OASIS Mailing List Archives

ebxml-msg message

Subject: RE: SSL Mutual Authentication and the Message Service Spec


	"Perhaps we should lobby the MSG TC to remove the
	requirement to support basic authentication in the 1.1 spec."

Agreed.

David Fischer
Drummond Group.

-----Original Message-----
From: Arvola Chan [mailto:arvola@tibco.com]
Sent: Thursday, August 23, 2001 11:41 AM
To: ebxml-cppa@lists.oasis-open.org
Cc: ebxml-msg@lists.oasis-open.org
Subject: Re: SSL Mutual Authentication and the Message Service Spec


I took a look at the Communication Protocol Bindings section (Appendix B) in
the Message Service Spec. Lines 2843 to 2845 state:

"Both [RFC2246] and [SSL3] require the use of server side digital
certificates. In addition client side certificate based authentication is
also permitted. ebXML Message Service handlers MUST support hierarchical
and peer-to-peer trust models."

Therefore, I think the CPP/A 1.1 spec needs to be fixed to support mutual
authentication.

In addition, lines 2823 to 2828 in the Message Service spec state:

"Implementers MAY protect their ebXML Message Service Handlers from
unauthorized access through the use of an access control mechanism. The HTTP
access authentication process described in "HTTP Authentication: Basic and
Digest Access Authentication" [RFC2617] defines the access control
mechanisms allowed to protect an ebXML Message Service Handler from
unauthorized access. Implementers MAY support all of the access control
schemes defined in [RFC2617] however they MUST support the Basic
Authentication mechanism, as described in section 2, when Access Control is
used."

More changes to the CPP/A spec will be necessary to support Basic
Authentication. However, I seriously doubt if basic authentication which
sends user name and password in cleartext is suitable for conducting E
business transactions. Perhaps we should lobby the MSG TC to remove the
requirement to support basic authentication in the 1.1 spec.

-Arvola