
soa-rm-ra message



Subject: Re: [soa-rm-ra] Non Repudiation & Confidentiality in Figure 52


Thanks Danny,

I appreciate your position, and I'm not about to delay progress further 
just because I respectfully disagree. I will accept the decision in 
favor of action if that's the consensus.

Cheers,
Rex

Thornton, Danny R (IS) wrote:
> Here are the descriptions from the RA for Confidentiality and
> Non-repudiation:
>
> Confidentiality
>
> Confidentiality concerns the protection of privacy of participants in
> their interactions.
> Confidentiality refers to the assurance that unauthorized entities are
> not able to read messages or
> parts of messages that are transmitted.
> Note that confidentiality has degrees: in a completely confidential
> exchange, third parties would
> not even be aware that a confidential exchange has occurred. In a
> partially confidential exchange,
> the identities of the participants may be known but the content of the
> exchange obscured.
>
> Non-repudiation
>
> Non-repudiation concerns the accountability of participants. To foster
> trust in the performance of
> a system used to conduct shared activities it is important that the
> participants are not able to later
> deny their actions: to repudiate them. Non-repudiation refers to the
> means by which a participant
> may not, at a later time, successfully deny having participated in the
> interaction or having
> performed the actions as reported by other participants.
>
>
> Granted, if non-repudiation is being called into question it will be
> because some party disputes another party's actions.  I would not use "a
> Party" in the security section though since the section defines
> principles for the underlying SOA mechanisms that provide secure
> interactions and the definitions and descriptions are currently related
> to Section 3 Figure 4, "Actors, Participants, and Delegates".  The
> underlying SOA mechanisms are providing confidentiality and
> non-repudiation for actions which is why I think that is a more
> appropriate association for the RA.
>
> Danny
>
> -----Original Message-----
> From: Rex Brooks [mailto:rexb@starbourne.com] 
> Sent: Friday, July 31, 2009 7:05 AM
> To: soa-rm-ra@lists.oasis-open.org RA
> Subject: [soa-rm-ra] Non Repudiation & Confidentiality in Figure 52
>
> Hi Folks,
>
> I dug a little deeper into the Issues of Non Repudiation and
> Confidentiality in Figure 52 Secure Interaction, and I still come down
> on the side of the original version of the diagram where these classes
> are connected between Stakeholder and Participant more than between
> Stakeholder or Participant and Action. My reason is that the definitions
> pertain to parties first and foremost and only to action if that action
> is sending a message. My contention is that the key relationship is
> between parties more than between any party and the action.
>
> I offer the following definitions to support this position. The bold and
> capped words are my additions for emphasis and in Confidentiality the
> term 'PARTIES' in square brackets is added as the antecedent to which
> the word 'those' refers. I don't offer these definitions as the ultimate
> authoritative definitions, simply as appropriate and representative. My
> conclusion follows.
> ------------------------------------------------------------------------
>
> Non Repudiation:
>
> Non-repudiation is the concept of ensuring that *A PARTY* in a dispute
> cannot repudiate, or refute the validity of a *STATEMENT OR CONTRACT*. 
> Although this concept can be applied to any *TRANSMISSION*, including
> television and radio, by far the most common application is in the
> verification and trust of signatures.
>
> Regarding digital security, the cryptological meaning and application of
> non-repudiation shifts to mean:[1]
>
> A service that provides proof of the integrity and origin of data.
> An authentication that with high assurance can be asserted to be
> genuine.
>
> Source: Wikipedia: http://en.wikipedia.org/wiki/Non-repudiation
>
> Nonrepudiation:
>
> nonrepudiation: In reference to digital security, nonrepudiation means
> to ensure that a *TRANSFERRED MESSAGE* has been sent and received by the
> *PARTIES* claiming to have sent and received the message. Nonrepudiation
> is a way to guarantee that the sender of a message cannot later deny
> having sent the message and that the recipient cannot deny having
> received the message.
> nonrepudiation can be obtained through the use of:
>
> digital signatures -- function as a unique identifier for an
> *INDIVIDUAL*, much like a written signature.
> confirmation services -- the *MESSAGE* transfer agent can create digital
> receipts to indicate that messages were sent and/or received.
> timestamps -- timestamps contain the date and time a document was
> composed and prove that a document existed at a certain time.
>                    
> Source: Webopedia: http://www.webopedia.com/TERM/N/nonrepudiation.html
>
> Confidentiality
>
> Confidentiality has been defined by the International Organization for
> Standardization (ISO) in ISO-17799 as "ensuring that information is
> accessible only to those [(sic)*PARTIES*] authorized to have access" and
> is one of the cornerstones of information security.
> ------------------------------------------------------------------------
>
> My conclusion is that Non Repudiation and Confidentiality must be
> applied between the Stakeholder with Authority to make Policy and the
> Participant who will perform the Action in order for the Action to be
> possible for Secure Interaction.
>
> Cheers,
> Rex.
>
> --
> Rex Brooks
> President, CEO
> Starbourne Communications Design
> GeoAddress: 1361-A Addison
> Berkeley, CA 94702
> Tel: 510-898-0670


-- 
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-898-0670


