Subject: RE: [soa-rm-ra] Non Repudiation & Confidentiality in Figure 52


Here are the descriptions from the RA for Confidentiality and
Non-repudiation:

Confidentiality

Confidentiality concerns the protection of privacy of participants in
their interactions. Confidentiality refers to the assurance that
unauthorized entities are not able to read messages or parts of messages
that are transmitted. Note that confidentiality has degrees: in a
completely confidential exchange, third parties would not even be aware
that a confidential exchange has occurred. In a partially confidential
exchange, the identities of the participants may be known but the content
of the exchange obscured.

Non-repudiation

Non-repudiation concerns the accountability of participants. To foster
trust in the performance of a system used to conduct shared activities it
is important that the participants are not able to later deny their
actions: to repudiate them. Non-repudiation refers to the means by which a
participant may not, at a later time, successfully deny having
participated in the interaction or having performed the actions as
reported by other participants.


Granted, if non-repudiation is being called into question it will be
because some party disputes another party's actions.  I would not use "a
Party" in the security section though since the section defines
principles for the underlying SOA mechanisms that provide secure
interactions and the definitions and descriptions are currently related
to Section 3 Figure 4, "Actors, Participants, and Delegates".  The
underlying SOA mechanisms are providing confidentiality and
non-repudiation for actions which is why I think that is a more
appropriate association for the RA.

Danny

-----Original Message-----
From: Rex Brooks [mailto:rexb@starbourne.com] 
Sent: Friday, July 31, 2009 7:05 AM
To: soa-rm-ra@lists.oasis-open.org RA
Subject: [soa-rm-ra] Non Repudiation & Confidentiality in Figure 52

Hi Folks,

I dug a little deeper into the Issues of Non Repudiation and
Confidentiality in Figure 52 Secure Interaction, and I still come down
on the side of the original version of the diagram where these classes
are connected between Stakeholder and Participant more than between
Stakeholder or Participant and Action. My reason is that the definitions
pertain to parties first and foremost and only to action if that action
is sending a message. My contention is that the key relationship is
between parties more than between any party and the action.

I offer the following definitions to support this position. The bold and
capped words are my additions for emphasis and in Confidentiality the
term 'PARTIES' in square brackets is added as the antecedent to which
the word 'those' refers. I don't offer these definitions as the ultimate
authoritative definitions, simply as appropriate and representative. My
conclusion follows.
------------------------------------------------------------------------

Non Repudiation:

Non-repudiation is the concept of ensuring that *A PARTY* in a dispute
cannot repudiate, or refute the validity of a *STATEMENT OR CONTRACT*.
Although this concept can be applied to any *TRANSMISSION*, including
television and radio, by far the most common application is in the
verification and trust of signatures.

Regarding digital security, the cryptological meaning and application of
non-repudiation shifts to mean:[1]

A service that provides proof of the integrity and origin of data.
An authentication that with high assurance can be asserted to be
genuine.

Source: Wikipedia: http://en.wikipedia.org/wiki/Non-repudiation

Nonrepudiation:

nonrepudiation: In reference to digital security, nonrepudiation means
to ensure that a *TRANSFERRED MESSAGE* has been sent and received by the
*PARTIES* claiming to have sent and received the message. Nonrepudiation
is a way to guarantee that the sender of a message cannot later deny
having sent the message and that the recipient cannot deny having
received the message.
Nonrepudiation can be obtained through the use of:

digital signatures -- function as a unique identifier for an
*INDIVIDUAL*, much like a written signature.
confirmation services -- the *MESSAGE* transfer agent can create digital
receipts to indicate that messages were sent and/or received.
timestamps -- timestamps contain the date and time a document was
composed and prove that a document existed at a certain time.
Source: Webopedia: http://www.webopedia.com/TERM/N/nonrepudiation.html

Confidentiality

Confidentiality has been defined by the International Organization for
Standardization (ISO) in ISO-17799 as "ensuring that information is
accessible only to those [(sic)*PARTIES*] authorized to have access" and
is one of the cornerstones of information security.
------------------------------------------------------------------------

My conclusion is that Non Repudiation and Confidentiality must be
applied between the Stakeholder with Authority to make Policy and the
Participant who will perform the Action in order for the Action to be
possible for Secure Interaction.

Cheers,
Rex.

--
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-898-0670
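The three mechanisms the Webopedia definition quoted above lists (digital signatures, confirmation receipts, timestamps) carried through as one working exchange. This is an added example written for this archive page; it is not code from the thread, from the RA, or from either definition's source. The participants, message content and Unix timestamps are constructed, and the arbiter role is an assumption about how a later dispute would be settled. The point it demonstrates is what distinguishes non-repudiation from plain integrity: every check below runs with public keys only, so a third party who holds neither private key can still decide who sent and who received exactly which message at which time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Party is a participant holding a long-lived Ed25519 key pair. Only Pub is
// shared; priv is what makes a signature attributable to this party alone.
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair for a participant.
func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Pub: pub, priv: priv}, nil
}

// SignedMessage is what the sender transmits: content, composition time
// (Unix seconds) and a signature covering both.
type SignedMessage struct {
	Content   []byte
	Timestamp int64
	Signature []byte
}

// Receipt is the recipient's confirmation: a signature over the digest of
// the exact message received plus the time of receipt.
type Receipt struct {
	Timestamp int64
	Signature []byte
}

// digest hashes a domain label, a payload and a fixed-width timestamp. The
// label keeps message and receipt signatures in separate domains, so one
// can never be passed off as the other.
func digest(label string, payload []byte, ts int64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], uint64(ts))
	h := sha256.New()
	h.Write([]byte(label))
	h.Write(payload)
	h.Write(b[:])
	return h.Sum(nil)
}

// Send produces a message the sender cannot later disown: only the holder
// of p.priv could have produced this signature.
func (p *Party) Send(content []byte, ts int64) SignedMessage {
	return SignedMessage{Content: content, Timestamp: ts,
		Signature: ed25519.Sign(p.priv, digest("message:", content, ts))}
}

// VerifyMessage needs only the sender's public key, so the recipient or a
// third-party arbiter can run it. A forged or altered message fails here.
func VerifyMessage(senderPub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(senderPub, digest("message:", m.Content, m.Timestamp), m.Signature)
}

// Acknowledge is the recipient's receipt for a message it has verified, so
// the recipient cannot later deny having received exactly this message.
func (p *Party) Acknowledge(m SignedMessage, ts int64) Receipt {
	d := digest("message:", m.Content, m.Timestamp)
	return Receipt{Timestamp: ts, Signature: ed25519.Sign(p.priv, digest("receipt:", d, ts))}
}

// VerifyReceipt checks that the receipt was signed by the recipient and
// refers to exactly this message.
func VerifyReceipt(recipientPub ed25519.PublicKey, m SignedMessage, r Receipt) bool {
	d := digest("message:", m.Content, m.Timestamp)
	return ed25519.Verify(recipientPub, digest("receipt:", d, r.Timestamp), r.Signature)
}

func main() {
	// Constructed sample exchange between two hypothetical participants.
	alice, _ := NewParty()
	bob, _ := NewParty()
	msg := alice.Send([]byte("Ship 40 units to warehouse B"), 1248998700)
	rcpt := bob.Acknowledge(msg, 1248998760)

	// An arbiter holding only the two public keys can settle a later dispute.
	fmt.Println("sender signature valid:   ", VerifyMessage(alice.Pub, msg))
	fmt.Println("recipient receipt valid:  ", VerifyReceipt(bob.Pub, msg, rcpt))
	tampered := msg
	tampered.Content = []byte("Ship 400 units to warehouse B")
	fmt.Println("tampered message accepted:", VerifyMessage(alice.Pub, tampered))
}
```

A symmetric MAC over the same fields would give the recipient integrity but not non-repudiation: both parties hold the shared key, so either could have produced the tag and an arbiter cannot tell them apart. The asymmetric signature, the receipt bound to the message digest, and the signed timestamps together are what let the evidence outlive the interaction.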

