[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: sorry....forgot a few things.....
Firstly the use of XMLSignature is a question of when not if. We should use
it sooner rather than later if we can assume that:
1. The spec is final and won't change, and
2. Production quality interoperable solutions are available that can be used
by developers
The issue then becomes is do we still need to support MIME ... I honestly
don't know the answer to that one.
Secondly Chris talks about us being neutral about what you sign in the
payload. I agree, however we should specify for interoparability reasons:
1. Where in the message structure a "message level" signature goes, and
2. How to identify, construct, locate and validate it
A "message level" signature is one which binds together the various parts of
an ebXML Message (header, payload, even transport maybe.
My $0.02c ...
David
-----Original Message-----
From: Christopher Ferris [mailto:chris.ferris@east.sun.com]
Sent: Tuesday, November 28, 2000 7:42 PM
To: yanqin xu; ebxml-ta-security@lists.ebxml.org
Subject: Re: sorry....forgot a few things.....
Jenny,
IBM has an XMLSignature package available through
their alphaworks website:
http://alphaworks.ibm.com/tech/xmlsecuritysuite
I have actually been exploring the possibilities
for use of DSig to sign the ebXML headers and payload
for that matter.
As to your first question:
Our objective is to keep the signing agnostic
and independent of any specific transport (keeping
in mind that ebXML TR&P Message Service itself
is not specific to any particular transport).
As to your second query, I'm not sure that
I understand the nature of your question. Are
you suggesting that certain elements of the
payload might be signed using a different
algorithm and/or certificate than others? What am I
missing?
Cheers,
Chris
yanqin xu wrote:
>
> Hi, Maryann,
>
> I don't know if we can put the following two items into our future
> discussion agenda, if there is no time for it in the Boston f2f meeting:
>
> [1] Digital signing and certification in message level or header level are
> ebXML specific. How will this impact the interoperability between ebXML
and
> any other transport standard in the future? How will this impact the
> conformance between any other standard and ebXML?
>
> [2] Can we think about special signature and certificate for some elements
> that require more securities, for example, catalog item price, purchase
> order price, bank transaction amount, or invoice "total" amount?
>
> Except these, I have a question to ask everybody in the team. That is,
>
> Does anybody know if there are APIs that can handle XML document element
> level digital signature and certificates? If there are such APIs, please
let
> me know where I can find it.
>
> Thanks.
>
> Regards,
>
> Jenny Xu
>
> >From: Maryann Hondo <mhondo@us.ibm.com>
> >To: ebxml-ta-security@lists.ebxml.org
> >Subject: sorry....forgot a few things.....
> >Date: Tue, 28 Nov 2000 15:28:57 -0500
> >
> >One, the requirements,
> >
> >(See attached file: Security Requirements for TRP.doc)
> >
> >
> >Two,
> >
> >we need to put Farrukh's proposal on the agenda.....
> >
> >
> >Three,
> >
> >we need to approve the glossary
> >(See attached file: glossary-proposal.doc)
> >
> >
> >(maybe we should order dinner in)
> ><< SecurityRequirementsforTRP.doc >>
> ><< glossary-proposal.doc >>
>
>
____________________________________________________________________________
_________
> Get more from the Web. FREE MSN Explorer download :
http://explorer.msn.com
--
Christopher Ferris
_/_/_/_/ _/ _/ _/ _/ Sr Staff Engineer - XTC Advanced Development
_/ _/ _/ _/_/ _/ Phone: 781-442-3063 or x23063
_/_/_/_/ _/ _/ _/ _/ _/ Email: chris.ferris@East.Sun.COM
_/ _/ _/ _/ _/_/ Sun Microsystems, Mailstop: UBUR03-313
_/_/_/_/ _/_/_/ _/ _/ 1 Network Drive Burlington, MA 01803-0903
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC