OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-cppa message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: Security - coordination with MSH issues (1 general remark and 1 ontransport encryption )

Tim>>  Please add to the list and when we get close to
the Oct F2F, and it is filled in, I would like to send it to the MSH
team.

OK, that sounds like a good plan. I will start with some additions
below.

Tim>>	One of the biggest things, I think, is to make sure that what
gets
worked on in V1.1 in both MSH and CPPA is consistent.  It would be bad
if
one adds something that is not supported by the other.

I believe that there is a little asymmetry here. The MSH may be
normatively
neutral on, for example, digital enveloping. However, we may wish to
explain
how two collaboration participants can agree upon using some known form
of
digital enveloping (for example, using application/pkcs7-mime and so
forth).

While we want to be certain that we cover CPAs that reflect
all ebXML MSG normative features (mandatory or endorsed or mentioned as
options)
we also want to start laying the groundwork for interoperable extensions
or 
restrictions or modifications of the MSG spec. This reflects the very
high
probability that ebXML MSG functionality could be only part of the total
functionality of deployed software modules providing secure transport
for
b2b data, and that actual CPAs may blend MSG features with other
mutually agreed
upon features. 

Under:
Issue-  Define how encryption works.

One factor in using SSL/TLS I have noticed can cause interoperability
problems
is the insistence of one side on high security (128 bits), and a refusal
to
negotiate down in the handshake. For some of the other parameters you
mention,
for many of these, negotiation in real implementations seems to be
fairly
automatic. I guess one question I have in this area is whether and why
we need to
include agreements on parameters that the SSL handshake process should
itself
negotiate? Is this for some site that has very restrictive policies over
what SSL/TLS options are negotiated? Our working assumption has been
that we
would need to document all those parameters that would need to be agreed
upon
to permit interoperability (at the transport security level). We can
extend
that to embrace parameters that need to be agreed upon because of policy
restrictions. But we would not document values for parameters that are
not
really enduser configurable...

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC