[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [egov] Missing Security: Update Working Draft for Workflow Standards
> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> Sent: Tuesday, October 05, 2004 11:22 AM
> To: Chiusano Joseph
> Cc: OASIS eGov list
> Subject: Re: [egov] Missing Security: Update Working Draft for
> Workflow Standards
>
> Joe,
>
> >Thanks for the additional information. I'm looking at p.2 of your
> >document now, and I believe that this can/should be handled through
> >some type of contract between the two organizations, with a certain
> >level of mutual trust specified. I see this as more of an
> >operational issue.
>
> I remain puzzled. Do you mean that:
> 1. Purchasing systems do not need to be able to read purchase
> orders (Q2)?

Of course not. :)

> 2. Contracts can eliminate the laws of encryption?
> Hopefully not.

Of course not.

> >Please let me know if there are more specifics either within or
> >outside your document that may factor in, that I have not
> >taken into account.
>
> You did not apply the described scheme that is the foundation
> of the Federal PKI saying that message security is a
> client-level-issue using employee encryption certificates
> published in directories. If you don't use this, most of the
> foundation and motivation is gone.

[Please note that the response that follows is not a statement regarding any federal PKI initiative, and is strictly limited to the contents of the document we are discussing.]

If you believe that this is critical to the issue you are raising in your document, I would recommend that you describe the above concept further within the document itself. According to my interpretation of your document, the strongest message I get from your document is that "publishing employee certificates in directories is not as straightforward as it seems", and "one must take into account various questions (which are listed on p.2)".

With only that context (and not going beyond it in any way to make any type of statement regarding areas such as #1 and #2 in your response above), I still believe that the central idea here is inter-organization contracts and trust. I would recommend you consider taking that position and building your argument from there. Again, I'd like to respectfully emphasize that I'm not making any statements beyond the scope of what I've described here.

Kind Regards,
Joe Chiusano
Booz Allen Hamilton
Strategy and Technology Consultants to the World

> >We can also keep in mind that end-to-end security is much more than
> >PKI, and in fact may not even involve PKI at all (as described in the
> >WSS specifications). I know this is something you definitely know - I'm
> >just choosing to point it out for purposes of the thread.
>
> That is correct, but then we are again not talking about the
> Federal PKI architecture which is the e-gov "gold standard" to date.
>
> Anders R
>