Subject: RE: [ebxml-msg] A question about authorisation [SEC=UNCLASSIFIED]
By the way, an enhanced, more fine-grained approach to
pull authorization is defined in section 5.1 of ebMS 3.0 Part
2:
This offers a way to specify the equivalent of "dequeue"
conditions in some messaging products.
AS4 does not require this feature ..
Pim

From: ebxml-msg@lists.oasis-open.org [mailto:ebxml-msg@lists.oasis-open.org] On Behalf Of Otto, Ian
Sent: 01 July 2013 06:44
To: 'Pim van der Eijk'; ebxml-msg@lists.oasis-open.org
Subject: RE: [ebxml-msg] A question about authorisation [SEC=UNCLASSIFIED]

Hi Pim,

Thanks for pointing me at that. I understand that a little better now. SAML is
most suited to the primary header. To use it in a secondary header, it would
have to be used to sign something. Like an X.509 Certificate, the credential
must be exercised to establish ownership.

To give me a little more context on how authorisation
works in a hub scenario, with a Pull request, if I have a hub holding a number
of messages destined for different Receiving MSHs waiting to be collected is it
normal that:

· Messages would be placed in separate MPCs for each Receiving MSH; or
· Messages would be in a single MPC with an authorisation mechanism determining which Receiving MSH could pick up which message (not that I have found this in the standard); or
· Some other way?

Am I on the right track or missing something?

Regards,
Ian Otto.

-----Original Message-----

Hello Ian,

With a pull request there can be two separate WS-Security
headers, one a regular one which can be X.509 based and a separate one for
authorization targeted to an "ebms" actor/role (see section 7.10 in v3.0
Core). So when you propose a SAML token profile, the question is if it
is used as an alternative for the regular WS-Security header and/or this
separate authorization header.

Pim

-----Original Message-----
From: ebxml-msg@lists.oasis-open.org [mailto:ebxml-msg@lists.oasis-open.org] On Behalf Of Mr. Ian Otto
Sent: 27 June 2013 09:19
To: ebxml-msg@lists.oasis-open.org
Subject: [ebxml-msg] A question about authorisation

At yesterday's TC meeting, I received the impression
that X.509 Certificates could not be used for Pull
authorisation. Is that correct? Do you need a username/password for Pull
authorisation?
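
The thread above describes a Pull request carrying a separate authorization header targeted to the "ebms" role, and asks whether a hub would use one MPC per Receiving MSH. The following sketch of that hub-side check is an added example, not part of the original thread or of any OASIS text. It assumes a SOAP 1.2 `role` attribute and a UsernameToken credential; the MPC URIs, usernames, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "eb": "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

def _digest(secret):
    # Stand-in for the hub's credential store; use a password KDF in practice.
    return hashlib.sha256(secret.encode()).digest()

# Constructed policy: one MPC per Receiving MSH, each bound to one credential.
MPC_POLICY = {
    "http://hub.example/mpc/receiverA": ("receiverA", _digest("constructed-A")),
    "http://hub.example/mpc/receiverB": ("receiverB", _digest("constructed-B")),
}

def sample_pull(mpc, user, password):
    """Build a constructed PullRequest envelope with an 'ebms' Security header."""
    return (
        f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:eb="{NS["eb"]}" xmlns:wsse="{NS["wsse"]}">'
        f'<s:Header><eb:Messaging><eb:SignalMessage><eb:PullRequest mpc="{mpc}"/>'
        f'</eb:SignalMessage></eb:Messaging>'
        f'<wsse:Security s:role="ebms"><wsse:UsernameToken>'
        f'<wsse:Username>{user}</wsse:Username><wsse:Password>{password}</wsse:Password>'
        f'</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>'
    )

def authorize_pull(envelope_xml, policy=MPC_POLICY):
    """Return the MPC the caller may pull from, or None if not authorised."""
    root = ET.fromstring(envelope_xml)  # harden the parser for untrusted input
    pull = root.find("s:Header/eb:Messaging/eb:SignalMessage/eb:PullRequest", NS)
    if pull is None or pull.get("mpc") not in policy:
        return None  # missing or unknown MPC: fail closed
    mpc = pull.get("mpc")
    want_user, want_digest = policy[mpc]
    for sec in root.findall("s:Header/wsse:Security", NS):
        if sec.get("{%s}role" % NS["s"]) != "ebms":
            continue  # regular WS-Security header, not the authorisation one
        token = sec.find("wsse:UsernameToken", NS)
        if token is None:
            return None
        user = token.findtext("wsse:Username", "", NS)
        password = token.findtext("wsse:Password", "", NS)
        ok_user = hmac.compare_digest(user.encode(), want_user.encode())
        ok_pass = hmac.compare_digest(_digest(password), want_digest)
        return mpc if (ok_user and ok_pass) else None
    return None  # no header targeted to the "ebms" role
```

The check binds the credential to the requested MPC, so a valid credential for one Receiving MSH does not authorise a pull from another receiver's MPC.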