Subject: Re: Risk Assessment v0.3.5
The Quality Review team reviewed the document "ebXML Technical Architecture Risk Assessment v0.3.5" as submitted by the Security team on March 23rd.

Firstly, we have no real concerns with the quality of this document. Under other circumstances this would be readily approved for public review. However, at this stage we recommend some modifications be made prior to public review of this document.

Our concerns lie with the potential public reaction to some of this material (i.e. the "spin" it gives to security risks). As is clearly stated, this material has a primary audience of those parties involved in developing the ebXML technical specifications. For this audience, it is completely appropriate to identify gaps in the current ebXML specifications (e.g. lines 311, 325-327, 465-466, 611-617, etc.). Unfortunately, this document has a wider audience in that it includes those parties implementing ebXML solutions (and also the analysts and consultants supporting any implementations). In its current style, this material paints a fairly bleak picture of the deficiencies in ebXML security mechanisms. This may create some unjustified impressions and unwarranted feedback that may distract from the primary function of this material.

We acknowledge that this is a matter of perspective. This document is, in one sense, a quality review of the security aspects across the ebXML specifications. It looks for (and finds) the holes in the work to date, and identifies future requirements.

We would like the Security team to create an 'executive overview' section at the start of the document to:

1. Describe the real security risks with any B2B application.
2. Point out the perspective taken by the team (i.e. looking for weaknesses not strengths).
3. The role of this material as a review of current specifications.
4. "Sell" the document to non-security experts.

At the same time as this matter is addressed we would like the Security team to consider some other (lesser) issues we have identified.
These are identified in the report attached.

Maryann Hondo wrote:
> Attached you will find the final working draft of the
> ebXML Technical Architecture Risk Assessment, version 0.3.5
> that we hereby formally submit to QRT for formal review.
>
> (See attached file: ebXML_sec_v0.3.5.doc)
> Maryann

--
regards
tim mcgrath
TEDIS
fremantle western australia 6160
phone: +618 93352228
fax: +618 93352142