
RE: SOAP header for authentication etc

From: Krishna Sankar <ksankar@cisco.com>
Date: Wed, 5 Jul 2000 19:57:13 -0700
To: "Mishra, Prateek" <pmishra@netegrity.com>, <xml-dist-app@w3.org>
Cc: "Chippada, Radhika" <rchippada@netegrity.com>
Message-ID: <NABBJDOPDKGCDCNBNEDOIEJACGAA.ksankar@cisco.com>
Hi,

	Thanks for the detailed message; of course, Netegrity is famous for its
security implementations.

	As you have mentioned, it is useful to learn from and work with existing
standards, especially in the case of RosettaNet. IMHO, BizTalk has a lot of
synergy with RosettaNet - more synergy than commonality, which is good.

	1.	As you had mentioned, certificates and SSL (client+server
authentication) transport give RosettaNet wire-level security.
	2.	And we can use the identity from the certificate for authC and authZ.
	3.	I am not happy with the current repudiation method, as it is the
responsibility of the sender/receiver to store the messages plus some
non-repudiable timestamp - which requires some good time service. (The
sender/receiver also need to store the CRLs.) I would rather see this
happening at the infrastructure/framework level, like from a BizTalk
implementation (plus some third-party time servers providing the
non-repudiable time service).
	4.	RosettaNet does have digital signatures for integrity, which we could
model after for BizTalk. They use the detached signature approach.
	5.	RosettaNet does not have encryption, which I think it plans to rectify in
ver 2.0.
	6.	I do not know what other security aspects are forthcoming in the
RosettaNet 2.0 version.

	cheers


-----Original Message-----
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Wednesday, July 05, 2000 11:25 AM
To: 'Krishna Sankar'; 'xml-dist-app@w3.org'
Cc: Chippada, Radhika
Subject: RE: SOAP header for authentication etc


Hi Krishna,

You mentioned RosettaNet which is a good example
of an existing B2B framework. It might be useful
to analyze the existing security framework in RosettaNet
in regards to security (Authentication, Authorization).

My understanding is that RosettaNet primarily uses
transport-level security secured by HTTPS + Client certificates
for Authentication. The subject common name is used
to figure out the identity of the individual or service
pushing the document (transport identity).

Authorization is derived from transport
identity and Activity Name. Roughly speaking, this translates
to: Is this identity authorized to carry out this activity?

PIPs also specify Non-repudiation of receipt and Origin
and Content. In RosettaNet, this simply means that the
sender or receiver agree to store the receipt or original
document for an agreed upon period of time in its original form.

Additional security is available thru Business Data Entity
Security. This basically means that individual data items can
be encrypted, included in a message digest and digitally signed.

Is that a complete list of security features within RosettaNet?
How far do we need to go beyond this list in XML Message Exchange
frameworks?

- prateek mishra

Netegrity, Inc.
Waltham, MA


> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Tuesday, July 04, 2000 2:27 PM
> To: xml-dist-app@w3.org
> Subject: Re: SOAP header for authentication etc
>
>
> Hi,
>
> 	Saw your posting. Yes, we need support for security. Building in
> security-related stuff in the SOAP specification will add interoperability.
> This is more important now, because BizTalk is based on SOAP.
>
> 	As you know, BizTalk is agnostic to temporal and spatial requirements,
> plus it is distributed across organizations. So we need security mechanisms,
> as we do not know where the documents will travel thru and reside: queues,
> mail slots, ftp sites et al. I really wouldn't trust an open PO thru the
> BizTalk framework as it stands now (agreed, it is only a draft).
>
> 	I would like to see the following security-related features (and am
> ready to offer help. We should be able to sit together and figure out common
> requirements):
>
> 	1.	Authentication (not only between servers and clients but between
> applications)
> 	2.	I am also a fan of Role Based Authorizations and would like to see if
> we can extend that concept.
> 	3.	Support for confidentiality, integrity and repudiation - signatures,
> certificates, time services et al
>
>
> 	FYI, I come from the B2B world (RosettaNet et al) and so wouldn't mind
> seeing these at BizTalk level. What do you think? What we do not want is two
> signatures and two encryptions - one at BizTalk level and another at SOAP
> level.
>
> 	cheers
>
Received on Wednesday, 5 July 2000 23:01:45 GMT
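The detached-signature and stored-message non-repudiation scheme the thread discusses (a message kept in its original form, a timestamp, and a signature that does not alter the message), as an added Go example that is not part of the original messages or of any RosettaNet or BizTalk implementation. The record layout, the Ed25519 key pair and the SOAP envelope bytes are constructed assumptions, and the timestamp comes from the local clock where the thread calls for a third-party time service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Record is a constructed (hypothetical) non-repudiation record: the message in
// its original form, the time it was accepted, and a detached signature over
// sha256(message) || timestamp.
type Record struct {
	Message   []byte
	Timestamp int64
	Signature []byte
}

// signedPayload binds the digest to the timestamp so neither can change alone.
func signedPayload(message []byte, ts int64) []byte {
	digest := sha256.Sum256(message)
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return append(digest[:], buf...)
}

// Sign produces a detached signature: the message bytes are not modified.
func Sign(priv ed25519.PrivateKey, message []byte, ts int64) Record {
	sig := ed25519.Sign(priv, signedPayload(message, ts))
	return Record{Message: append([]byte(nil), message...), Timestamp: ts, Signature: sig}
}

// Verify recomputes the digest from the archived copy and checks the signature
// with the sender's public key; any change to message or timestamp fails here.
func Verify(pub ed25519.PublicKey, rec Record) bool {
	return ed25519.Verify(pub, signedPayload(rec.Message, rec.Timestamp), rec.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample envelope, not taken from any real PIP.
	msg := []byte(`<soap:Envelope><soap:Body><PurchaseOrder id="PO-1"/></soap:Body></soap:Envelope>`)
	rec := Sign(priv, msg, time.Now().Unix())
	fmt.Println("archived record verifies:", Verify(pub, rec))
	rec.Message[len(rec.Message)-2] = 'X' // tamper with the archived copy
	fmt.Println("tampered record verifies:", Verify(pub, rec))
}
```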
