Subject: Re: [ebxml-cppa] Arvola's comments on version 1.01
+1

Tony Weida wrote:

> Marty,
>
> I generally agree with your note, but to clarify regarding the following
> sentence:
>
>> It may be perfectly
>> reasonable for middleware functions to be viewed as part of the application
>> and, in this case, to perform the decryption.
>
> As I've said before, "I expect that some security-sensitive applications
> will call for
> transmitting encrypted content between authorized persons or applications,
> not just between their respective MSHs. The latter is more likely to
> compromise security, for example by exposing confidential information to
> unauthorized persons within an enterprise."
>
> So, when the value of the confidentiality attribute is "true", I believe
> that middleware should not decrypt the message on its own, either for
> transmission to the business process application or for persistent storage.
> I agree that the business process application may well invoke middleware
> functionality to perform decryption (which is quite different).
>
> Tony
>
> ----- Original Message -----
> From: "Martin W Sachs" <mwsachs@us.ibm.com>
> To: "Tony Weida" <rweida@hotmail.com>
> Cc: "Arvola Chan" <arvola@tibco.com>; "CPPA"
> <ebxml-cppa@lists.oasis-open.org>
> Sent: Thursday, January 03, 2002 12:25 PM
> Subject: Re: [ebxml-cppa] Arvola's comments on version 1.01
>
>> Tony,
>>
>> With respect to item 2, you are raising the question of "what is middleware
>> and what is the application?" From a MSG viewpoint, the application is
>> everything above the mythical upper interface of the MSH since the MSH has
>> no knowledge of the software structure above it. It may be perfectly
>> reasonable for middleware functions to be viewed as part of the application
>> and, in this case, to perform the decryption. Most likely, even if the
>> code that actually performs the specific business process receives the
>> message encrypted, it will invoke a middleware function to do the
>> decrypting. So, as with other MSH functions, if the MSH function places the
>> encrypted message in the persistent store, that constitutes delivery to the
>> application.
>>
>> Regards,
>> Marty
>>
>> *************************************************************************************
>>
>> Martin W. Sachs
>> IBM T. J. Watson Research Center
>> P. O. B. 704
>> Yorktown Hts, NY 10598
>> 914-784-7287; IBM tie line 863-7287
>> Notes address: Martin W Sachs/Watson/IBM
>> Internet address: mwsachs @ us.ibm.com
>>
>> *************************************************************************************
>>
>> Tony Weida <rweida@hotmail.com> on 01/03/2002 10:29:39 AM
>>
>> To: Arvola Chan <arvola@tibco.com>, CPPA
>> <ebxml-cppa@lists.oasis-open.org>
>> cc:
>> Subject: [ebxml-cppa] Arvola's comments on version 1.01
>>
>> Arvola,
>>
>> Regarding two comments you included for version 1.01 (the version I
>> distributed to the list, with changes highlighted):
>>
>> 1. You commented about lines 339-343: "It was agreed in the joint MSG-CPPA
>> meeting in October that the 1.1 CPP/A spec will not address the
>> requirements
>> for interacting with intermediaries."
>>
>> I believe the identified text is broadly informational in nature and
>> doesn't
>> conflict with your comment, so I'd be inclined to remove that comment from
>> version 1.02. Okay?
>>
>> 2. You commented on the confidentiality attribute, lines 1503-1504) as
>> follows: "I think the last part of the sentence "and delivered, encrypted,
>> to the application" should be struck out. The encryption might have
>> happened
>> before the ebXML message is packaged and signed. The middleware on the
>> receiver side probably should pass the decrypted payload to the destination
>> application."
>>
>> In response, I commented: "I thought the intent of this attribute was to
>> specify confidential delivery between applications, and thus the sentence
>> should remain intact." Is that agreeable, or shall I record this as an
>> issue?
>>
>> Regards,
>> Tony