ubl-ndrsc message


Subject: RE: [ubl-ndrsc] Digital Signatures

On Tue, 3 Jun 2003, Paul Thorpe wrote:

>>I have no doubt the email (unencrypted) works fine quite often since there
>>is usually a human judging the authenticity (sometimes with a follow up
>>phone call), but when doing machine to machine transactions (especially
>>when large orders -- or financially significant orders), authentication
>>becomes much more important.  

I share your concerns about M2M communications.  For financially
significant orders, not anyone within a company will be empowered
to operate on them even for humans, much less for machines, as you
pointed out.  Only secured machines with a good, trustable security
infrastructure may perhaps be empowered to handle those.
But to be trustable to a business manager, authentication alone
does not cover the entire requirements of a secured transaction.
A list of things, some of which I mentioned earlier, needs to be
in place.

>>Note, that the proposal is to make the
>>signature field optional so that authentication is not required by UBL,
>>but can be used if desired.  Some business may choose not to accept
>>documents that are not authenticated.

Noted.  Even as an option, such an option needs to be described
in detail for occasions when it does get used by users.
There would then be a need for UBL to survey, assess and identify
a particular mechanism, perhaps what you and others have suggested,
to perform authentication.  But authentication may not be sufficient
for other businesses, so other aspects of secured transactions
need to be looked at, and so on.  That might take us rather
far off from UBL, and I suspect it may need another subcommittee to
look into that, if it is to be pursued.

>>Just look at various machine-based attempts to eliminate spam vs. human
>>recognition of what is or isn't spam.  If UBL documents are exchanged on
>>an open network, someone is going attempt to forge UBL documents.

This reminds me of something I read from IETF's end-to-end principle.
At one point in the development of TCP/IP, it was asked "why would
anyone trust an open network?  Someone is going to forge packets,
so we should build in encryption at the packet level."  Eventually,
the idea was dropped, and fortunately for us, in the majority of
network transport contexts where that security isn't needed, the overheads
of maintaining security consistency are not imposed onto those users.
In particular cases, the end-points will decide what level of
security is applicable to themselves, and have it implemented
above the network and transport layers.

We should learn from those lessons.

Best Regards,
Chin Chee-Kai
Tel: +65-6820-2979
Fax: +65-6743-7875
Email: cheekai@SoftML.Net
