OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-transport message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: What the Registry needs from TRP Security


Please see below.

Happy holidays,


Krishna Sankar wrote:
> Hi,
>         Here are the stuff registry needs from the TRP to have an effective
> integration. In Chris's words "let the flames begin ..." ;-)
> 1.      Authentication - for now means signed headers (I assume). The TRP spec
> should have the semantics and syntax how to do this. Then the registry can
> say HeaderSignatureRequired in the CPA and use the signature to validate the
> identity of the user.
>         Can we get this by the 0.9 version ?

Yes, using XMLDSIG the header and/or payload can be signed. The blah,
yadda yadda, yadda in the spec will be fleshed out by the time we cut
the version for the POC. 

> 1.a.    Chris had mentioned that Application Services would be available by
> 1.0 - but we need the basics now.

I'm not sure I understand... What do you require?

> 2.      Submitting organizations (SOs) should sign the content. We might need an
> element "PayLoadSignatureRequired" in the CPA for this.

This comes from the TP group and is ultimately something required
by the BP. However, there is something in the CPA now for this.

>         a)      Remember this could be different from the authentication
> certificates/credentials above.

Indeed, but again, when dealing with payload, this is an application
not a MSH issue. If a separate signature is required for the payload,
then the application, or application services layer should perform the 

>         b)      This signature ensures integrity.

I'm not sure I understand... that there be a MAC that is signed?

>         c)      This is required not only for the registry but also for the clients who
> refer to the content for biz critical apps
>         d)      So the content and the signature will be stored.
>         e)      When a client receives a content(which has the content signature (as
> submitted by the SO)as well), it should check the integrity
>         f)      I saw that even the CPP would require a signature for integrity.

Yes, it has one as does the CPA.

>         g)      In this context, the TRP would RECOMMEND the semantics and syntax for
> signing and encryption. One caution here is that the MSH should give the
> content to the Registry along with the signature.

If the payload is signed with a MIME-signing scheme (S/MIME) then the
most certainly provides the application with the object as well as the
to do as it sees fit.

>         h)      I agree that the TRP is payload agnostic. So if the method is not
> specified, the registry will have to specify.

method for what?

>         i)      Also, I know that the three methods (S/MIME,PGP,DSIG) are specified in
> the TRP specs and will be more detailed for the 0.9 version. We need that
> detail - the syntax/binding)

S/MIME is already there. PGP and DSIG will be added after I get back
my ski trip;-)

> cheers
org:Sun Microsystems, Inc;XTC Advanced Development
title:Sr. Staff Engineer
fn:Christopher Ferris

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Search: Match: Sort by:
Words: | Help

Powered by eList eXpress LLC