OASIS ebXML Messaging Services TC


Re: SSL Mutual Authentication and the Message Service Spec

    Posted 08-23-2001 12:41
    I took a look at the Communication Protocol Bindings section (Appendix B) in
    the Message Service Spec. Lines 2843 to 2845 state:
    
    "Both [RFC2246] and [SSL3] require the use of server side digital
    certificates. In addition client side certificate based authentication is
    also permitted. ebXML Message Service handlers MUST support hierarchical
    and peer-to-peer trust models."
    
    Therefore, I think the CPP/A 1.1 spec needs to be fixed to support mutual
    authentication.
    
    In addition, lines 2823 to 2828 in the Message Service spec state:
    
    "Implementers MAY protect their ebXML Message Service Handlers from
    unauthorized access through the use of an access control mechanism. The HTTP
    access authentication process described in "HTTP Authentication: Basic and
    Digest Access Authentication" [RFC2617] defines the access control
    mechanisms allowed to protect an ebXML Message Service Handler from
    unauthorized access. Implementers MAY support all of the access control
    schemes defined in [RFC2617] however they MUST support the Basic
    Authentication mechanism, as described in section 2, when Access Control is
    used."
    
    More changes to the CPP/A spec will be necessary to support Basic
    Authentication. However, I seriously doubt if basic authentication, which
    sends user name and password in cleartext, is suitable for conducting
    e-business transactions. Perhaps we should lobby the MSG TC to remove the
    requirement to support basic authentication in the 1.1 spec.
    
    -Arvola
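An added illustration of the two points raised above (not code from the post or from the ebXML specifications): it decodes an [RFC2617] Basic credential to show that the user name and password are merely base64-encoded, and it assesses a hypothetical transport binding (the `TransportBinding` model and its field names are assumptions for this example) for cleartext credential exposure and for server-only versus mutual TLS authentication.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TransportBinding:
    """Hypothetical summary of one ebXML MSH endpoint (constructed for this example)."""
    url: str                      # endpoint URL; "https://" means TLS is used
    client_cert_required: bool    # True when the server demands a client certificate
    auth_header: Optional[str]    # HTTP Authorization header value, if access control is used


def parse_basic_credentials(auth_header: str) -> Tuple[str, str]:
    """Decode an RFC 2617 Basic credential: 'Basic ' + base64('userid:password').

    The decode step is all an on-path observer needs; base64 is encoding, not encryption.
    """
    scheme, _, b64 = auth_header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic credential: {scheme!r}")
    raw = base64.b64decode(b64.strip(), validate=True).decode("latin-1")
    # RFC 2617 allows ':' inside the password, so split only at the first one.
    userid, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: missing ':' separator")
    return userid, password


def assess(binding: TransportBinding) -> List[str]:
    """Report how each peer is authenticated and whether credentials travel in cleartext."""
    findings: List[str] = []
    over_tls = binding.url.lower().startswith("https://")
    if binding.auth_header:
        userid, _ = parse_basic_credentials(binding.auth_header)
        if over_tls:
            findings.append(f"Basic credentials for '{userid}' are protected by TLS")
        else:
            findings.append(f"Basic credentials for '{userid}' are sent in cleartext (no TLS)")
    if over_tls:
        findings.append("server authenticated by its TLS server certificate")
        if binding.client_cert_required:
            findings.append("client authenticated by TLS client certificate (mutual authentication)")
        else:
            findings.append("client not authenticated at the TLS layer (server-side certificate only)")
    else:
        findings.append("no TLS: peer authentication rests entirely on the HTTP access control layer")
    return findings
```

The credential used in the test is the example from [RFC2617] section 2 ("Aladdin" / "open sesame").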