Subject: Re: SSL Mutual Authentication and the Message Service Spec
Arvola,

Whether or not BasicAuth is used as an aspect of the security for a web service/b2b agreement, storing the user and password information in a CPA would be a mistake. This sort of information should be recorded and stored external to the CPA document itself.

Cheers,

Chris

Arvola Chan wrote:
>
> Dan:
>
> Thanks for pointing out the relevant use case. I was just trying to
> find out if there is a need to augment the CPA with user and
> password information to allow basic authentication to be performed.
>
> Do you think the 1.1 MSG and CPP/A specs need to be aligned
> with respect to the issue of basic authentication?
>
> Regards,
> -Arvola
>
> -----Original Message-----
> From: Dan Weinreb <dlw@exceloncorp.com>
> To: arvola@tibco.com <arvola@tibco.com>
> Cc: ebxml-cppa@lists.oasis-open.org <ebxml-cppa@lists.oasis-open.org>;
> ebxml-msg@lists.oasis-open.org <ebxml-msg@lists.oasis-open.org>
> Date: Monday, August 27, 2001 8:36 PM
> Subject: Re: SSL Mutual Authentication and the Message Service Spec
>
> >   Date: Thu, 23 Aug 2001 09:41:08 -0700
> >   From: Arvola Chan <arvola@tibco.com>
> >
> >   More changes to the CPP/A spec will be necessary to support Basic
> >   Authentication. However, I seriously doubt if basic authentication which
> >   sends user name and password in cleartext is suitable for conducting E
> >   business transactions. Perhaps we should lobby the MSG TC to remove the
> >   requirement to support basic authentication in the 1.1 spec.
> >
> >I agree that sending passwords in cleartext is right out, but perhaps
> >what's being contemplated here is using Basic Authentication over an
> >HTTPS (SSL/TLS) connection to do client authentication in cases where
> >the client doesn't have a private key and associated digital
> >certificate. That scenario arises a lot in "B2C"; I don't know how
> >likely it is to come up in ebXML interactions.