Thread messages:
- Monica J. Martin, Oct 4, 2004 6:45 am
- Anders Rundgren, Oct 4, 2004 11:22 am
- Monica J. Martin, Oct 4, 2004 1:22 pm
- Anders Rundgren, Oct 5, 2004 6:27 am
- Chiusano Joseph, Oct 5, 2004 6:37 am
- Chiusano Joseph, Oct 5, 2004 6:45 am
- Anders Rundgren, Oct 5, 2004 7:16 am
- Monica J. Martin, Oct 5, 2004 7:21 am
- Anders Rundgren, Oct 5, 2004 7:54 am
- Chiusano Joseph, Oct 5, 2004 8:04 am
- Anders Rundgren, Oct 5, 2004 8:27 am
- Monica J. Martin, Oct 5, 2004 8:36 am
- Chiusano Joseph, Oct 5, 2004 8:37 am
- David RR Webber, Oct 5, 2004 9:56 am
- Anders Rundgren, Oct 5, 2004 10:19 am
- David RR Webber, Oct 5, 2004 11:03 am
- Anders Rundgren, Oct 5, 2004 1:51 pm
- David RR Webber, Oct 5, 2004 2:28 pm
Subject: Re: [egov] Missing Security: Update Working Draft for Workflow Standards
From: Anders Rundgren (ande...@telia.com)
Date: Oct 5, 2004 6:27:42 am
Thanx Monica. Although things like WS-Security exist, it only represents a "format". When you put it in a real context, I claim that we have reached an area which is almost unexplored even research-wise. In case of doubts, I urge you and others interested in secure WF applications to read the following short document:
That is, the e-gov working group also needs a security architecture arm in order to get anywhere. As you probably can imagine, this would be pioneering work and probably anything but easy. But that is also the sad truth: nothing screws up interoperability like incompatible security solutions, as "flexibility" is the opposite of "security", since the latter, _by_design_, is rigid.
best
Anders Rundgren

----- Original Message -----
From: "Monica J. Martin" <Moni...@Sun.COM>
To: "Anders Rundgren" <ande...@telia.com>
Cc: "OASIS eGov list" <eg...@lists.oasis-open.org>
Sent: Monday, October 04, 2004 22:22
Subject: Re: [egov] Missing Security: Update Working Draft for Workflow Standards
Anders Rundgren wrote:
Monica & List. I have some input regarding security standards which seem to be lacking.
You could add WS-Security, for example. However, it is also important to note that many pieces are still entirely absent and are not even known targets for standardization. The most obvious deficit is the lack of a method for a user to sign a document/transaction in a browser environment. The only thing I have heard of is XAML, which MSFT is putting in Longhorn, and which unfortunately requires that we all convert to Longhorn. All e-govs are currently investing in proprietary signature solutions, making inter-agency workflow a local matter and definitely not cross-border.
For those who are interested in security, it may be interesting to know that the PKI pioneered by the US federal agencies is largely incompatible with any kind of workflow system server, as a concept based on using employees' encryption certificates will prevent any intermediary service, like a purchasing system, from reading outgoing messages. The governments in northern Europe have therefore defined an entirely different PKI architecture that is compatible with any kind of workflow process.
So maybe you should extend your paper with "missing standards" as well?
mm1: Anders, not all process specifications have implicit support. For example, ebXML BPSS specifies QoS attributes that provide business guidance that could/likely will impact the technical infrastructure: isTamperDetectable, isAuthenticated, and isConfidential. There are also persistent requirements inherent in the non-repudiation capabilities defined. WS-BPEL recommends use of WS-Security (non-normative). WS-Choreography may consider a QoS proposal before their current last call in Dec 2004. WfMC, in earlier documents, specified use of OMG Security Services (CORBA legacy); however, the references I see are implementation-based and in support of conformance requirements.
You have provided some valuable input. Are you suggesting that we cite impacts to adoption of particular process specifications such as (and the list could be quite large) transactions, security, messaging infrastructure, context, authentication, etc.? Should we cite these as constraints and important conditions to consider? Any thoughts from the eGov team would be greatly appreciated. Thank you.
Implementation is not specified. These appear to be impacted by your references above.