18 messages in org.oasis-open.lists.egovRe: [egov] Missing Securty: Update Wo...| From | Sent On | Attachments |
|---|---|---|
| Monica J. Martin | Oct 4, 2004 6:45 am |  .pdf |
| Anders Rundgren | Oct 4, 2004 11:22 am | |
| Monica J. Martin | Oct 4, 2004 1:22 pm | |
| Anders Rundgren | Oct 5, 2004 6:27 am | |
| Chiusano Joseph | Oct 5, 2004 6:37 am | |
| Chiusano Joseph | Oct 5, 2004 6:45 am | |
| Anders Rundgren | Oct 5, 2004 7:16 am | |
| Monica J. Martin | Oct 5, 2004 7:21 am | |
| Anders Rundgren | Oct 5, 2004 7:54 am | |
| Chiusano Joseph | Oct 5, 2004 8:04 am | |
| Anders Rundgren | Oct 5, 2004 8:27 am | |
| Monica J. Martin | Oct 5, 2004 8:36 am | |
| Chiusano Joseph | Oct 5, 2004 8:37 am | |
| David RR Webber | Oct 5, 2004 9:56 am | |
| Anders Rundgren | Oct 5, 2004 10:19 am | |
| David RR Webber | Oct 5, 2004 11:03 am | |
| Anders Rundgren | Oct 5, 2004 1:51 pm | |
| David RR Webber | Oct 5, 2004 2:28 pm |
| Subject: | Re: [egov] Missing Securty: Update Working Draft for Workflow Standards | |
|---|---|---|
| From: | Monica J. Martin (Moni...@Sun.COM) | |
| Date: | Oct 5, 2004 8:36:23 am | |
| List: | org.oasis-open.lists.egov | |
Chiusano Joseph wrote:
Anders,
Thanks for the additional information. I'm looking at p.2 of your document now, and I believe that this can/should be handled through some type of contract between the two organizations, with a certain level of mutual trust specified. I see this as more of an operational issue. Please let me know if there are more specifics either within our outside your document that may factor in, that I have not taken into account.
mm1: The process descriptions are an expression of the agreements between parties. Those constraints, over time, may be expressed with automated contractual tooling and capabilities. Therefore, I see no conflict: 1) Agreement conditions will / may exist. The process description and underlying infrastructure are responsible to meet those requirements.
Rundgren: The key-word is "end-2-end security". This is the foundation of the Federal PKI. It among many things means that the sender encrypts a message for the _ultimate_ recepient.
mm1: Anders, I don't see the conflict as that places conditions on the environment, messaging, and the use of the process description. The specifics around how the process is implemented, as Joe indicates, is an operational issue. That could be the constraint that the process description (computable) is used in a process engine housed on a single server meeting the security constraints/conditions. Given the requirements, the process description may surface the QoS properties. How tightly coupled the infrastructure and messaging are bound to the process description and execution, is an agreement decision, don't you think? Thank you.