RE: SOAP header for authentication etc

Hi Krishna,

You mentioned RosettaNet, which is a good example
of an existing B2B framework. It might be useful
to analyze the existing security framework in RosettaNet
with regard to security (Authentication, Authorization).

My understanding is that RosettaNet primarily uses 
transport-level security secured by HTTPS + Client certificates
for Authentication. The subject common name is used 
to figure out the identity of the individual or service
pushing the document (transport identity).

Authorization is derived from transport
identity and Activity Name. Roughly speaking, this translates
to: Is this identity authorized to carry out this activity?

PIPs also specify Non-repudiation of Receipt and of Origin
and Content. In RosettaNet, this simply means that the 
sender or receiver agrees to store the receipt or original 
document for an agreed-upon period of time in its original form. 

Additional security is available through Business Data Entity
Security. This basically means that individual data items can
be encrypted, included in a message digest, and digitally signed. 

Is that a complete list of security features within RosettaNet?
How far do we need to go beyond this list in XML Message Exchange
frameworks?

- prateek mishra

Netegrity, Inc.
Waltham, MA
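An added illustration of the authorization model described above (example code, not from this thread and not RosettaNet's own implementation): the transport identity is taken from the client certificate's subject common name, that identity is checked against the activity name, and the receiver keeps the original document alongside a digest for the non-repudiation retention period. Assumed: the certificate dict is in the shape Python's ssl `getpeercert()` returns, and the policy table, partner names and document are all constructed.

```python
import hashlib
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified client certificate (assumption: this is what the HTTPS layer gives us).
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Supplier"),),
                (("commonName", "po-service.supplier.example"),)),
    "issuer": ((("commonName", "Example Partner CA"),),),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

# Hypothetical authorization table: transport identity -> permitted activity names.
POLICY = {
    "po-service.supplier.example": {"Purchase Order Confirmation", "Query Order Status"},
}


def transport_identity(peer_cert):
    """Return the subject commonName of the client certificate, or None if absent."""
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def is_authorized(identity, activity):
    """Is this identity authorized to carry out this activity? Unknown identity,
    missing CN, or unlisted activity all deny (default-deny)."""
    return identity is not None and activity in POLICY.get(identity, set())


def receipt_record(identity, activity, document):
    """Receipt the receiver stores for non-repudiation: the unmodified original
    bytes plus a digest and timestamp, so a later dispute can check the copy."""
    return {
        "from": identity,
        "activity": activity,
        "received_at": int(time.time()),
        "sha256": hashlib.sha256(document).hexdigest(),
        "original": document,  # kept in its original form for the agreed period
    }


def handle_document(peer_cert, activity, document):
    """Authorize the push; return (accepted, receipt_or_reason)."""
    identity = transport_identity(peer_cert)
    if not is_authorized(identity, activity):
        return False, "identity %r not authorized for %r" % (identity, activity)
    return True, receipt_record(identity, activity, document)
```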


> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Tuesday, July 04, 2000 2:27 PM
> To: xml-dist-app@w3.org
> Subject: Re: SOAP header for authentication etc
> 
> Hi,
> 
> Saw your posting. Yes, we need support for security. Building in
> security-related stuff in the SOAP specification will add
> interoperability. This is more important now, because BizTalk is
> based on SOAP.
> 
> As you know, BizTalk is agnostic to temporal and spatial requirements,
> plus it is distributed across organizations. So we need security
> mechanisms, as we do not know where the documents will travel through
> and reside: queues, mail slots, ftp sites et al. I really wouldn't
> trust an open PO through the BizTalk framework as it stands now
> (agreed, it is only a draft).
> 
> I would like to see the following security-related features (and am
> ready to offer help. We should be able to sit together and figure out
> common requirements):
> 
> 1. Authentication (not only between servers and clients but between
>    applications)
> 2. I am also a fan of Role Based Authorizations and would like to see
>    if we can extend that concept.
> 3. Support for confidentiality, integrity and repudiation - signatures,
>    certificates, time services et al
> 
> FYI, I come from the B2B world (RosettaNet et al) and so wouldn't mind
> seeing these at BizTalk level. What do you think? What we do not want
> is two signatures and two encryptions - one at BizTalk level and
> another at SOAP level.
> 
> cheers
> 

Received on Wednesday, 5 July 2000 14:09:14 UTC