
ebxml-msg message


Subject: [OASIS Issue Tracker] Updated: (EBXMLMSG-37) AS4 5.2 Usage Agreement for X.509 token profile use

     [ http://tools.oasis-open.org/issues/browse/EBXMLMSG-37?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pim van der Eijk updated EBXMLMSG-37:

Some explanation from Ian Otto:

TLS Certificates and Certificates used for WS-Security essentially have different requirements in ebMS3 and in web services in general.

TLS Certificates are associated with a site. TLS certificates must be issued by one of the globally recognised certificate issuers as are routinely accepted by the mainstream browsers unless all the participating sites are in some sort of closed community in which case, the TLS certificates may be issued by an authority within the community. Algorithms and key strengths for TLS certificates are generated within internationally established guidelines.

The validity of a TLS Certificate is based on its traceability to a globally established trust anchor and its absence from Certificate Revocation Lists (lists of certificates which are known to be invalid).

For WS-Security where we are talking about securing a connection between two trading partners, the problem is different. The certificates are used on a message-by-message basis and not for the whole site.

The key point becomes the key strength and algorithm of the public/private key pair. The source of the certificate is less relevant. Provided a self-signed certificate is generated with the appropriate rigour, it is just as good as one issued from a commercial certificate vendor in a point-trust scenario. (That is, a scenario in which the trading partners directly exchange certificates with one another and agree to notify each other of any security issue with the exchanged certificates. There are no revocation lists or hierarchies of trust to navigate.)

> AS4 5.2 Usage Agreement for X.509 token profile use
> ---------------------------------------------------
>                 Key: EBXMLMSG-37
>                 URL: http://tools.oasis-open.org/issues/browse/EBXMLMSG-37
>             Project: OASIS ebXML Messaging Services TC
>          Issue Type: Improvement
>          Components: AS4 Profile
>            Reporter: Pim van der Eijk
>            Priority: Minor
> Section 5. defines some operational aspects of AS4 that have to be agreed on in communities.  This section obviously does not have to (and cannot) be complete,  but it is not clear why section 5.2.6 (b) asks which encryption algorithms and minimum key lengths are required, (c) which Certificate Authorities are acceptable for server authentication etc.  these same questions could be asked for SOAP message security,  parameters defined in 

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
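The two validation models Ian Otto contrasts above, as an added example written for this archive page (not code from the thread or from the ebMS3/AS4 specification): a constructed self-signed partner certificate passes the point-trust rules, which consult only the fingerprint exchanged out of band plus the agreed key size and signature algorithm, and fails the TLS model, which requires a chain to a trust anchor (CRL checking, the other half of that model, is not shown). The 2048-bit minimum, the SHA256WithRSA allow-list and the partner-a.example name are assumed usage-agreement values, not taken from the issue.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical community usage-agreement values, the kind of parameter section 5.2.6 asks partners to agree on.
const minRSABits = 2048
var allowedSigAlgs = map[x509.SignatureAlgorithm]bool{x509.SHA256WithRSA: true}

// newSelfSigned builds a constructed self-signed partner certificate with an RSA key of the given size (errors ignored: fixed test data).
func newSelfSigned(bits int) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "partner-a.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Fingerprint is the SHA-256 of the DER certificate: the value partners exchange out of band and pin.
func Fingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.Raw)
}

// PointTrustOK applies the point-trust rules: pinned certificate, agreed key size and signature algorithm. No issuer chain or CRL is consulted.
func PointTrustOK(cert *x509.Certificate, pinnedFP [32]byte) bool {
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	keyStrong := isRSA && pub.N.BitLen() >= minRSABits
	return Fingerprint(cert) == pinnedFP && keyStrong && allowedSigAlgs[cert.SignatureAlgorithm]
}

// ChainTrusted applies the TLS model instead: valid only if the certificate chains to a root in the pool.
func ChainTrusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	strong, weak := newSelfSigned(2048), newSelfSigned(1024)
	pin := Fingerprint(strong) // agreed with the partner out of band
	fmt.Println(PointTrustOK(strong, pin), PointTrustOK(weak, pin), ChainTrusted(strong, x509.NewCertPool()))
}
```

Running it prints `true false false`: the strong pinned certificate is acceptable point-to-point, the 1024-bit one is not, and neither would pass a chain check against an empty trust store.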
