OASIS ebXML Messaging Services TC

 View Only
  • 1.  RE: [ebxml-msg] A question about authorisation [SEC=UNCLASSIFIED]

    Posted 07-01-2013 04:44
    Hi Pim,               Thanks for pointing me at that. I understand that a little better now. SAML is most suited to the primary header. To use it in a secondary header, it would have to be used to sign something. Like an X.509 Certificate, the credential must be exercised to establish ownership.   To give me a little more context on how authorisation works in a hub scenario, with a Pull request, if I have a hub holding a number of messages destined for different Receiving MSHs waiting to be collected is in normal that: ·          Messages would be placed in separate MPCs for each Receiving MSH; or ·          Messages would be in a single MPC with an authorisation mechanism determining which Receiving MSH could pick up which message (not that I have found this in the standard); or ·          Some other way?   Am I on the right track or missing something?   Regards, Ian Otto.  


  • 2.  RE: [ebxml-msg] A question about authorisation [SEC=UNCLASSIFIED]

    Posted 07-01-2013 20:10
    ? Hello Ian,   In my interpretation of how Pull should work the approach to take would be the one described in your first bullet point.    But this is something we should discuss on the call with the people who were around when this was added to the spec, as your email is a reminder that I had a related question on Pull that I will file a Jira item for.   Pim From: ebxml-msg@lists.oasis-open.org [mailto:ebxml-msg@lists.oasis-open.org] On Behalf Of Otto, Ian Sent: 01 July 2013 06:44 To: 'Pim van der Eijk'; ebxml-msg@lists.oasis-open.org Subject: RE: [ebxml-msg] A question about authorisation [SEC=UNCLASSIFIED] Hi Pim,               Thanks for pointing me at that. I understand that a little better now. SAML is most suited to the primary header. To use it in a secondary header, it would have to be used to sign something. Like an X.509 Certificate, the credential must be exercised to establish ownership.   To give me a little more context on how authorisation works in a hub scenario, with a Pull request, if I have a hub holding a number of messages destined for different Receiving MSHs waiting to be collected is in normal that: ·          Messages would be placed in separate MPCs for each Receiving MSH; or ·          Messages would be in a single MPC with an authorisation mechanism determining which Receiving MSH could pick up which message (not that I have found this in the standard); or ·          Some other way?   Am I on the right track or missing something?   Regards, Ian Otto.  


  • 3.  RE: [ebxml-msg] A question about authorisation [SEC=UNCLASSIFIED]

    Posted 07-01-2013 20:41
    ? By the way,  an enhanced more fine-grained approach to pull authorization is defined in section 5.1 of ebMS 3.0 Part 2:   http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/part2/201004/ebms-v3-part2.pdf     This offers a way to specify the equivalent of dequeue conditions in some messaging products.   AS4 does not require this feature ..   Pim From: ebxml-msg@lists.oasis-open.org [mailto:ebxml-msg@lists.oasis-open.org] On Behalf Of Otto, Ian Sent: 01 July 2013 06:44 To: 'Pim van der Eijk'; ebxml-msg@lists.oasis-open.org Subject: RE: [ebxml-msg] A question about authorisation [SEC=UNCLASSIFIED] Hi Pim,               Thanks for pointing me at that. I understand that a little better now. SAML is most suited to the primary header. To use it in a secondary header, it would have to be used to sign something. Like an X.509 Certificate, the credential must be exercised to establish ownership.   To give me a little more context on how authorisation works in a hub scenario, with a Pull request, if I have a hub holding a number of messages destined for different Receiving MSHs waiting to be collected is in normal that: ·          Messages would be placed in separate MPCs for each Receiving MSH; or ·          Messages would be in a single MPC with an authorisation mechanism determining which Receiving MSH could pick up which message (not that I have found this in the standard); or ·          Some other way?   Am I on the right track or missing something?   Regards, Ian Otto.