- From: Frank DeRose <frankd@tibco.com>
- Date: Wed, 6 Dec 2000 15:21:08 -0800
- To: <xml-dist-app@w3.org>
In today's conf call, Oisin proposed appending the following text to R608:

"The Working Group will endeavour to address the issue of electronically signing XP envelope entities with reference to the XML Signature specification."

I believe Oisin made this proposal as a result of an email I sent him (privately, because I thought the issue of digital signatures must have been thrashed out at the first f2f). I've included my original message and Oisin's response below.

Since Alex Ceponkus just sent another email [1] inquiring about digital signatures, it seems we need to discuss this issue more fully. Personally, I think Oisin's proposed wording may be too restrictive since it could be construed as tying us exclusively to XML Signature. As I said in my email to Oisin, I would be happy with the following wording somewhere in the requirements doc (appended to R608?):

"The XP specification should not preclude the use of popular digital signing mechanisms."

Can we get more input from the security experts?

BTW, Alex, great "useful links."

Frank DeRose
TIBCO Software Inc.
3165 Porter Dr
Palo Alto, CA 94303
650-846-5570 (vox)
650-846-1267 (fax)
frankd@tibco.com
www.tibco.com

[1] http://lists.w3.org/Archives/Public/xml-dist-app/2000Dec/0065.html
[2] http://lists.w3.org/Archives/Public/xml-dist-app/2000Nov/0271.html
[3] http://lists.w3.org/Archives/Public/xml-dist-app/2000Nov/0207.html
[4] http://lists.w3.org/Archives/Public/xml-dist-app/2000Oct/0118.html
[5] http://lists.w3.org/Archives/Public/xml-dist-app/2000Oct/0090.html

-----Original Message-----
From: Frank DeRose [mailto:frankd@tibco.com]
Sent: Thursday, November 30, 2000 9:29 PM
To: Oisin Hurley
Subject: RE: [608] Discussion

Oisin,

Regarding DR608, my poor understanding of security tells me there are two aspects to it:

1.) Security like HTTPS implemented through SSL. Clearly, the XP specification should not preclude the use of XP messaging over HTTPS.

2.) Security as implemented through the signing of documents and verification of signatures. This kind of security is mentioned in several emails ([2], [3], [4], [5]).

DR608 seems to address only the first kind of security, while DR046 (which has been ruled out of scope) mixes up both kinds of security. It seems we need two DR's that separate the two kinds of security. For example:

DRx The XP specification should not preclude the use of XP messaging over popular security mechanisms such as SSL and S/MIME.

DRy The XP specification should not preclude the use of popular digital signing mechanisms.

Also, according to R503, "The Working Group will coordinate with W3C XML Activities through the XML Coordination Group and shall use available XML technologies whenever possible." Would this suggest that the XP WG ought to be making use of technology developed by the XML-Signature WG? If that's the case, we could modify DRy as follows:

DRy For digital signatures, the XP specification will incorporate the technology currently being developed by the XML-Signature WG.

Also, where does the XP WG stand with respect to the new XKMS proposal coming out of MSFT, WEBM, RSAS, and VRSN, which seems to take XML-Signature as a given? Like I said, I am not a security whiz (by any means!!), but I guess I find it hard to believe that we would create an XML Protocol that doesn't address digital signatures in one way or another.

My guess is that the issue of digital signatures was probably thrashed around a good bit offline somewhere, perhaps in the first f2f, at which I wasn't present. I'm a latecomer to the WG, so I didn't want to burden the main discussion stream if these issues have already been covered. But, I did want to get an answer to my questions. I know that the value of an XML Protocol to TIBCO is going to be reduced substantially if digital signatures aren't addressed.

Frank DeRose
TIBCO Software Inc.
3165 Porter Dr
Palo Alto, CA 94303
650-846-5570 (vox)
650-846-1267 (fax)
frankd@tibco.com
www.tibco.com

-----Original Message-----
From: Oisin Hurley [mailto:ohurley@iona.com]
Sent: Tuesday, December 05, 2000 1:39 AM
To: Frank DeRose
Cc: Oisín Hurley
Subject: RE: [608] Discussion

Hi Frank,

Please excuse the lateness of my reply as I am currently on the road in Europe and am short of time to do real work!

> 1.) Security like HTTPS implemented through SSL. Clearly, the XP
> specification should not preclude the use of XP messaging over HTTPS.
>
> 2.) Security as implemented through the signing of documents and
> verification of signatures. This kind of security is mentioned in emails
> 0271, 0207, 0118, 0090.

Yes - this is a reasonable assessment. You could say that one is about transport security and the other about security management mechanisms.

> DR608 seems to address only the first kind of security, while DR046 (which
> has been ruled out of scope) mixes up both kinds of security. It seems we
> need two DR's that separate the two kinds of security. For example:
>
> DRx The XP specification should not preclude the use of XP messaging over
> popular security mechanisms such as SSL and S/MIME.
>
> DRy The XP specification should not preclude the use of popular digital
> signing mechanisms.

The latter point, leveraging existing security mechanisms, is addressed (albeit in a general manner) in the general requirement for extensibility in DR700, I think, so we can concern ourselves only with point 1) above.

> Also, where does the XP WG stand with respect to the new XKMS proposal
> coming out of MSFT, WEBM, RSAS, and VRSN, which seems to take
> XML-Signature as a given? Like I said, I am not a security whiz (by any
> means!!), but I guess I find it hard to believe that we would create an
> XML Protocol that doesn't address digital signatures in one way or another.

It should be mentioned that the whole point of getting this XML protocol going was not to bring all this stuff together in the XP specification, but instead to present an extensible envelope into which different things may be put. So there shouldn't (IMO) be an intrinsic security model within XML protocol, but there should be a means to include information about digital signatures, PKI features, PACs etc.

> My guess is that the issue of digital signatures was probably thrashed
> around a good bit offline somewhere, perhaps in the first f2f, at which I
> wasn't present. I'm a latecomer to the WG, so I didn't want to burden the
> main discussion stream if these issues have already been covered.
> But, I did want to get an answer to my questions. I know that the value
> of an XML Protocol to TIBCO is going to be reduced substantially if
> digital signatures aren't addressed.

Well, to my memory it wasn't :) The initial f2f was a bit hectic what with 45 people in the same room all making up requirements and shouting them at the chair. I agree that there is a requirement for ensuring that XML protocol envelopes can be mapped to protocols that have security features and I think I am on your side when I say that it would be a good thing to address the signing of XML Protocol envelopes. I'll put a proposal out to the list today.

many thanks for your comment

--oh

--
ohurley at iona dot com +353 1 637 2639
Received on Wednesday, 6 December 2000 18:20:39 UTC