OASIS Mailing List Archives



security-services message


Subject: Challenge-Response/OBI & S2ML (Anders Rundgren's suggestion)


I have reviewed all of your e-mails expressing concerns
about not including Challenge-Response.

Overall, I agree with Phil's previous response:

> Anders,
> We have no plans to permit the S2ML group to expand
> its scope to include authentication. This was taken out
> of scope because it is addressed in XKMS which is in
> the process of being submitted to W3C.
> The S2ML/Auth-XML group is not the place to raise 
> security issues of that type. It will have enough
> difficulty coming to agreement on the issues that are
> currently in scope without competing with other working
> groups.

S2ML is not about building auth services, it is about
enabling authentication/authorization services to
exchange security information w/other security-enabled internet apps.

However, w.r.t. your previous comments:

> OBI will never take off using S2ML in the version I
> have read (0.7a).  And OBI is really interesting as it
> is a down-to-earth B2B solution that gives you
> a peer-to-peer solution ["Napster for B2B" :-)].
> Partner client certificates unfortunately
> kill the whole idea.

I think it will be useful to review your discussion about the C-R A
problem, particularly your OBI B2B transaction example. Perhaps if you
prepare a write-up we can discuss it as part of the binding sub-group,
Prateek?

Requiring/assuming that there is some pre-established
trust is pretty reasonable, IMO. Trusted networks are
configurable and operationally desirable.

However, I want to know more of what you think are limitations w.r.t.
applying S2ML to OBI transactions.


-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Thursday, January 11, 2001 12:39 AM
To: Ahmed, Zahid; security-services@lists.oasis-open.org
Subject: Re: Subcommittee Questions

> I'm concerned about getting the Use Case & Reqmnts scoped-out/agreed
> soon so that we remain focused and make progress towards getting to
> V 1.0 soon.

You have at least a 3-month (?) lead on this part compared to all the
work of the TC.

For instance chall-resp authentication, is that already out before we
actually start? According to the *draft* it is out, but the draft has not
been voted upon in the TC. I find that a bit strange, particularly when I
note the huge benefits you gain at a rather marginal cost [protocol
overhead, complexity].

But of course such a change would screw up the schedule quite a bit.

On the other hand, isn't that the risk you take by bringing an item to
standardization: that other members (sometimes even the majority) may not
agree with the goals of the original developer(s)?

I would be very happy to see this one *formally* resolved *now* by the
*TC*, as it will have such a major impact on the rest of this work.  If
you want, I can prepare a document showing what you gain/lose by going to
C-R A.  Or can such a decision really wait until the first f2f?  Or is it
already settled?

Anders Rundgren

