Subject: RE: a strawman proposal for the security discussion at the Dallas face to face
Eric,

Thanks for your comments. Could you be a little more specific, though? What work specifically would you like this situated in relation to? Also, what European requirements are you referring to?

I am rather newly active to this group, though I've worked in security for many years and to be honest, I struggled with how to kick this "security" effort off and where to position the TRP work within a broader context of security issues. I was trying not to overwhelm people with a list of reading material in order to get broad participation in the requirements definition.

On the "privacy" issue, you are absolutely right, I need to be more careful. I tend to use "data privacy" and "data confidentiality" instead of "data protection" and here I meant "data privacy". I did use the IETF glossary for some of the terms like non-repudiation; maybe I should just reference the whole thing. These definitions are a combination of references from the IETF and a book on Network Security by Charlie Kaufman, Radia Perlman and Mike Speciner.

Also, with your experience in P3P, how do you think it fits/relates to some of the ebXML work? What, if anything, should we include about "privacy" and how would you define it? Is this something we need to address in the context of Trading Partner Agreements?

I'm sorry you won't be there as well. I'm sure we'll have some active discussion on the mailing list and in Tokyo! I have a lot to learn, too. Again, all suggestions/comments are welcome.

Maryann

"Brunner, Eric" <EBrunner@Engage.com> on 09/24/2000 09:31:21 AM
To: "'mhondo@us.ibm.com'" <mhondo@us.ibm.com>, ebxml-transport@lists.ebxml.org
cc:
Subject: RE: a strawman proposal for the security discussion at the Dallas face to face

Maryann,

I would appreciate it if you could, in the opening paras of the next go-around of the security strawman, situate the work in the literature, and/or provide a mandatory-to-grok cite for the subsequent discussion.

One term I was surprised by was "privacy" but not "data protection", which suggests to me that I need to read carefully to be sure that the European requirements haven't been understated. The definition (the ability to allow only the intended recipient to read a message) surprised me also. In the IETF literature (RFC 2828), and the P3P literature (I'm one of the P3P Spec WG participants), the concept described is "data confidentiality", not "privacy".

I'm sorry I won't be able to attend the F2F @ Dallas Tuesday. I'll offer more comments as I've a chance to carefully read the strawman proposal.

Eric

-----Original Message-----
From: mhondo@us.ibm.com [mailto:mhondo@us.ibm.com]
Sent: Friday, September 22, 2000 5:20 PM
To: ebxml-transport@lists.ebxml.org
Subject: a strawman proposal for the security discussion at the Dallas face to face

All,

As discussed on the TRP call, here is a strawman proposal to use in our discussion of security at the face to face in Dallas on Tuesday. Hope it reflects some of the comments, if not, let me know!

Maryann

(See attached file: Ebxml Security Strawman.doc)