Re: [pki-tc] B2B & Transaction PKI

[Stephen Wilson <swilson@lockstep.com.au>]

Arshad, 

I agree with your interpretation of "B2B" and your statement of the
preferred scope of the Transaction PKI work.  

Cheers, 

Stephen Wilson.



> Anders,
> 
> Perhaps it is my interpretation of B2B that is inconsistent with
> yours.  Let me define my interpretation so we can be assured we're
> talking about the same thing.
> 
> B2B in my interpretation, is: non-GUI software products, transacting
> programmatically with each other, without human interaction.
> 
> An inventory control module in SAP that automatically sends out a
> Purchase Order to a suppliers' Oracle server over some protocol;
> money transfers between banks and the Fed/Treasury; tax information
> from PeopleSoft Payroll to the IRS (in the US); etc.
> 
> An employee of a bank, ordering office supplies from the corporate
> stationery supplier, using the web interface supplied by the supplier
> is not a B2B transaction in my interpretaion.  A corporate travel
> agent making reservations on an airline for a traveling executive,
> using the airline's website is not a B2B transaction.  The corporate
> tax accountant filing quarterly tax returns at the IRS website using
> the web interface provided by the IRS is not a B2B transaction.  I
> veiw them as variants of B2C/G2C transactions, even though the two
> parties in the transactions are businesses.
> 
> So, when I said that we don't need to address B2B, I meant that this
> SC does not need to address the security requirements for non-GUI
> software modules communicating with others, as XML Signature and XML
> Encryption address those requirements, as does WSS (for XML type data
> structures).  Businesses have always had the ability to add message
> level security for "B2B" transactions using other forms of security
> in the past - S/MIME (as Dale pointed out yesterday); Secure RPC;
> PKCS#7 (using whatever transport you desired) - or just plain vanilla
> VPN's if message-level security was not critical.
> 
> So, to clarify, the Transaction PKI effort will specifically focus on
> Browser-to-Application security.  If this is inconsistent with the
> expectations of the TC and the Steering Commitee, I trust that members
> of this alias will correct me.
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> Anders Rundgren wrote:
> > Arshad,
> > Your response created a myriad of questions but since nobody has the 
> > time to read those I will focus on a single item.
> >  
> > You wrote:
> > /I don't believe we need to address B2B, since that is acheivable today 
> > either through XML Signature & XML Encryption directly (reference 
> > implementation available from Apache at 
> > //http://xml.apache.org/security///) or indirectly through OASIS-WSS - 
> > which uses XML Signature and XML Encryption.  A reference implementation 
> > of XWSS is also available from Sun at 
> > //http://java.sun.com/webservices/downloads/webservicespack.html//.  
> > Businesses just need to start using these API's now to secure their 
> > applications./
> > // 
> > This answer leaves me with two possible interpretations: *
> > **1*) The Transaction PKI project is /unrelated/ to B2B.  It is in this 
> > context worth noting that the majority of /current/ B2B transactions are 
> > indeed invoked by web-browser-based applications.  *
> > 2*) The Transaction PKI project aims to /remove/ (implied by 
> > the end-to-end encryption scheme) /SAP and similar business systems from 
> > the B2B process/.
> > 
> > /Note of these interpretations look particularly attractive in my opinion./
> > 
> > Since the Application Guidelines SC has not produced any documentation 
> > regarding how Transaction PKI is to be applied to B2B (or to anything 
> > else either for that matter), I will post a minimal specification ASAP, 
> > hopefully bringing up some interesting questions on the table.
> >  
> > Regards
> > Anders
> > /
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
> 

--
<Put email footer here>