
Subject: Re: SSL Mutual Authentication and the Message Service Spec


Arvola,

Whether or not BasicAuth is used as an aspect of
the security for a web service/b2b agreement, storing the
user and password information in a CPA would be
a mistake.

This sort of information should be recorded and stored
external to the CPA document itself.

Cheers,

Chris




Arvola Chan wrote:
> 
> Dan:
> 
> Thanks for pointing out the relevant use case. I was just trying to
> find out if there is a need to augment the CPA with user and
> password information to allow basic authentication to be performed.
> 
> Do you think the 1.1 MSG and CPP/A specs need to be aligned
> with respect to the issue of basic authentication?
> 
> Regards,
> -Arvola
> 
> -----Original Message-----
> From: Dan Weinreb <dlw@exceloncorp.com>
> To: arvola@tibco.com <arvola@tibco.com>
> Cc: ebxml-cppa@lists.oasis-open.org <ebxml-cppa@lists.oasis-open.org>;
> ebxml-msg@lists.oasis-open.org <ebxml-msg@lists.oasis-open.org>
> Date: Monday, August 27, 2001 8:36 PM
> Subject: Re: SSL Mutual Authentication and the Message Service Spec
> 
> >   Date: Thu, 23 Aug 2001 09:41:08 -0700
> >   From: Arvola Chan <arvola@tibco.com>
> >
> >   More changes to the CPP/A spec will be necessary to support Basic
> >   Authentication. However, I seriously doubt if basic authentication which
> >   sends user name and password in cleartext is suitable for conducting E
> >   business transactions. Perhaps we should lobby the MSG TC to remove the
> >   requirement to support basic authentication in the 1.1 spec.
> >
> >I agree that sending passwords in cleartext is right out, but perhaps
> >what's being contemplated here is using Basic Authentication over an
> >HTTPS (SSL/TLS) connection to do client authentication in cases where
> >the client doesn't have a private key and associated digital
> >certificate.  That scenario arises a lot in "B2C"; I don't know how
> >likely it is to come up in ebXML interactions.
> >
> 
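The two points raised in this thread, that a Basic Authentication header is cleartext-equivalent unless it travels over TLS, and that a CPA should reference credentials kept outside the document rather than embed them, are easy to demonstrate in a few lines. The following is an added example written for this archive page, not code from any of the posters or from the ebXML specifications. The CPA fragments, the element and attribute names (`Transport`, `Endpoint`, `BasicAuth`, `credentialRef`), the sample credentials and the in-memory credential store are all constructed placeholders and do not follow the real CPP/A schema.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed CPA-style fragments. Element and attribute names are
# hypothetical placeholders, not the ebXML CPP/A schema.
CPA_EMBEDDED = """<CollaborationProtocolAgreement>
  <Transport>
    <Endpoint uri="https://partner.example/ebxml/msh"/>
    <BasicAuth user="msh-client" password="hunter2"/>
  </Transport>
</CollaborationProtocolAgreement>"""

CPA_REFERENCED = """<CollaborationProtocolAgreement>
  <Transport>
    <Endpoint uri="https://partner.example/ebxml/msh"/>
    <BasicAuth credentialRef="partner-msh-basic"/>
  </Transport>
</CollaborationProtocolAgreement>"""

# Constructed stand-in for a credential store kept outside the CPA
# (a vault, an OS keyring, a protected config file), keyed by reference id.
CREDENTIAL_STORE = {"partner-msh-basic": ("msh-client", "hunter2")}

SECRET_ATTRS = {"password", "passwd", "secret"}


def find_embedded_secrets(cpa_xml):
    """List (tag, attribute) pairs in a CPA document that carry a literal secret.

    A non-empty result means the agreement document itself is now sensitive
    and can no longer be shared, versioned or published as a plain contract.
    """
    root = ET.fromstring(cpa_xml)
    hits = []
    for elem in root.iter():
        for attr in elem.attrib:
            if attr.lower() in SECRET_ATTRS:
                hits.append((elem.tag, attr))
    return hits


def decode_basic_header(header_value):
    """Recover (user, password) from an HTTP Basic Authorization header.

    Base64 is an encoding, not encryption: whoever observes the header on an
    unencrypted connection gets the password back with this one call.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def basic_auth_allowed(endpoint_uri):
    """Permit Basic Auth only when the transport is HTTPS, so TLS covers the header."""
    return urlparse(endpoint_uri).scheme == "https"


def build_authorization(cpa_xml, store=CREDENTIAL_STORE):
    """Resolve the CPA's credentialRef against the external store and build the header.

    Returns None (so nothing is sent) when the document embeds the password
    directly, when no reference is present, or when the endpoint is not HTTPS.
    """
    if find_embedded_secrets(cpa_xml):
        return None
    root = ET.fromstring(cpa_xml)
    endpoint = root.find(".//Endpoint")
    auth = root.find(".//BasicAuth")
    if endpoint is None or auth is None:
        return None
    ref = auth.get("credentialRef")
    if ref is None or ref not in store or not basic_auth_allowed(endpoint.get("uri", "")):
        return None
    user, password = store[ref]
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    print(find_embedded_secrets(CPA_EMBEDDED))      # [('BasicAuth', 'password')]
    header = build_authorization(CPA_REFERENCED)
    print(header, decode_basic_header(header))      # the header decodes straight back to user:password
```

The embedded form fails the check before any request is made, the referenced form resolves the credential at send time, and `decode_basic_header` shows why the HTTPS gate matters: the same header that the client sends is all an observer needs to recover the password when TLS is absent.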


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC