Subject: Re: SSL Mutual Authentication and the Message Service Spec
I took a look at the Communication Protocol Bindings section (Appendix B) in the Message Service Spec. Lines 2843 to 2845 state:

"Both [RFC2246] and [SSL3] require the use of server side digital certificates. In addition client side certificate based authentication is also permitted. ebXML Message Service handlers MUST support hierarchical and peer-to-peer trust models."

Therefore, I think the CPP/A 1.1 spec needs to be fixed to support mutual authentication.

In addition, lines 2823 to 2828 in the Message Service spec state:

"Implementers MAY protect their ebXML Message Service Handlers from unauthorized access through the use of an access control mechanism. The HTTP access authentication process described in "HTTP Authentication: Basic and Digest Access Authentication" [RFC2617] defines the access control mechanisms allowed to protect an ebXML Message Service Handler from unauthorized access. Implementers MAY support all of the access control schemes defined in [RFC2617] however they MUST support the Basic Authentication mechanism, as described in section 2, when Access Control is used."

More changes to the CPP/A spec will be necessary to support Basic Authentication. However, I seriously doubt whether Basic Authentication, which sends user name and password in cleartext, is suitable for conducting e-business transactions. Perhaps we should lobby the MSG TC to remove the requirement to support Basic Authentication in the 1.1 spec.

-Arvola
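The two mechanisms the message contrasts, shown as an added example that is not part of the original post or of the ebXML specifications: the RFC 2617 Basic exchange between a Message Service Handler and a client, with the credentials recovered from the captured request exactly as an on-path observer would recover them (the userid and password are base64-encoded, not encrypted, so without TLS they are effectively cleartext), beside a TLS server context that demands a client certificate, which is what "client side certificate based authentication" amounts to in the handler. The hostname, realm, credentials and captured request are constructed for this example; nothing here is taken from an actual ebXML deployment.

```python
import base64
import binascii
import ssl


def basic_challenge(realm: str) -> str:
    """The 401 challenge a handler sends when it protects itself with Basic (RFC 2617 section 2)."""
    return 'WWW-Authenticate: Basic realm="%s"' % realm


def build_basic_authorization(user: str, password: str) -> str:
    """Client side of the exchange: base64("userid:password"), no secrecy involved."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("iso-8859-1"))
    return "Basic " + token.decode("ascii")


def parse_headers(raw_request: bytes) -> dict:
    """Split an HTTP/1.1 request head into a {lower-case-name: value} dict."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def recover_basic_credentials(raw_request: bytes):
    """What an observer of an unencrypted request learns: (user, password), or None.

    Returns None when there is no Authorization header, when the scheme is not
    Basic (e.g. Digest, whose response is a hash rather than the password), or
    when the token is not valid base64 / not of the form userid ":" password.
    """
    auth = parse_headers(raw_request).get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.decode("iso-8859-1").partition(":")
    if not sep:
        return None
    return user, password


def mutual_tls_server_context(cafile=None) -> ssl.SSLContext:
    """Server context that refuses handshakes without a client certificate.

    In a real handler you would also call ctx.load_cert_chain(...) with the
    server's own certificate and key; cafile is the trust anchor bundle
    (a CA for a hierarchical trust model, or the peer's own certificate for
    peer-to-peer trust). With cafile=None the system default anchors are used.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # CERT_NONE would be plain server-only TLS
    return ctx


# Constructed sample: a request as a client might send it to a Basic-protected
# handler (hostname, path and credentials are made up for this example).
CAPTURED_REQUEST = (
    b"POST /msh HTTP/1.1\r\n"
    b"Host: msh.example.com\r\n"
    b"Authorization: Basic bXNoLXVzZXI6UEBzc3cwcmQ=\r\n"
    b'Content-Type: multipart/related; type="text/xml"\r\n'
    b"\r\n"
)

if __name__ == "__main__":
    print(basic_challenge("ebxml-msh"))
    print("Authorization: " + build_basic_authorization("msh-user", "P@ssw0rd"))
    print("recovered from the wire:", recover_basic_credentials(CAPTURED_REQUEST))
    print("client cert required:",
          mutual_tls_server_context().verify_mode == ssl.CERT_REQUIRED)
```

The recovery step is the whole point of the objection: with Basic, the password itself crosses the wire and any copy of the request yields it, whereas a client certificate never reveals a reusable secret, and a Digest response (which the function deliberately does not decode) carries a hash rather than the password.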