RE: [PartyId "type" negotiation]

[Krishna Sankar <ksankar@cisco.com>]

William,

	Yep, we are not going to trust any arbitrary document. Also, just to point
out, there are degrees of trust depending on the information. <soapbox>
Actually, even now we are only automating manual operations - that way we
are still in the age of ADP (for those young souls, ADP used to mean
"automated data processing" ;-)) When we really leverage the internet, we
would need a lot more security and trust mechanisms</soapbox>

	Yes, if the <partyid> bag is part of the document signed by some entity you
trust, then of course, you can trust the partyid as well.

	Remember, it is not *absolute* that you need signed documents and CPA. For
example if you want just weather condition, you might be Ok with a general
provider. Of course, these days, folks would start feeding you false weather
conditions ;-0

	The ebXML Registry requires a signature somewhere (signed header or signed
payload) to identify and authenticate the Submitting Org. So your and
Prasad's e-mails are true in the sense that ebXML Registry vouches for the
identity of the SO and by association, we can say that the docs are also
trust worthy (so long as we use a trusted pipe like SSL, well infrastructure
is another topic, better dealt with after some sleep ;-))

cheers

|-----Original Message-----
|From: William J. Kammerer [mailto:wkammerer@foresightcorp.com]
|Sent: Monday, April 02, 2001 9:04 PM
|To: ebxml-tp@lists.ebxml.org
|Subject: Re: [PartyId "type" negotiation]
|
|
|Krishna Sankar said "In normal circumstances, the content would be
|signed by the Submitting Organization and the registry would keep the
|documents with the signature. When one receives a document from the
|registry, one can determine if one wants to trust the document based on
|the SO's signature."
|
|Yes, that satisfies me (I think).  I made a slight misstep earlier when
|I said "the CPA is signed by somebody I trust (the Comptroller of the
|Currency, maybe?)."  Actually, I will trust my Bank's signature of the
|CPA, assuming I trust its certificate -  which is a whole different
|matter independent of the CPA, CPP or the registry.
|
|So where's the problem?  In summary, I find the CPA based on a match on
|any one of a number of <partyId> entries, validate the found CPA's
|signature, and proceed from there.  Again, there's no need to "validate"
|the <partyId> by Type - I don't have to go to the ABA for Routing
|numbers, or Dun & Bradstreet for DUNS numbers, or the NMFTA for SCACs.
|I usually have an ID in hand before I even went "shopping" for the CPA
|in the registry.
|
|I agree with Krishna that I don't need "full and implicit trust on a
|Registry." But I do need to trust all information I find in the
|registries, and hence it all must be signed.  There's no information I'm
|willing to send into a rat hole I can't trust, nor am I willing to enter
|into a CPA with anyone for whom I can't validate their CPP.
|
|William J. Kammerer
|FORESIGHT Corp.
|4950 Blazer Pkwy.
|Dublin, OH USA 43017-3305
|+1 614 791-1600
|
|Visit FORESIGHT Corp. at http://www.foresightcorp.com/
|"accelerating time-to-trade"
|
|
|
|------------------------------------------------------------------
|To unsubscribe from this elist send a message with the single word
|"unsubscribe" in the body to: ebxml-tp-request@lists.ebxml.org
|