Re: [PartyId "type" negotiation]

[christopher ferris <chris.ferris@east.sun.com>]

Doveryay, no proveryay -- Trust, but verify

Cheers,

Chris

Krishna Sankar wrote:
> 
> Hi,
> 
>         I agree with Prasad on this (and do not differ with William as well ;-)).
> Here are a few of my observations:
> 
>         1.      For all purposes, one need not have full and implicit trust on a
> Registry. The point here is, trust only the ones you need to trust.
> 
>         2.      In normal circumstances, the content would be signed by the Submitting
> Organization and the registry would keep the documents with the signature.
> When one receives a document from the registry, one can determine if one
> wants to trust the document based on the SO's signature.
> 
>                 There could be documents without any signature and the receiving systems
> can trust or reject the document.
> 
>         3.      The Registry does not validate any content. It is more of a central
> store, capable of answering queries about it's repository.
> 
>         4.      The above are the assumptions (or non-assumptions) for a normal registry
> which implements the ebXML specs.
> 
>         5.      Having said all these, I can think of scenarios where one trusts a
> registry.
>                 For example, an organization like D&B or some other commercial entity can
> have a trusted registry service, which validates the content. In this case
> one can trust this RA and the documents would be signed by this RA as well.
> 
>         just my 2c.
> 
> cheers
> 
> |-----Original Message-----
> |From: Prasad Yendluri [mailto:pyendluri@webmethods.com]
> |Sent: Monday, April 02, 2001 8:14 PM
> |Cc: ebxml-tp@lists.ebxml.org
> |Subject: Re: [PartyId "type" negotiation]
> |
> |
> |"William J. Kammerer" wrote:
> |
> |> Prasad Yendluri said "If one party uses arbitrary partyId 'type' (for
> |> their own partyId), the receiving party may not have the framework to
> |> verify the Id to be a valid one per the 'type' (say DUNS)."
> |>
> |> Why would you need to validate the DUNS of your potential trading
> |> partner at all? Wouldn't the registry have done that when the CPP was
> |> registered?
> |
> |Nope! Registry does not "validate" the content submitted to it.
> |
> |> For example, why would a registry knowingly allow someone
> |> to use General Motors' DUNS in a CPP unless the registrant were known to
> |> be General Motors? You should be able to trust the CPP belongs to whom
> |> it purports to belong to, and the registry has a vested interest in
> |> ensuring so.
> |
> |Registry is not responsible for validating all attributes of content you
> |submit. You can submit binary data into registry.
> |
> |> Assuming I trust the registry, I should be able to trust the CPPs
> |> contained within it.
> |
> |That is an incorrect assumption :)
> |
> |>  If a "registry" of the decrepit old EDI model -
> |> say, Sterling Commerce - tells me that Roadway Express is accessible on
> |> their network using either SCAC "RDWY" or DUNS "006998397", then I can
> |> trust them.  If my ISA says send this EDI interchange to whomever has
> |> the SCAC of "RDWY" I want that data only to go to Roadway Express in
> |> Akron, Ohio.  Can't ebXML do the same?
> |>
> |
> |
> |------------------------------------------------------------------
> |To unsubscribe from this elist send a message with the single word
> |"unsubscribe" in the body to: ebxml-tp-request@lists.ebxml.org
> |
> 
> ------------------------------------------------------------------
> To unsubscribe from this elist send a message with the single word
> "unsubscribe" in the body to: ebxml-tp-request@lists.ebxml.org
begin:vcard 
n:Ferris;Christopher
tel;cell:508-667-0402
tel;work:781-442-3063
x-mozilla-html:FALSE
org:Sun Microsystems, Inc;XTC Advanced Development
adr:;;;;;;
version:2.1
email;internet:chris.ferris@east.sun.com
title:Sr. Staff Engineer
fn:Christopher Ferris
end:vcard