RE: [ebxml-msg] Some suggestions regarding default security settings in ebMS 3.0

["Dale Moberg" <dmoberg@us.axway.com>]

Sacha Schlegel wrote:

In this discussion, signature and encryption were identified as two key
functions, and the order in which they occur. It was noted that ebMS 3.0
no longer specifies the default configuration as was defined in ebMS
2.0.

ebMS 2.0 has two defaults:
a) encrypt first, then sign. As a Note in section 4.1.4.5


Hi Sacha,

The TC found that the ebMS 2.0 default on protection ordering was
actually sign, then encrypt.

The current ebMS 3.0 draft appears to use this as the order default
across any conformance profile.

So the updates proposed for defaults in the Gateway conformance profile
will mainly deal with providing defaults on what an application will
sign and what it will encrypt (when the end users involved do not
otherwise agree on referenced parts, elements, or attachments).