
ebxml-cppa message



Subject: Re: [ebxml-cppa] Arvola's comments on version 1.01


Marty,

I generally agree with your note, but to clarify regarding the following
sentence:

> It may be perfectly
> reasonable for middleware functions to be viewed as part of the application
> and, in this case, to perform the decryption.

As I've said before, "I expect that some security-sensitive applications
will call for transmitting encrypted content between authorized persons or
applications, not just between their respective MSHs.  The latter is more
likely to compromise security, for example by exposing confidential
information to unauthorized persons within an enterprise."

So, when the value of the confidentiality attribute is "true", I believe
that middleware should not decrypt the message on its own, either for
transmission to the business process application or for persistent storage.
I agree that the business process application may well invoke middleware
functionality to perform decryption (which is quite different).

Tony

----- Original Message -----
From: "Martin W Sachs" <mwsachs@us.ibm.com>
To: "Tony Weida" <rweida@hotmail.com>
Cc: "Arvola Chan" <arvola@tibco.com>; "CPPA"
<ebxml-cppa@lists.oasis-open.org>
Sent: Thursday, January 03, 2002 12:25 PM
Subject: Re: [ebxml-cppa] Arvola's comments on version 1.01


>
> Tony,
>
> With respect to item 2, you are raising the question of "what is middleware
> and what is the application?" From a MSG viewpoint, the application is
> everything above the mythical upper interface of the MSH since the MSH has
> no knowledge of the software structure above it.  It may be perfectly
> reasonable for middleware functions to be viewed as part of the application
> and, in this case, to perform the decryption.  Most likely, even if the
> code that actually performs the specific business process receives the
> message encrypted, it will invoke a middleware function to do the
> decrypting. So, as with other MSH functions, if the MSH function places the
> encrypted message in the persistent store, that constitutes delivery to the
> application.
>
> Regards,
> Marty
>
>
> *************************************************************************************
>
> Martin W. Sachs
> IBM T. J. Watson Research Center
> P. O. B. 704
> Yorktown Hts, NY 10598
> 914-784-7287;  IBM tie line 863-7287
> Notes address:  Martin W Sachs/Watson/IBM
> Internet address:  mwsachs @ us.ibm.com
>
> *************************************************************************************
>
>
>
> Tony Weida <rweida@hotmail.com> on 01/03/2002 10:29:39 AM
>
> To:    Arvola Chan <arvola@tibco.com>, CPPA
>        <ebxml-cppa@lists.oasis-open.org>
> cc:
> Subject:    [ebxml-cppa] Arvola's comments on version 1.01
>
>
>
> Arvola,
>
> Regarding two comments you included for version 1.01 (the version I
> distributed to the list, with changes highlighted):
>
> 1. You commented about lines 339-343: "It was agreed in the joint MSG-CPPA
> meeting in October that the 1.1 CPP/A spec will not address the
> requirements for interacting with intermediaries."
>
> I believe the identified text is broadly informational in nature and
> doesn't conflict with your comment, so I'd be inclined to remove that
> comment from version 1.02.  Okay?
>
> 2. You commented on the confidentiality attribute (lines 1503-1504) as
> follows: "I think the last part of the sentence "and delivered, encrypted,
> to the application" should be struck out. The encryption might have
> happened before the ebXML message is packaged and signed. The middleware
> on the receiver side probably should pass the decrypted payload to the
> destination application."
>
> In response, I commented: "I thought the intent of this attribute was to
> specify confidential delivery between applications, and thus the sentence
> should remain intact."  Is that agreeable, or shall I record this as an
> issue?
>
> Regards,
> Tony
>

