Subject: RE: [egov] Missing Securty: Update Working Draft for Workflow Standards



> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@telia.com] 
> Sent: Tuesday, October 05, 2004 11:22 AM
> To: Chiusano Joseph
> Cc: OASIS eGov list
> Subject: Re: [egov] Missing Securty: Update Working Draft for 
> Workflow Standards
> 
> Joe,
> 
> >Thanks for the additional information. I'm looking at p.2 of your 
> >document now, and I believe that this can/should be handled through 
> >some type of contract between the two organizations, with a certain 
> >level of mutual trust specified. I see this as more of an 
> >operational issue.
> 
> I remain puzzled.  Do you mean that:
> 1. Purchasing systems do not need to be able to read purchase orders (Q2)?

Of course not. :)

> 2. Contracts can eliminate the laws of encryption?
> Hopefully not.

Of course not.
 
> >Please let me know if there are more specifics either within or 
> >outside your document that may factor in, that I have not 
> >taken into account.
> 
> You did not apply the described scheme that is the foundation 
> of the Federal PKI saying that message security is a 
> client-level-issue using employee encryption certificates 
> published in directories.  If you don't use this, most of the 
> foundation and motivation is gone.

[Please note that the response that follows is not a statement regarding
any federal PKI initiative, and is strictly limited to the contents of
the document we are discussing] 
If you believe that this is critical to the issue you are raising in
your document, I would recommend that you describe the above concept
further within the document itself. According to my interpretation of
your document, the strongest message I get from your document is that
"publishing employee certificates in directories is not as
straightforward as it seems", and "one must take into account various
questions (which are listed on p.2)". With only that context (and not
going beyond it in any way to make any type of statement regarding areas
such as #1 and #2 in your response above), I still believe that the
central idea here is inter-organization contracts and trust. I would
recommend you consider taking that position and building your argument
from there. Again, I'd like to respectfully emphasize that I'm not
making any statements beyond the scope of what I've described here.
 
Kind Regards,
Joe Chiusano
Booz Allen Hamilton
Strategy and Technology Consultants to the World

> >We can also keep in mind that end-to-end security is much more than 
> >PKI, and in fact may not even involve PKI at all (as described in the 
> >WSS specifications). I know this is something you definitely know - I'm 
> >just choosing to point it out for purposes of the thread.
> 
> That is correct, but then we are again not talking about the 
> Federal PKI architecture which is the e-gov "gold standard" to date.
> 
> Anders R
> 

