RE: [egov] Missing Securty: Update Working Draft for Workflow Standards

["Chiusano Joseph" <chiusano_joseph@bah.com>]

> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@telia.com] 
> Sent: Monday, October 04, 2004 2:18 PM
> To: Monica J. Martin; OASIS eGov list
> Subject: Re: [egov] Missing Securty: Update Working Draft for 
> Workflow Standards
> 
> Monica & List.
> I have some input regarding security standards which seems to 
> be lacking.
> 
> You could add WS-Security for example.  However, it is also 
> important to note that many pieces still are entirely absent 
> and are not even known targets for standardization.  The most 
> obvious deficit is the lack of a method for a user to sign a 
> document/transaction in a browser environment.  The only 
> thing I have heard of is XAML that MSFT is putting in 
> Longhorn that unfortunately requires that we all convert to 
> Longhorn.  

Anders, you may want to review the SAML Technical Overview document that
is available on the SAML home page, if you haven't done so already.
There are some use cases there that may satisfy your needs.

> All e-govs are currently investing in proprietary 
> signature solutions making inter-agency workflow a local 
> matter and definitely not cross-border.
> 
> For those who are interested in security it may be 
> interesting to know that the PKI pioneered by the US federal 
> agencies 

Could you perhaps be a bit more specific as to which initiative you are
referring to, as there are multiple inititiatives that may fit this
description?

> is largely incompatible with any kind of workflow 
> system server 

IMHO, the concepts of security and workflow should be orthagonal to one
another - that is to say that, as I view this, given the current
advanced state of digital security and the world of loose coupling,
there should not be such a roadblock in "marrying" security and
workflow, and there should not be such a strong "dependency" between the
two that such an incompatibility would exist. I would, however, be very
interested to here more details on why your experience shows that this
is the case.

> as a concept that is based on using encryption 
> certificates of employees will disable any intermediary 
> service like a purchasing system from reading outgoing 
> messages.  

I envision that use of SAML to present a PKI-based security token could
solve the problem here.

Kind Regards,
Joe Chiusano
Booz Allen Hamilton

> The governments in northern Europe have therefore 
> defined an entirely different PKI architecture that is 
> compatible with any kind of workflow process.
> 
> So maybe you should extend your paper with "missing standards"
> as well?
> 
> Anders Rundgren
> Consultant e-infrastructure
> 
> ----- Original Message -----
> From: "Monica J. Martin" <Monica.Martin@Sun.COM>
> To: "OASIS eGov list" <egov@lists.oasis-open.org>
> Sent: Monday, October 04, 2004 15:46
> Subject: [egov] 10/4/2004: Update Working Draft for Workflow Standards
> 
> 
> See attached updated workflow draft. It is important to note that:
> 
>     * Changes may be forthcoming in WfMC that may 
> complement/change this
>       evaluation, similar to those that occurred in BPMI.org.
>     * New emerging specifications may complement/replace WfMC 
> capabilities.
>     * More information is required to understand the relative 
> importance
>       of the human workflow, the process definition and the conditions
>       and constraints applied (and visible to the enabling processes).
>     * I've not updated any recommendations pending feedback from the
>       eGov team and user community.
> 
> I would encourage any feedback as I have not received any to 
> date other than from John Borras (and to complement the great 
> work by eEnvoy). See you in a few! I will upload to eGov site 
> as well. Thank you.
> 
> 
> 
> --------------------------------------------------------------
> ------------------
> 
> 
> To unsubscribe from this mailing list (and be removed from 
> the roster of the OASIS TC), go to 
> http://www.oasis-open.org/apps/org/workgroup/egov/members/leav
e_workgroup.php.
> 
> 
> To unsubscribe from this mailing list (and be removed from 
> the roster of the OASIS TC), go to 
> http://www.oasis-open.org/apps/org/workgroup/egov/members/leav
e_workgroup.php.
> 
>