ebxml-msg-as4 message

Subject: RE: [ebxml-msg-as4] CEM for AS4


 

 


From: Timothy Bennett [mailto:timothy@drummondgroup.com]
Sent: Tuesday, January 27, 2009 9:25 AM
To: ebxml-msg-as4@lists.oasis-open.org
Cc: Duker, John
Subject: [ebxml-msg-as4] CEM for AS4

 

Let me preface this by clearly stating that this is *not* a proposal for a new feature to be added to AS4 at the 11th hour.  But, it is a survey of opinion and thoughts...

I got an email (and Jacques was CC'd on it) from Wim de Olde, who is the Secretary of the EASEE-gas Technology Standards Working Group (www.easee-gas.org).  They have introduced AS2 into the European energy exchange market in the past and find CEM (Certificate Exchange Messages) to be required for large-scale deployments with 100s of trading partners.

Wim's group apparently is tracking the development of AS4 with considerable interest, and he didn't think that AS4 is requiring CEM or any kind of CEM-like functionality -- which he is correct about.  His opinion is that AS4 should require this kind of functionality.

So, my questions to the group are:

  1. What is your opinion on AS4 requiring some kind of certificate exchange?

I assume you mean that implementations are required to support it. It is OK but it will need some profiling or maybe a new informational RFC to work. Remember that the signature on CEM is CMS (pkcs7-like) while AS4 will be using XMLDigitalSignature and XMLEncryption as profiled by WSS. Also the required metadata values will differ between AS2 and AS4.

  2. I'm guessing there might be one or more Web services standards that define and specify something similar to CEM.  Is there?  What are those standard(s)? What status do those standards have with respect to maturity and uptake in the WS community?

WS-Trust is in the ballpark but actually goes a bit beyond what CEM does (which mainly provides a renewal of expired certificate service).

“In this specification we define extensions to [WS-Security] that provide:

  - Methods for issuing, renewing, and validating security tokens.
  - Ways to establish, assess the presence of, and broker trust relationships.

Using these extensions, applications can engage in secure communication designed to work with the general Web services framework, including WSDL service descriptions, UDDI businessServices and bindingTemplates, and [SOAP] [SOAP2] messages.

 To achieve this, this specification introduces a number of elements that are used to request security tokens and broker trust relationships.”

  3. What kind of effort would it be for this group to add support for this functionality to the profile given #2 above assuming there is consensus around #1?

WS-Trust has not been subject to WSI directly at this point. An updated version is just now being approved.

  4. What kind of implementation effort are we talking about for AS4 product developers?

Defer to Ric. But…

It will probably be a full rewrite or reuse with refactoring at best. Not huge, but not trivial. And we would need to agree on the approach first and then maybe a scope of effort could be estimated. Maybe we could have the EU requirements stated up front so we see whether it would be quicker to write something from scratch, cut and paste CEM into CEM for AS4, or explore WS-Trust.  WS-Trust is in the spirit of the design goals of ebMS 3, which was to be a b2b set of functionality based on ws-splat defined elements.

 

Dale

Timothy
