
ebxml-cppa message



Subject: Re: [ebxml-cppa] Arvola's comments on version 1.01


+1

Tony Weida wrote:

> Marty,
> 
> I generally agree with your note, but to clarify regarding the following
> sentence:
> 
> 
>>It may be perfectly
>>reasonable for middleware functions to be viewed as part of the application
>>and, in this case, to perform the decryption.
> 
> As I've said before, "I expect that some security-sensitive applications
> will call for
> transmitting encrypted content between authorized persons or applications,
> not just between their respective MSHs.  The latter is more likely to
> compromise security, for example by exposing confidential information to
> unauthorized persons within an enterprise."
> 
> So, when the value of the confidentiality attribute is "true", I believe
> that middleware should not decrypt the message on its own, either for
> transmission to the business process application or for persistent storage.
> I agree that the business process application may well invoke middleware
> functionality to perform decryption (which is quite different).
> 
> Tony
> 
> ----- Original Message -----
> From: "Martin W Sachs" <mwsachs@us.ibm.com>
> To: "Tony Weida" <rweida@hotmail.com>
> Cc: "Arvola Chan" <arvola@tibco.com>; "CPPA"
> <ebxml-cppa@lists.oasis-open.org>
> Sent: Thursday, January 03, 2002 12:25 PM
> Subject: Re: [ebxml-cppa] Arvola's comments on version 1.01
> 
> 
> 
>>Tony,
>>
>>With respect to item 2, you are raising the question of "what is middleware
>>and what is the application?" From a MSG viewpoint, the application is
>>everything above the mythical upper interface of the MSH since the MSH has
>>no knowledge of the software structure above it.  It may be perfectly
>>reasonable for middleware functions to be viewed as part of the application
>>and, in this case, to perform the decryption.  Most likely, even if the
>>code that actually performs the specific business process receives the
>>message encrypted, it will invoke a middleware function to do the
>>decrypting. So, as with other MSH functions, if the MSH function places the
>>encrypted message in the persistent store, that constitutes delivery to the
>>application.
>>
>>Regards,
>>Marty
>>
>>
>>
>>*************************************************************************************
>>Martin W. Sachs
>>IBM T. J. Watson Research Center
>>P. O. B. 704
>>Yorktown Hts, NY 10598
>>914-784-7287;  IBM tie line 863-7287
>>Notes address:  Martin W Sachs/Watson/IBM
>>Internet address:  mwsachs @ us.ibm.com
>>
>>
>>*************************************************************************************
>>
>>
>>Tony Weida <rweida@hotmail.com> on 01/03/2002 10:29:39 AM
>>
>>To:    Arvola Chan <arvola@tibco.com>, CPPA
>>       <ebxml-cppa@lists.oasis-open.org>
>>cc:
>>Subject:    [ebxml-cppa] Arvola's comments on version 1.01
>>
>>
>>
>>Arvola,
>>
>>Regarding two comments you included for version 1.01 (the version I
>>distributed to the list, with changes highlighted):
>>
>>1. You commented about lines 339-343: "It was agreed in the joint MSG-CPPA
>>meeting in October that the 1.1 CPP/A spec will not address the
>>requirements for interacting with intermediaries."
>>
>>I believe the identified text is broadly informational in nature and
>>doesn't conflict with your comment, so I'd be inclined to remove that
>>comment from version 1.02.  Okay?
>>
>>2. You commented on the confidentiality attribute (lines 1503-1504) as
>>follows: "I think the last part of the sentence "and delivered, encrypted,
>>to the application" should be struck out. The encryption might have
>>happened before the ebXML message is packaged and signed. The middleware
>>on the receiver side probably should pass the decrypted payload to the
>>destination application."
>>
>>In response, I commented: "I thought the intent of this attribute was to
>>specify confidential delivery between applications, and thus the sentence
>>should remain intact."  Is that agreeable, or shall I record this as an
>>issue?
>>
>>Regards,
>>Tony
>>
>>----------------------------------------------------------------
>>To subscribe or unsubscribe from this elist use the subscription
>>manager: <http://lists.oasis-open.org/ob/adm.pl>
>>