Subject: Re: Security - question about nonrepudiation
Sorry - forgot to include ebxml-cppa on my response.

*************************************************************************************
Martin W. Sachs
IBM T. J. Watson Research Center
P. O. B. 704
Yorktown Hts, NY 10598
914-784-7287; IBM tie line 863-7287
Notes address: Martin W Sachs/Watson/IBM
Internet address: mwsachs @ us.ibm.com
*************************************************************************************

---------------------- Forwarded by Martin W Sachs/Watson/IBM on 07/31/2001 06:42 PM ---------------------------

Martin W Sachs
07/31/2001 06:40 PM
To: "Collier, Timothy R" <timothy.r.collier@intel.com>
cc:
From: Martin W Sachs/Watson/IBM@IBMUS
Subject: Re: Security - question about nonrepudiation (Document link: Martin W. Sachs)

Tim,

The attributes in the BPSS instance document don't say anything about how to actually do nonrepudiation. The CPP/CPA is precisely where the two partners agree on what standard to use (actually XML DSIG is the only one we support) and various details of XML DSIG such as certificates, signature algorithm, transforms, etc.

There are some questions as to whether what is in the CPP/CPA is correct and whether it is comprehensive enough to, for example, cover the application-level response, signing of payload vs signing of the entire message, and the signals that may need to be signed. Some of these questions are covered in my new.work document and the previous Changes document. Others may be called out in the ebXML Risk Assessment document. It does need a thorough going over.

Regards,
Marty

*************************************************************************************
Martin W. Sachs
IBM T. J. Watson Research Center
P. O. B. 704
Yorktown Hts, NY 10598
914-784-7287; IBM tie line 863-7287
Notes address: Martin W Sachs/Watson/IBM
Internet address: mwsachs @ us.ibm.com
*************************************************************************************

"Collier, Timothy R" <timothy.r.collier@intel.com> on 07/31/2001 05:25:40 PM
To: ebxml-cppa@lists.oasis-open.org
cc:
Subject: Security - question about nonrepudiation

All,

If two parties agree on complementary roles within a process specification, and agree on the document properties (in particular signing), don't the nonrepudiation elements in the delivery channel characteristics become superfluous? After all, the parties have agreed on a process specification that includes acknowledgement of receipt, and they have agreed on which documents have signatures attached (in the document exchange).

To me NRR sounds like a requirement on the BP, and NRO is a document requirement for digital signature.

I have heard that the delivery channel is an implementation convenience, which is ok, but it seems even for that the authenticated tag covers the digital signature requirement. And the implementation already is monitoring the runtime process according to the BPSS.

Do you think the nonrepudiation tags in the delivery channel express unique requirements that are not already covered?

Tim

------------------------------------------------------------------
To unsubscribe from this elist send a message with the single word "unsubscribe" in the body to: ebxml-cppa-request@lists.oasis-open.org