Re: Transport and packaging security standards?

[Christopher Ferris <chris.ferris@east.sun.com>]

All,

The security section in the ebXML Message Service specification
deals only with the identification and description of the various
profiles, declaring XMLDSIG as the REQUIRED technology for signing
the ebXML Message (header and payload), and providing a "binding" 
for XMLDSIG signing of header and payload.

The spec should be published to the trp list on Monday. David B
is just putting the last finishing touches on the doc (incorporating
changes agreed in the face2face).

The cut of the security section in v0.9 of the MS spec included much
of Maryann's initial draft, but this has been removed as it rightly
belongs in the TA document/appendix/addendum. This should deal with
the overall description of security through the stack, the description
of the risks and countermeasures, etc.

The current draft (v0.92) does not address the security profiles for
signing payload as it was felt that this wasn't normative since the 
payload is opaque to the MSH. The descriptions of S/MIME (and PGP/MIME)
signing *could* be prepared as non-normative appendicies to the MS spec
if people feel that this is important.

As for volunteers, I'm on board to help in any way I can.

Cheers,

Chris 
Maryann Hondo wrote:
> 
> Dick,
> i believe security  was removed from version 8, but
> was back in version 9 with the proposal  from chris, but i'm not sure where
> it stands after the face to face
> this week
> 
> Scott,
> just for background, security has been bouncing around a bit....
> 
> originally we started defining security for "trp payloads", and including
> CPP profiles for SMIME & PGP
> in the trp spec
> 
> we left combined security on the header, optional routing headers and the
> payload for a future version...
> but this  left us with the fact that the payload should just be a "blob"
> from the transport & packaging perspective
> which meant the security parts didn't belong in TRP but in the Trading
> Partner sub-group which will provide
> the tags for security in the cpp (but we needed to co-ordinte moving these
> sections to the tp spec which I believe
> dale is doing)
> 
>  and chris ferris then  put forward a proposal for a default profile for
> signing the header & payload using XML DSIG, which I believe was accepted
> by the trp group on the last call but i'n not sure which version of the
> document will include this
> 
> one issue outstanding for TRP is how to provide authentication or
> authorization and we are looking
> to the evolution of S2ML "tokens" in the header as a possible solution.
> 
> hope this helps.
> 
> due to the fact that i broke my right wrist, i'm not sure when i'll be able
> to produce a document, i'm
> trying to rustle up some help......want to volunteer???????
> 
> maryann
> 
> Dick Brooks <dick@8760.com> on 01/12/2001 11:27:40 AM
> 
> Please respond to dick@8760.com
> 
> To:   "Parnell, Scott" <Scott.Parnell@usa.xerox.com>,
>       ebxml-transport@lists.ebxml.org
> cc:
> Subject:  RE: Transport and packaging security standards?
> 
> Scott,
> 
> All the security related verbiage was moved from the TRP spec to the
> security spec, which Maryann Hondo mailto:mhondo@us.ibm.com is leading up.
> 
> Dick Brooks
> Group 8760
> 110 12th Street North
> Birmingham, AL 35203
> dick@8760.com
> 205-250-8053
> Fax: 205-250-8057
> http://www.8760.com/
> 
> InsideAgent - Empowering e-commerce solutions
> 
> > -----Original Message-----
> > From: Parnell, Scott [mailto:Scott.Parnell@usa.xerox.com]
> > Sent: Friday, January 12, 2001 9:06 AM
> > To: 'ebxml-transport@lists.ebxml.org'
> > Subject: Transport and packaging security standards?
> >
> >
> > Message-id:
> >
> <B08661D21F0FD311A21A00805FC7D6500154D5F5@usa0845ms1.svcdoc.mc.xerox.com>
> > MIME-version: 1.0
> > X-Mailer: Internet Mail Service (5.5.2650.21)
> > Content-type: text/plain
> > Content-transfer-encoding: 7BIT
> > List-Owner: <mailto:ebxml-transport-help@lists.ebxml.org>
> > List-Post: <mailto:ebxml-transport@lists.ebxml.org>
> > List-Subscribe:
> > <mailto:ebxml-transport-request@lists.ebxml.org?body=subscribe>
> > List-Unsubscribe:
> >  <mailto:ebxml-transport-request@lists.ebxml.org?body=unsubscribe>
> > List-Archive: <http://lists.ebxml.org/archives/ebxml-transport>
> > List-Help: <http://lists.ebxml.org/doc/email-manage.html>,
> >  <mailto:ebxml-transport-request@lists.ebxml.org?body=help>
> >
> > I found this quote apparently originating from Dick Brooks:
> >
> > >- The ebXML packaging spec references S/MIME (RFC 2633) and PGP/MIME
> (RFC
> > >2015) standards for encryption and digital signature and the ebXML
> header
> > >spec references XML Dsig for more granular signature requirements than
> > >provided by RFC 2633 and RFC 2015;
> >
> > at: http://lists.ebxml.org/archives/ebxml-awareness/200007/msg00010.html
> >
> > but when I couldn't find any reference to specific security mechanisms in
> > the 0.8 release of the Transport, Routing, and Packaging spec. The
> closest
> > reference I could find was to a document titled "ebXML Message Services
> > Security Specification." and a comment that it is under
> > development If this
> > is where it will be defined, is there any outlook on when this
> > document will
> > be publically available?
> >
> > Regards,
> > Scott
begin:vcard 
n:Ferris;Christopher
tel;cell:508-667-0402
tel;work:781-442-3063
x-mozilla-html:FALSE
org:Sun Microsystems, Inc;XTC Advanced Development
adr:;;One Network Drive;Burlington;Ma;01803-0903;USA
version:2.1
email;internet:chris.ferris@east.sun.com
title:Senior Staff Engineer
fn:Christopher Ferris
end:vcard