

Subject: RE: [emergency] CAP Visualization (was RE: CAP Developers' Forum...)


> I am curious about the different approaches that are evolving or being
> proposed for determining who are the authorized CAP message originators
> across various implementation communities and how developers are intending
> to authenticate their messages when processing CAP. This topic would be a
> great addition for the implementers guide!

We're currently using smartcards, both for application access, and data
decryption / targeting of files to certain recipients. These are locked
to a single PC, changing the 'what you have/what you know' paradigm to
one of 'what you have/what you own'. ;) 

Now, while it is trivial to secure a piece of data and deliver it to a
certain user (as well as allow the user to verify signatures) on a
one-way network (symkeys and hashes are basically wrappered with RSA
into 'packages') -- i.e. the package and the pipe is secure -- the main
issue (as you mention) is how do we ensure that the content itself is
legit.

Right now users have to sign in to generate CAP alerts at our headend
over an SSL w3 interface. So in terms of an end-to-end entity it is
secure in its containment. But what about data that enters the system
from 3rd parties... I'd be curious to hear others' thoughts on these
issues.

Also, what is the level of security required? We could go so far as to
say that SSL and session logins are unacceptable since we have no way of
telling if it is someone else using the legit user's user/pass -- what's
the tradeoff/sweet-spot for CAP?

Sorry for the rambling.

Cheers
Kon
