OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-msg-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [ebxml-msg-comment] Re: [ebxml-cppa-comment] A "Trivial"Securee-business Question

Hello all,

Just an implementation-level note on this..

At an international level, DUNS is widespread but is only at legal
entity level (unless you use the less widely adopted DUNS+4).  EAN's GLN
works at all levels and is also quite widely used.

The biggest issue though is that, at a national level, there is usually
some other identifier which makes MUCH more sense to use and that is the
local taxation office defined business number.  At a national level one
can be confident that EVERY business has one and that it is unique - so
it is a perfect identifier.  

For B2B interoperability in Austrlia, a fundamental ID will the ABN
(Australian Business Number).  Every business has one.  Every back
office application records the ABN for itself and its trading partners.
Why would a B2B framework use anything else?  In Australia the most
logical stance is to use ABN for all domestic trade and to encourage any
company engaged in internationl trade to get themselves a DUNS or EAN


Steve Capell
Sydney, Australia
Tel : +61 410 437854

-----Original Message-----
From: Monica J. Martin [mailto:monica.martin@sun.com] 
Sent: Friday, 7 March 2003 6:25 AM
To: Anders Rundgren
Cc: Dale Moberg; ebxml-msg-comment@lists.oasis-open.org;
Subject: Re: [ebxml-msg-comment] Re: [ebxml-cppa-comment] A "Trivial"
Securee-business Question

One word from experience, some time ago there were efforts to identify
just how many organizational numbering systems existed worldwide.  DUNS
is only one of 20 at a minimum.  Do we intend to support them all here?
In addition, the level of specificity of the DUNS may not be to a system
but an organization (for example, reference DUNS+4).


Anders Rundgren wrote:

> Thanx Dale,To put DUNS numbers in DNs is indeed possible but a problem

> is how to inform the software (and users) that the object actually is 
> a DUNS number without creating an arbitrary amount of special DN 
> attributes.  In case you are interested, I have initiated an (not yet
> sanctioned) IETF draft effort to address this as well as many other 
> issues related to the mapping of PKI to business systems.  It exploits

> the fact that practically all commercial CAs as well as most 
> professionally run private CAs, implicitly form a two-level 
> architecture where the CA cert/key vouches for a certain issuance and 
> associated name space (like VeriSign's web-server CA that vouches for 
> DNS host names together with associated owner and nothing else).  By 
> making this de-facto scheme explicit, a foundation for a more robust 
> PKI-to-business-system-mapping is created.  To get back to DUNS, such 
> numbers would to preferably be expressed like 
> http://xmlns.dnb.com/D-U-N-S : 678456123 where the first part would be

> stored at the CA-level, and the actual DUNS number using an existing 
> DN attribute, at the end-entity-level.  Well, it is up to D&B to 
> define the actual name-space but something according to these lines is

> a more "XML-ish" and future-proof way than using special codes to 
> identify DUNS.  There are maybe thousands of possible name-spaces 
> possible as even a company could (I really hope not) define 
> name-spaces for employees, clients, whatever.  It seems that the URI 
> is nowadays the only truly universal way to identify objects with, so 
> it is (about) time for business to adopt this as well.  As we can keep

> our legacy EAN, DUNS, VAT, and SIREN numbers as they are today, this 
> step in not that big.  Although some standards institutions may 
> object. BTW, I would be very happy to get a co-editor or just a 
> reviewer on this draft...  BestAnders Rundgren
>      ----- Original Message -----
>      From: Dale Moberg
>      To: Anders Rundgren ; ebxml-msg-comment@lists.oasis-open.org
>      ; ebxml-cppa-comment@lists.oasis-open.org
>      Cc: ebxml-cppa@lists.oasis-open.org ;
>      ebxml-msg@lists.oasis-open.org ;
>      ebxml-jc@lists.oasis-open.org
>      Sent: Thursday, March 06, 2003 17:46
>      Subject: RE: [ebxml-cppa-comment] A "Trivial" Secure
>      e-business Question
>           Hi Anders,
>           Thanks for your question. I will be adding it to
>           the CPPA agenda at our upcoming face to face in
>           San Diego Mar 10 to 14.
>           Actually this issue was raised during the ebXML TA
>           Risk and Security analysis group.
>           The possibility exists for multiple partyIds being
>           used in both Messaging and CPPA. The systems for
>           identification of a subject are varied and CPPA
>           has a draft discussing some of the alternatives.
>           Then system configurations can add the
>           Distinguished Name (DN) system of X.509 as one
>           "type" of PartyId, and use the IETF's string
>           serialization of DN  to carry values. In that way
>           we can convey multiple IDs for the party
>           (=subject) , without imposing constraints on the
>           DN in the certificate itself.
>           I t might, however, be worthwhile exploring
>           conventions for how users of one PartyID naming
>           scheme make use of, say, DUNS numbers in a DN
>           Like you,  I am not certain either how to obtain a
>           consensus for such a convention or how to gain
>           sanction for that convention-- that is, what
>           standards body approval would be appropriate. Also
>           would the same DN be used in the possibly distinct
>           certificates involved in SSL/TLS, digital
>           signature on a message, application security and
>           so on?
>           T he DNS name is one that is now used within
>           SSL/TLS, to identify a server. That keypair is
>           usually under tight control of the server and it
>           can be a job to make it available to other
>           applications unless they both support pkcs12
>           export/import (and even then it can be a job!!).
>           S o it is definitely worth considering at the face
>           to face, and I will also try to raise the issue
>           during the joint meetings next Wednesday with
>           Messaging.
>           Dale Moberg
>           ---------------------------------------------------
>           Question:  How should the identity as expressed in
>           a business document relate to the identity as
>           expressed by the signer's certificate?
>           ---------------------------------------------------
>           Among the complications we find
>             1. The PKI-identity is presumably "strong" as it
>                is vouched for by a CA, while the identity in
>                the business document is only "claimed" by
>                the entity itself.  ==> The PKI identity is
>                governing?
>             2. The hierarchical naming system used by PKI
>                (X.500) is completely different to the
>                various naming schemes used in businesses.
>             3. Some PKI-folks claim that signatures should
>                be tied to individuals.  Does this mean that
>                the signer's certificate in the sample should
>                identify John Doe of Big Buyer Corp.?
>             4. The receivers (relying parties) are automated
>                processes supposed to securely handle similar
>                messages from numerous business parties.
>             5. Current e-commerce standards like ebXML and
>                Web Services does not address this basic
>                question.
>           One can note that the only PKIs working on a
>           global scale, are building on a one-to-one
>           identity mapping between the entity's perceived
>           identity and the identity as expressed in the
>           certificate.  Yes, I of course refer to e-mail and
>           web-server certificates.   Other aspiring users of
>           PKI, like e-commerce, have not even begun to look
>           into this issue as apparently nobody feels that it
>           is "their business".  Who are we wainting for?
>           The IETF, OASIS, W3C, EU, or the UN?  Or are we
>           maybe waiting for Microsoft and VeriSign?.
>           A LONG-TERM REMEDY
>           To create a foundation for a more robust and
>           "frictionless" PKI-secured e-business, I strongly
>           believe that there long-term should be a
>           one-to-one mapping between [basic] business
>           message identities and certificate identities.  As
>           the business community is never going to adopt
>           X.500 naming, as well as having their own naming
>           problems, this will likely require changes on both
>           sides.  A possible scheme using the currently only
>           globally functioning naming system (DNS/URIs), is
>           that entities are uniquely defined by two
>           elements:
>           - A naming domain (name space) based on a URI
>           like: "http://www.visa.com/cc"
>           - A local identifier in that domain like:
>           4555-5555-2244-8888
>           Although the example identified a credit-card, the
>           scheme works for just about any kind of object or
>           entity.  An advantage of using HTTP URIs is that
>           you usually can get further information "by
>           clicking on the link".Regards
>           Anders Rundgren
>           Senior Internet e-commerce Architect+46 70 - 627
>           74 37

To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>

To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]