[ebxml-msg] ebXML Security

["Miller, Robert (GXS)" <Robert.Miller@gxs.ge.com>]

Title: Reliable / Duplicate / Message Order Inconsistencies

As followup to my concerns about the Security section of the ebXML MSG, I offer the following observations.

 

1) The Namespace defining the Security structures in the ebXML specification is a namespace foreign to the ebXML namespace.

 

2) A conforming SOAP processor will direct processing of the security structures to the handler for that namespace, which might not be same handler as the ebXML namespace handler.  In fact, the ebXML processor might not even be aware of the presence and execution of a security handler.

 

3) End users must be free to purchase security add-on SOAP modules independent of ebXML module

 

4) None of the text in section 4.1 that relates to the definition of specific elements defined by the "ds" namespace can be normative, as the normative definition of these elements is in fact provided in a document prepared by another organization (W3).

 

--------------

 

In my opinion,

 

o - that portion of section 4.1 that addresses specific constructs defined in the"ds" namespace must be relocated to a non-normative Appendix. 

 

o - the ebXML MSG specification may (and probably should) provide guidance on the use of non-ebXML SOAP extensions (such as security).

 

o - ebXML conformance can only address conformance of ebXML specific modules. In particular, it cannot address conformance with respect to those consturcts fgoverned by a 'foreign' namespace.

 

o -  a locator reference to the W3 specification(s) for security should be provided.

 

Cheers,

            Bob Miller