OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-cppa message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: SSL Mutual Authentication and the Message Service Spec

I took a look at the Communication Protocol Bindings section (Appendix B) in
the Message Service Spec. Lines 2843 to 2845  state:

"Both [RFC2246] and [SSL3] require the use of server side digital
certificates. In addition client side certificate based authentication is
also permitted. ebXML Message Service handlers MUST support  hierarchical
and peer-to-peer trust models."

Therefore, I think the CPP/A 1.1 spec needs to be fixed to support mutual

In addition, lines 2823 to 2828 in the Message Service spec state:

"Implementers MAY protect their ebXML Message Service Handlers from
unauthorized access through the use of an access control mechanism. The HTTP
access authentication process described in "HTTP Authentication: Basic and
Digest Access Authentication" [RFC2617] defines the access control
mechanisms allowed to protect an ebXM L Message Service Handler from
unauthorized access. Implementers MAY support all of the access control
schemes defined in [RFC2617] however they MUST support the Basic
Authentication mechanism, as described in section 2, when Access Control is

More changes to the CPP/A spec will be necessary to support Basic
Authentication. However, I seriously doubt if basic authentication which
sends user name and password in cleartext is suitable for conducting E
business transactions. Perhaps we should lobby the MSG TC to remove the
requirement to support basic authentication in the 1.1 spec.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC