Subject: RE: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
Hi,

I agree with you that we should not start another XML structure to carry the UN/PW. I think the S2ML might be a good candidate. There are a few issues:

a) The standard is not yet ready. Maybe we can use the 0.8 version.
b) Sending UN/PW adds another security layer. We cannot permit the UN/PW in the clear.
c) A third issue is the intermediaries like the hub; can they see the UN/PW? If so, again, we have a security issue.

Just my 2 yens!

cheers

> -----Original Message-----
> From: Burdett, David [mailto:david.burdett@commerceone.com]
> Sent: Wednesday, December 27, 2000 9:37 AM
> To: ebXML Transport (E-mail)
> Cc: 'ebxml-ta-security@lists.ebxml.org'
> Subject: FW: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
>
> I'm forwarding this to the transport list from the security list.
>
> I agree with Zahid that there should be a way inside ebXML headers to include UserId and Password authentication. I don't think that we should reinvent the wheel though.
>
> Thoughts?
>
> David
>
> -----Original Message-----
> From: Ahmed, Zahid
> Sent: Wednesday, December 20, 2000 1:40 PM
> To: Krishna Sankar; ebxml-regrep@lists.ebxml.org; ebxml-ta-security@lists.ebxml.org
> Subject: RE: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
>
> > Just a few points :
> >
> > 1. No need for UN/PW
>
> I'm concerned that we are not supporting a simple password authentication mechanism which will be very useful for a wide range of clients. Cert-based auth is stronger, but more for simple lookups it is heavyweight for many apps. We should consider password authentication as an option also because most LDAPs/Databases (and other Reg/Rep efforts, e.g., UDDI) will support it.
>
> thanks,
> Zahid
>
> > -----Original Message-----
> > From: Krishna Sankar [mailto:ksankar@cisco.com]
> > Sent: Wednesday, December 20, 2000 1:26 PM
> > To: ebxml-regrep@lists.ebxml.org; ebxml-ta-security@lists.ebxml.org
> > Subject: RE: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
> >
> > Chris,
> >
> > Exactly. My suggestion (like yours and others) is to get enough functionalities thru the current documents and move forward. No new services.
> >
> > Just a few points :
> >
> > 1. No need for UN/PW
> > 2. Don't need rot13 either ;-)
> >
> > But, looks like there were some discussions at the STC level and if so, it is better for all of us to have a separate security con call and discuss this.
> >
> > BTW, I will attend tomorrow's TRP con call for 8:00-9:00 and also the f2f in London. I think all the required basics are there, at some level. We just need to work out the integration and show a path from here to there. We can show that as a part of the regrep security document and refer to your security document at the appropriate places.
> >
> > Are you near San Jose? If so, we could meet and hammer this out at a preliminary level. Any suggestions?
> >
> > cheers
> >
> > > -----Original Message-----
> > > From: christopher ferris [mailto:chris.ferris@east.sun.com]
> > > Sent: Wednesday, December 20, 2000 1:06 PM
> > > To: Krishna Sankar
> > > Cc: ebxml-regrep@lists.ebxml.org; ebxml-ta-security@lists.ebxml.org
> > > Subject: Re: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
> > >
> > > Krishna,
> > >
> > > The TR&P MS spec will have a security section. I have sent an early draft to the ta-security list and I invite comments/feedback.
> > >
> > > This provides for signing (as well as encryption) of messages with bindings for XMLDSIG, S/MIME and PGP/MIME. I could add rot13 too if there is interest ;-)
> > >
> > > Signing of the message (over a MAC) provides for authentication. How is this inadequate? I can understand the need to possibly provide for user/password authentication, but that doesn't have (IMHO) the requisite strength needed for regrep update access.
> > >
> > > However, S2ML does provide a means of conveying credentials and they include a mapping for login/password. Maybe we could lift what gets published in v0.8 to that purpose.
> > >
> > > Bottom line for me is that we NOT reinvent the wheel.
> > >
> > > Cheers,
> > >
> > > Chris
> > >
> > > Krishna Sankar wrote:
> > > >
> > > > Yep, we have the security services group by OASIS and Chris is right saying that we should work with that group - I have expressed my interest in participating. As far as I know the S2ML does address some parts and we could extend the result of the OASIS working group.
> > > >
> > > > The question is, what do we do for Release 1? Especially as the registry requires authentication and signing of content.
> > > >
> > > > cheers
> > > >
> > > > > -----Original Message-----
> > > > > From: christopher ferris [mailto:chris.ferris@east.sun.com]
> > > > > Sent: Wednesday, December 20, 2000 12:26 PM
> > > > > To: Nieman, Scott
> > > > > Cc: 'ebxml-regrep@lists.ebxml.org'; 'ebxml-stc@lists.ebxml.org'; ebxml-ta-security@lists.ebxml.org
> > > > > Subject: Re: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
> > > > >
> > > > > Scott,
> > > > >
> > > > > When the S2ML initiative was announced, people asked if it overlapped with the work being done at ebXML.
> > > > >
> > > > > The correct, IMHO, answer at that time was: S2ML defines security services for authentication and authorization that can be carried over any protocol (e.g. SOAP, XP, ebXML). The OASIS TC formed will be focused on this very set of services.
> > > > >
> > > > > Defining an ebXML Security Service(s) at this time would be, IMHO, doing exactly what S2ML was perceived (incorrectly) of doing... entering a space which is already being addressed by experts in the field in an OPEN forum (OASIS).
> > > > >
> > > > > Now, given that security IS important for RR and that it is currently being defined in TR&P, BP, TP and TA (as an overarching architectural view of the works of the other teams), I think that we should be taking a close look at what is being defined before launching into yet another specification initiative at this late date in the process.
> > > > >
> > > > > From my point of view, RR is simply a specialized business process. If the needs of RR are not being addressed by the BP, TP and TR&P specification offerings, then we need to think our work through more carefully and fill in any gaps that may exist.
> > > > >
> > > > > Please, let's not start up yet another splinter group to tackle an issue that MAY already be addressed within the groups already focused on security. If anything, the work MUST be tightly coordinated with the other efforts working on security.
> > > > >
> > > > > Please DO keep in mind that once you start down this path, the next phase you enter will be PKI, and I don't think you want to go there.
> > > > >
> > > > > My $0.02,
> > > > >
> > > > > Chris
> > > > >
> > > > > "Nieman, Scott" wrote:
> > > > > >
> > > > > > To follow-up regarding the StC conversation today, I would like to invite Rik, Marty, Sid, Nick and anyone else to join the scheduled RR teleconference tomorrow, to discuss a potential need for a separate ebXML Security Service, specifically to handle authentication, encryption, and decryption needs. Messages and payloads could be processed through this service.
> > > > > >
> > > > > > RR is concerned about overlap, and general architectural issues. At this time, RR is specifying this functionality, however, this functionality is also required for normal B2B. Specifying a single Security Service would enable RR to focus on role-based authorizations, integrity, etc.
> > > > > >
> > > > > > I would like this discussion to last no more than one hour, with that discussion to be the first topic.
> > > > > >
> > > > > > Scott
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Nieman, Scott [mailto:Scott.Nieman@NorstanConsulting.com]
> > > > > > Sent: Tuesday, December 19, 2000 4:35 PM
> > > > > > To: 'ebxml-regrep@lists.ebxml.org'
> > > > > > Subject: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
> > > > > >
> > > > > > Meeting Date: 12/21/2000
> > > > > > Meeting Time: 12:30-4pm CDT (please note CDT)
> > > > > >
> > > > > > The dialup information is:
> > > > > > USA: 800.892.0357
> > > > > > Sorry no toll-free for International callers: usa 612.352.7899
> > > > > > Meeting ID #8186
> > > > > > 25 locations setup
> > > > > >
> > > > > > Agenda: Review the RIM updates based on input from 12/19 telcon.
> > > > > >
> > > > > > Please read the document prior to the call.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Scott
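The two concerns in the top message (credentials must not travel in the clear, and an intermediary hub may read them) and Chris's point that signing the message provides authentication can be shown side by side. The following is an added example, not code from this thread or from the ebXML or S2ML specifications. It uses a shared-key HMAC over a JSON stand-in for the message instead of the XMLDSIG binding the thread mentions, and every field name, key and message body in it is constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed, minimal stand-in for an ebXML-style message: a header that the
# hub routes on plus a payload body. Field names are hypothetical.


def build_password_message(user, password, body):
    """Credentials carried in the header in the clear (points b and c above)."""
    return {"header": {"user": user, "password": password}, "body": body}


def hub_sees_credentials(message):
    """What an intermediary hub learns just by parsing the header it forwards."""
    header = message.get("header", {})
    return header.get("password") is not None


def _canonical_bytes(header_fields, body):
    # Deterministic serialization so sender and receiver MAC identical bytes.
    # A real deployment would use XML canonicalization under XMLDSIG instead.
    return json.dumps({"header": header_fields, "body": body},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_mac_message(user, shared_key, body, message_id):
    """Authentication by a keyed MAC over header and body: the secret stays at
    the endpoints and only the tag travels with the message."""
    header = {"user": user, "message_id": message_id}
    tag = hmac.new(shared_key, _canonical_bytes(header, body), hashlib.sha256).hexdigest()
    return {"header": {**header, "mac": tag}, "body": body}


def verify_mac_message(message, shared_key):
    """Receiver-side check: recompute the tag and compare in constant time."""
    header = dict(message.get("header", {}))
    tag = header.pop("mac", None)
    if tag is None:
        return False
    expected = hmac.new(shared_key, _canonical_bytes(header, message.get("body")),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def hub_forward(message, tamper=False):
    """Simulates the hub relaying its own copy; tamper=True edits the payload."""
    forwarded = json.loads(json.dumps(message))
    if tamper:
        forwarded["body"] = forwarded["body"] + " [modified by hub]"
    return forwarded


def demo():
    """Runs both designs through the hub and reports what each one exposes."""
    key = b"constructed-shared-key"          # constructed sample key
    plain = build_password_message("alice", "hunter2", "getObject id=42")
    signed = build_mac_message("alice", key, "getObject id=42", "msg-0001")
    return {
        "hub_sees_password_in_clear": hub_sees_credentials(plain),
        "hub_sees_password_with_mac": hub_sees_credentials(signed),
        "mac_verifies_after_relay": verify_mac_message(hub_forward(signed), key),
        "mac_verifies_after_tamper": verify_mac_message(hub_forward(signed, tamper=True), key),
        "mac_verifies_wrong_key": verify_mac_message(signed, b"not-the-key"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script it prints one line per check: the hub reads the password from the first message and nothing secret from the second, the MAC still verifies after an honest relay, and fails after the hub edits the body or when the receiver holds the wrong key. The MAC variant still leaves key distribution and replay protection to be solved (the `message_id` is carried but not tracked here), which is the kind of gap the thread expects the TR&P security section or S2ML to fill rather than a new ebXML-specific structure.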