ebxml-msg message
Subject: [ebxml-msg] RE: [ebxml-cppa-comment] A "Trivial" Secure e-businessQuestion
Question: How should the identity as expressed in a business document relate to the identity as expressed by the signer's certificate?
Among the complications we find:
- The PKI-identity is presumably "strong" as it is vouched for by a CA, while the identity in the business document is only "claimed" by the entity itself. ==> The PKI identity is governing?
- The hierarchical naming system used by PKI (X.500) is completely different to the various naming schemes used in businesses.
- Some PKI-folks claim that signatures should be tied to individuals. Does this mean that the signer's certificate in the sample should identify John Doe of Big Buyer Corp.?
- The receivers (relying parties) are automated processes supposed to securely handle similar messages from numerous business parties.
- Current e-commerce standards like ebXML and Web Services do not address this basic question.
One can note that the only PKIs working on a global scale are building on a one-to-one identity mapping between the entity's perceived identity and the identity as expressed in the certificate. Yes, I of course refer to e-mail and web-server certificates. Other aspiring users of PKI, like e-commerce, have not even begun to look into this issue as apparently nobody feels that it is "their business". Who are we waiting for? The IETF, OASIS, W3C, EU, or the UN? Or are we maybe waiting for Microsoft and VeriSign?
A LONG-TERM REMEDY
To create a foundation for a more robust and "frictionless" PKI-secured e-business, I strongly believe that there should, in the long term, be a one-to-one mapping between [basic] business message identities and certificate identities. As the business community is never going to adopt X.500 naming, as well as having their own naming problems, this will likely require changes on both sides. A possible scheme using the currently only globally functioning naming system (DNS/URIs) is that entities are uniquely defined by two elements:
- A naming domain (name space) based on a URI like: "http://www.visa.com/cc"
- A local identifier in that domain like: 4555-5555-2244-8888
Although the example identifies a credit card, the scheme works for just about any kind of object or entity. An advantage of using HTTP URIs is that you usually can get further information "by clicking on the link".
Regards,
Anders Rundgren
Senior Internet e-commerce Architect
+46 70 - 627 74 37
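The two-part identity scheme sketched in the message (naming domain URI plus local identifier), as an added example that is not part of the original post: it composes the identifier, normalises textual variants of the URI, and lets the certificate govern by accepting the document's claimed identity only when the certificate vouches for the same URI. The certificate side is modelled as the list of URI names a relying party would read from the signer's certificate; the function names and the sample values are constructed for this example.

```python
# Added example, not from the original message. Identities are URIs built as
# <naming domain>/<local identifier>; the certificate's vouched-for URIs are
# assumed to be supplied by whatever parses the signer's certificate.
from typing import List, Optional
from urllib.parse import quote, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_uri(uri: str) -> str:
    """Normalise scheme/host case, drop default ports and trailing slashes,
    so that textual variants of the same name compare equal."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path.rstrip("/")
    return urlunsplit((scheme, netloc, path, "", ""))


def entity_id(naming_domain: str, local_id: str) -> str:
    """Compose the globally unique identifier from the two elements.
    The local identifier is percent-encoded so it cannot escape its domain."""
    return canonical_uri(naming_domain) + "/" + quote(local_id, safe="")


def governing_identity(claimed: str, cert_uris: List[str]) -> Optional[str]:
    """Return the certificate-vouched identity that matches the identity
    claimed in the business document, or None when the certificate does not
    vouch for that claim. The certificate governs: an unbacked claim is not
    treated as the sender's identity."""
    want = canonical_uri(claimed)
    for uri in cert_uris:
        if canonical_uri(uri) == want:
            return want
    return None


if __name__ == "__main__":
    # Constructed sample data: the card from the message and a certificate
    # name that differs only in case and an explicit default port.
    card = entity_id("http://www.visa.com/cc", "4555-5555-2244-8888")
    cert_names = ["HTTP://WWW.VISA.COM:80/cc/4555-5555-2244-8888"]
    print(governing_identity(card, cert_names))   # bound: certificate vouches for it
    other = entity_id("http://www.visa.com/cc", "1111-2222-3333-4444")
    print(governing_identity(other, cert_names))  # None: claim not backed by certificate
```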