- From: Satish Thatte <satisht@microsoft.com>
- Date: Sat, 16 Sep 2000 17:18:09 -0700
- To: "'Krishna Sankar'" <ksankar@cisco.com>, "Mishra, Prateek" <pmishra@netegrity.com>, xml-dist-app@w3.org
- Cc: "Chippada, Radhika" <rchippada@netegrity.com>, "'Prasad Yendluri'" <pyendluri@vitria.com>, "'Vidya Narayanan (Extricity)'" <vidya@extricity.com>
Prateek and Krishna, This is belated but perhaps still relevant. Prasad and Vidya should be able to provide authoritative information about RNIF 2.0 security features. The final version of BizTalk Framework 2.0 (due out in about a month) will have message-level security features centered on S/MIME 3 (in common with RNIF 2.0 to the best of my knowledge). Satish -----Original Message----- From: Krishna Sankar [mailto:ksankar@cisco.com] Sent: Wednesday, July 05, 2000 7:57 PM To: Mishra, Prateek; xml-dist-app@w3.org Cc: Chippada, Radhika Subject: RE: SOAP header for authentication etc Hi, Thanks for the detailed message, of course, Netegrity is famous for your security implementations. As you have mentioned, it is useful to learn from and work with existing standards, especially in case of Rosettanet. IMHO, BizTalk has a lot of synergy with RosettaNet - more synergy than commonality, which is good. 1. As you had mentioned, certificates and SSL (client+server authentication) transport gives RosettaNet wire level security. 2. And we can use the identity from the certificate for authC and authZ. 3. I am not happy with the current repudiation method, as it is the responsibility of the sender/receiver to store the messages plus some non-repudiable timestamp - which requires some good time service.(The sender/receiver also need to store the CRLs). I would rather see this happening at the infrastructure/framework level like from a BizTalk implementation (plus some third party time servers providing the non-repudiable time service) 4. Rosettanet does have digital signature for integrity which we could model after for BizTalk. They use the detached signature approach. 5. Rosettanet does not have encryption which I think it plans to rectify in ver 2.0. 6. I do not know what other security aspects are forthcoming in the RosettaNet 2.0 version. cheers -----Original Message----- From: Mishra, Prateek [mailto:pmishra@netegrity.com] Sent: Wednesday, July 05, 2000 11:25 AM To: 'Krishna Sankar'; 'xml-dist-app@w3.org' Cc: Chippada, Radhika Subject: RE: SOAP header for authentication etc Hi Krishna, You mentioned RosettaNet which is a good example of an existing B2B framework. It might be useful to analyze the existing security framework in RosettaNet in regards to security (Authentication, Authorization). My understanding is that RosettaNet primarily uses transport-level security secured by HTTPS + Client certificates for Authentication. The subject common name is used to figure out the identity of the individual or service pushing the document (transport identity). Authorization is derived from transport identity and Activity Name. Roughly speaking, this translates to: Is this identity authorized to carry out this activity? PIPs also specify Non-repudiation of receipt and Origin and Content. In RosettaNet, this simply means that the sender or receiver agree to store the receipt or original document for an agreed upon period of time in its original form. Additional security is available thru Business Data Entity Security. This basically means that individual data items can be encrypted, included in a message digest and digitally signed. Is that a complete list of security features within RosettaNet? How far do we need to go beyond this list in XML Message Exchange frameworks? - prateek mishra Netegrity, Inc. Waltham, MA > -----Original Message----- > From: Krishna Sankar [mailto:ksankar@cisco.com] > Sent: Tuesday, July 04, 2000 2:27 PM > To: xml-dist-app@w3.org > Subject: Re: SOAP header for authentication etc > > > Hi, > > Saw your posting. Yes, we need support for security. > Building in security > related stuff in the SOAP specification will add > interoperability. This is > more important now, because BizTalk is based on SOAP. > > As you know BizTalk is agnostic to Temporal and spatial > requirements plus > it is distributed across organizations. So we need security > mechanisms as we > do not know where the documents will travel thru and reside, > ques, mail > slots, ftp sites et al. I really wouldn't trust an open PO > thru the BizTalk > framework as it stand now (agreed it is only a draft) > > I would like to see the following security related > features(and an ready to > offer help. We should be able to sit together and figure out common > requirements) > > 1. Authentication (not only between servers and > clients but between > applications) > 2. I am also a fan of Role Based Authorizations > and would like to see if we > can extend that concept. > 3. Support for confidentiality, Integrity and > repudiation - Signatures, > certificates, time services et al > > > FYI, I come from the B2B world (RosettaNet et al) and > so wouldn't mind > seeing these at BizTalk level. What do you think ? What we do > not want is > two signatures and two encryptions - one at BizTalk level and > another at > SOAP level. > > cheers >
Received on Saturday, 16 September 2000 20:18:40 UTC