- From: Mishra, Prateek <pmishra@netegrity.com>
- Date: Wed, 5 Jul 2000 14:25:24 -0400
- To: "'Krishna Sankar'" <ksankar@cisco.com>, "'xml-dist-app@w3.org'" <xml-dist-app@w3.org>
- Cc: "Chippada, Radhika" <rchippada@netegrity.com>
Hi Krishna,

You mentioned RosettaNet which is a good example of an existing B2B framework. It might be useful to analyze the existing security framework in RosettaNet in regards to security (Authentication, Authorization).

My understanding is that RosettaNet primarily uses transport-level security secured by HTTPS + Client certificates for Authentication. The subject common name is used to figure out the identity of the individual or service pushing the document (transport identity). Authorization is derived from transport identity and Activity Name. Roughly speaking, this translates to: Is this identity authorized to carry out this activity?

PIPs also specify Non-repudiation of receipt and Origin and Content. In RosettaNet, this simply means that the sender or receiver agree to store the receipt or original document for an agreed upon period of time in its original form.

Additional security is available thru Business Data Entity Security. This basically means that individual data items can be encrypted, included in a message digest and digitally signed.

Is that a complete list of security features within RosettaNet? How far do we need to go beyond this list in XML Message Exchange frameworks?

- prateek mishra
Netegrity, Inc.
Waltham, MA

> -----Original Message-----
> From: Krishna Sankar [mailto:ksankar@cisco.com]
> Sent: Tuesday, July 04, 2000 2:27 PM
> To: xml-dist-app@w3.org
> Subject: Re: SOAP header for authentication etc
>
> Hi,
>
> Saw your posting. Yes, we need support for security. Building in security related stuff in the SOAP specification will add interoperability. This is more important now, because BizTalk is based on SOAP.
>
> As you know BizTalk is agnostic to temporal and spatial requirements plus it is distributed across organizations. So we need security mechanisms as we do not know where the documents will travel thru and reside: queues, mail slots, ftp sites et al. I really wouldn't trust an open PO thru the BizTalk framework as it stands now (agreed it is only a draft).
>
> I would like to see the following security related features (and am ready to offer help. We should be able to sit together and figure out common requirements):
>
> 1. Authentication (not only between servers and clients but between applications)
> 2. I am also a fan of Role Based Authorizations and would like to see if we can extend that concept.
> 3. Support for confidentiality, Integrity and repudiation - Signatures, certificates, time services et al
>
> FYI, I come from the B2B world (RosettaNet et al) and so wouldn't mind seeing these at BizTalk level. What do you think? What we do not want is two signatures and two encryptions - one at BizTalk level and another at SOAP level.
>
> cheers
Received on Wednesday, 5 July 2000 14:09:14 UTC
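Added example (my own code, not RosettaNet's and not from either message in the thread) of the authorization model Prateek describes: transport identity taken from the client certificate's subject CN, a deny-by-default check of that identity against the Activity Name, and a receipt record kept together with its digest for non-repudiation. The partner names, activities and the sample document are constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed partner agreement: which transport identity (certificate CN)
# may perform which Activity Name. Anything not listed here is denied.
AGREEMENTS = {
    "acme-supplier.example": {"Request Purchase Order", "Notify of Shipment"},
    "globex-buyer.example": {"Request Purchase Order"},
}


def subject_cn(subject_dn):
    """Return the CN attribute of an RFC 2253-style subject DN such as
    'CN=acme-supplier.example,O=Acme,C=US'. A comma escaped as '\\,'
    stays inside the attribute value. A DN without a CN yields None."""
    parts, cur, i = [], [], 0
    while i < len(subject_dn):
        ch = subject_dn[i]
        if ch == "\\" and i + 1 < len(subject_dn):
            cur.append(subject_dn[i + 1])  # keep the escaped character
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    for part in parts:
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def authorize(subject_dn, activity):
    """Is this identity authorized to carry out this activity?
    Deny by default: unknown CN or unlisted activity both fail."""
    cn = subject_cn(subject_dn)
    return cn is not None and activity in AGREEMENTS.get(cn, set())


def receipt_record(document, retention_days, now=None):
    """Non-repudiation of receipt/content: store the original bytes with a
    digest and a retention deadline so a later dispute can be checked
    against exactly what was received."""
    now = now or datetime.now(timezone.utc)
    return {"sha256": hashlib.sha256(document).hexdigest(),
            "original": document,
            "retain_until": now + timedelta(days=retention_days)}
```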