ebxml-msg message

Subject: RE: [ebxml-msg] Message authorization in conf profiles

From: "John Voss (jovoss)" <jovoss@cisco.com>
To: "Durand, Jacques R." <JDurand@us.fujitsu.com>, <ebxml-msg@lists.oasis-open.org>
Date: Tue, 28 Oct 2008 18:14:14 -0700

Hi Jacques,

I think it's better to be more specific and go with the sentence at the end that indicates Authorization for the pull signal must be supported.

It would be a huge security risk to allow non-authenticated pull signals, so this should be mandatory.

As we discussed, X.509 cert authentication should also be available as an option to username/password authentication.

Best Regards,

John

From: Durand, Jacques R. [mailto:JDurand@us.fujitsu.com]
Sent: Tuesday, October 28, 2008 5:59 PM
To: ebxml-msg@lists.oasis-open.org
Subject: [ebxml-msg] Message authorization in conf profiles

Should we be more explicit about the level of support expected for message authorization, as discussed in AS4 SC:

The Gateway conf profiles say:

Support for message authorization at P-Mode level (see 7.10 in [ebMS3]) using wsse:UsernameToken profile, in particular authorization of the Pull signal for a particular MPC.

Should we say instead:

Support for message authorization at P-Mode level (see 7.10 in [ebMS3]) using wsse:UsernameToken profile. Authorization of the Pull signal - for a particular MPC - must be supported at minimum.

Jacques

Follow-Ups:
- RE: [ebxml-msg] Message authorization in conf profiles
  - From: "Durand, Jacques R." <JDurand@us.fujitsu.com>

References:
- Message authorization in conf profiles
  - From: "Durand, Jacques R." <JDurand@us.fujitsu.com>