ebxml-msg-comment message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: Re: [ebxml-msg-comment] Re: [ebxml-cppa-comment] A "Trivial"Securee-business Question
- From: "Monica J. Martin" <monica.martin@sun.com>
- To: Anders Rundgren <anders.rundgren@telia.com>
- Date: Thu, 06 Mar 2003 12:24:58 -0700
One word from experience, some time ago there were efforts to identify
just how many organizational numbering systems existed worldwide. DUNS
is only one of 20 at a minimum. Do we intend to support them all here?
In addition, the level of specificity of the DUNS may not be to a system
but an organization (for example, reference DUNS+4).
Thanks.
Anders Rundgren wrote:
> Thanx Dale,To put DUNS numbers in DNs is indeed possible but a problem
> is how to inform the software (and users) that the object actually is
> a DUNS number without creating an arbitrary amount of special DN
> attributes. In case you are interested, I have initiated an (not yet
> sanctioned) IETF draft effort to address this as well as many other
> issues related to the mapping of PKI to business systems. It exploits
> the fact that practically all commercial CAs as well as most
> professionally run private CAs, implicitly form a two-level
> architecture where the CA cert/key vouches for a certain issuance and
> associated name space (like VeriSign's web-server CA that vouches for
> DNS host names together with associated owner and nothing else). By
> making this de-facto scheme explicit, a foundation for a more robust
> PKI-to-business-system-mapping is created. To get back to DUNS, such
> numbers would to preferably be expressed like
> http://xmlns.dnb.com/D-U-N-S : 678456123 where the first part would be
> stored at the CA-level, and the actual DUNS number using an existing
> DN attribute, at the end-entity-level. Well, it is up to D&B to
> define the actual name-space but something according to these lines is
> a more "XML-ish" and future-proof way than using special codes to
> identify DUNS. There are maybe thousands of possible name-spaces
> possible as even a company could (I really hope not) define
> name-spaces for employees, clients, whatever. It seems that the URI
> is nowadays the only truly universal way to identify objects with, so
> it is (about) time for business to adopt this as well. As we can keep
> our legacy EAN, DUNS, VAT, and SIREN numbers as they are today, this
> step in not that big. Although some standards institutions may
> object. BTW, I would be very happy to get a co-editor or just a
> reviewer on this draft... BestAnders Rundgren
>
> ----- Original Message -----
> From: Dale Moberg
> To: Anders Rundgren ; ebxml-msg-comment@lists.oasis-open.org
> ; ebxml-cppa-comment@lists.oasis-open.org
> Cc: ebxml-cppa@lists.oasis-open.org ;
> ebxml-msg@lists.oasis-open.org ;
> ebxml-jc@lists.oasis-open.org
> Sent: Thursday, March 06, 2003 17:46
> Subject: RE: [ebxml-cppa-comment] A "Trivial" Secure
> e-business Question
>
>
> Hi Anders,
> Thanks for your question. I will be adding it to
> the CPPA agenda at our upcoming face to face in
> San Diego Mar 10 to 14.
> Actually this issue was raised during the ebXML TA
> Risk and Security analysis group.
> The possibility exists for multiple partyIds being
> used in both Messaging and CPPA. The systems for
> identification of a subject are varied and CPPA
> has a draft discussing some of the alternatives.
> Then system configurations can add the
> Distinguished Name (DN) system of X.509 as one
> "type" of PartyId, and use the IETF's string
> serialization of DN to carry values. In that way
> we can convey multiple IDs for the party
> (=subject) , without imposing constraints on the
> DN in the certificate itself.
>
> I t might, however, be worthwhile exploring
> conventions for how users of one PartyID naming
> scheme make use of, say, DUNS numbers in a DN
> Like you, I am not certain either how to obtain a
> consensus for such a convention or how to gain
> sanction for that convention-- that is, what
> standards body approval would be appropriate. Also
> would the same DN be used in the possibly distinct
> certificates involved in SSL/TLS, digital
> signature on a message, application security and
> so on?
>
> T he DNS name is one that is now used within
> SSL/TLS, to identify a server. That keypair is
> usually under tight control of the server and it
> can be a job to make it available to other
> applications unless they both support pkcs12
> export/import (and even then it can be a job!!).
>
> S o it is definitely worth considering at the face
> to face, and I will also try to raise the issue
> during the joint meetings next Wednesday with
> Messaging.
> Dale Moberg
>
> ---------------------------------------------------
> Question: How should the identity as expressed in
> a business document relate to the identity as
> expressed by the signer's certificate?
> ---------------------------------------------------
>
> Among the complications we find
>
> 1. The PKI-identity is presumably "strong" as it
> is vouched for by a CA, while the identity in
> the business document is only "claimed" by
> the entity itself. ==> The PKI identity is
> governing?
> 2. The hierarchical naming system used by PKI
> (X.500) is completely different to the
> various naming schemes used in businesses.
> 3. Some PKI-folks claim that signatures should
> be tied to individuals. Does this mean that
> the signer's certificate in the sample should
> identify John Doe of Big Buyer Corp.?
> 4. The receivers (relying parties) are automated
> processes supposed to securely handle similar
> messages from numerous business parties.
> 5. Current e-commerce standards like ebXML and
> Web Services does not address this basic
> question.
>
> One can note that the only PKIs working on a
> global scale, are building on a one-to-one
> identity mapping between the entity's perceived
> identity and the identity as expressed in the
> certificate. Yes, I of course refer to e-mail and
> web-server certificates. Other aspiring users of
> PKI, like e-commerce, have not even begun to look
> into this issue as apparently nobody feels that it
> is "their business". Who are we wainting for?
> The IETF, OASIS, W3C, EU, or the UN? Or are we
> maybe waiting for Microsoft and VeriSign?.
>
> A LONG-TERM REMEDY
>
> To create a foundation for a more robust and
> "frictionless" PKI-secured e-business, I strongly
> believe that there long-term should be a
> one-to-one mapping between [basic] business
> message identities and certificate identities. As
> the business community is never going to adopt
> X.500 naming, as well as having their own naming
> problems, this will likely require changes on both
> sides. A possible scheme using the currently only
> globally functioning naming system (DNS/URIs), is
> that entities are uniquely defined by two
> elements:
>
> - A naming domain (name space) based on a URI
> like: "http://www.visa.com/cc"
> - A local identifier in that domain like:
> 4555-5555-2244-8888
>
> Although the example identified a credit-card, the
> scheme works for just about any kind of object or
> entity. An advantage of using HTTP URIs is that
> you usually can get further information "by
> clicking on the link".Regards
> Anders Rundgren
> Senior Internet e-commerce Architect+46 70 - 627
> 74 37
>
>
----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>
����
����
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]