RE: [regrep] Vote on version 2.03 - ACTION ITEM

[Dale Moberg <dmoberg@cyclonecommerce.com>]

During the first ebXML initiative, lighter-weight authentication (user/password, basic auth ) over SSL was proposed, even

for publishing data to the reg/rep, and for the same reasons Joel suggests here (barriers to entry).

 

However, I think that digital signature, while perhaps not needed for authorization/access purposes, is still something

that provides evidence that the published information is at least definitely from the subject identified

by the distinguished name (according to the certificate issuer). That "trust" credential in the signature allows

people using the published info one check. Possibly some documents need no signature (schemas?); others

like CPPs or CPA templates would benefit from a signature. If you are going to make digital signature optional

(on the publish message and over the published object), then I think you need to preserve a

decent "trust story" for the information items in a repository,

or, failing that, there is an explicit "use at own risk" flag over object

whose trust claims lack credentials/evidence. CPP and CPA template signatures themselves, by the way,

are not mandatory.

 

Dale Moberg

 

 

-----Original Message-----
From: Munter, Joel D [mailto:joel.d.munter@intel.com]
Sent: Thursday, June 13, 2002 8:05 AM
To: 'Damodaran, Suresh'; 'Oasis Registry TC'
Subject: RE: [regrep] Vote on version 2.03 - ACTION ITEM

My primary argument is, "financial and technological barriers to entry."  Certificate acquisition and management are not free and not trivial.  From a practical point, I may choose to make some things that I publish, purely public and dsig just simply is not required.  I want to be able to choose what I sign.  imho Signing entries should be optional.  It has been suggested (by others) that the first two might be reconsidered in the V3 timeframe.

Joel 

 

-----Original Message-----
From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
Sent: Thursday, June 13, 2002 7:57 AM
To: 'Munter, Joel D'; 'Oasis Registry TC'
Cc: Mikula, Norbert H
Subject: RE: [regrep] Vote on version 2.03 - ACTION ITEM

Joel,

 

Responses to your security related, "non-typo" type of comments below.

 

 

Regards,

-Suresh
Sterling Commerce  

-----Original Message-----
From: Munter, Joel D [mailto:joel.d.munter@intel.com]
Sent: Wednesday, June 12, 2002 5:45 PM
To: 'Oasis Registry TC'

 

<snip>

 

line 3696:3697: I still believe that this specification should NOT mandate digital signature for all content per the statement "The Registry Client has to sign the contents before submission - otherwise the content will be rejected."

 

line 3733:3734: I have the same objection to mandating digital signatures on payloads per the text "This packaging assumes that the payload is always signed."
[Damodaran, Suresh] What is your rationale behind your objection?

 

line 3876:3877: Should the second occurrence of public key in the following sentence, "To validate a signature, the recipient of the signature needs the public key corresponding to the signer's public key.," actually be private key?  If not then something else seems very awkward about this sentence.
[Damodaran, Suresh] You are right. It should be "private key." 

 

<snip>