ebxml-ta-security message



Subject: Re: Risk Assessment v0.3.5


The Quality Review team reviewed the document "ebXML Technical Architecture
Risk Assessment v0.3.5" as submitted by the Security team on March 23rd.

Firstly, we have no real concerns with the quality of this document.  Under
other circumstances this would be readily approved for public review.

However, at this stage we recommend some modifications be made prior to public
review of this document.

Our concerns lie with the potential public reaction to some of this material
(i.e. the "spin" it gives to security risks).

As is clearly stated, this material has a primary audience of those parties
involved in developing the ebXML technical specifications.  For this audience,
it is completely appropriate to identify gaps in the current ebXML
specifications (e.g. lines 311, 325-327, 465-466, 611-617, etc.).

Unfortunately, this document has a wider audience in that it includes those
parties implementing ebXML solutions (and also the analysts and consultants
supporting any implementations).  In its current style, this material paints a
fairly bleak picture of the deficiencies in ebXML security mechanisms.  This
may create some unjustified impressions and unwarranted feedback that may
distract from the primary function of this material.

We acknowledge that this is a matter of perspective.  This document is, in one
sense, a quality review of the security aspects across the ebXML
specifications.  It looks for (and finds) the holes in the work to date, and
identifies future requirements.

We would like the Security team to create an 'executive overview' section at
the start of the document to:
1. Describe the real security risks with any B2B application.
2. Point out the perspective taken by the team (i.e. looking for weaknesses, not
strengths).
3. The role of this material as a review of current specifications.
4. "Sell" the document to non-security experts.

At the same time as this matter is addressed we would like the Security team
to consider some other (lesser) issues we have identified.  These are
identified in the report attached.


Maryann Hondo wrote:

> Attached you will find the final working draft of the
> ebXML Technical Architecture Risk Assessment, version 0.3.5
> that we hereby formally submit to QRT for formal review.
>
> (See attached file: ebXML_sec_v0.3.5.doc)
> Maryann
>

--
regards
tim mcgrath
TEDIS   fremantle  western australia 6160
phone: +618 93352228  fax: +618 93352142

risk.pdf


