OASIS ebXML Messaging Services TC


RE: Threat assessment, some dissent RE: [ebxml-msg] security problem with ebXML MS


    Posted 11-09-2001 23:36
    
    Suresh,
    
    You asked "What if another type contract is used?"  That might be another
    can of worms but I think that we can safely put it off until version 77
    since no other such contract has surfaced and Web Services hasn't yet
    figured out the need for agreements.  So, we are dealing with the following
    cases:
    
       CPA
    
       Manually entered configuration information equivalent to a CPA but with
       no automated assurance that what both parties enter is compatible. I
       think that this is what most of us understand as the meaning of "no
       CPA".
    
       No agreement at all.
    
    The proponents of "no agreement at all"  either believe that two parties
    can communicate without compatible configurations or that all the
    configuration information can be carried in the message header.
    
    
    Regards,
    Marty
    *************************************************************************************
    
    Martin W. Sachs
    IBM T. J. Watson Research Center
    P. O. B. 704
    Yorktown Hts, NY 10598
    914-784-7287;  IBM tie line 863-7287
    Notes address:  Martin W Sachs/Watson/IBM
    Internet address:  mwsachs @ us.ibm.com
    *************************************************************************************
    
    
    
    "Damodaran, Suresh" <Suresh_Damodaran@stercomm.com> on 11/09/2001 05:33:48 PM
    
    To:    "'Dale Moberg'" <dmoberg@cyclonecommerce.com>, James M Galvin
           <galvin@drummondgroup.com>, Christopher Ferris
           <chris.ferris@sun.com>, Rich Salz <rsalz@zolera.com>
    cc:    ebxml-msg@lists.oasis-open.org
    Subject:    RE: Threat assessment, some dissent RE: [ebxml-msg] security
           problem with ebXML MS
    
    
    
    Dale,
    
    In any case, the MS spec should state clearly what
    kind of security it supports and what it doesn't.
    It definitely is not in the interest of anyone
    to say that ebXML MS provides certain security guarantees,
    when it doesn't. Possibly the security considerations
    section needs a good rewrite, maybe others too.
    (Things like CPA will have Content-Type should be in MS spec.
    However, I am not sure MS assumes the use of a CPA.
    What if another type contract is used? Hope I am
    not opening another can of worms:-))
    
    I do hope this subject gets discussed at the F2F.
    
    Regards,
    -Suresh