Basic B2B Profile Google Group

Small Updates

2006-04-11T15:03:31Z

Hello,
In order to make the profile easier to understand, in sections 4 and
5 it would be good to have incorrect and correct examples with the
incorrect and correct elements highlighted.
Is there going to be a new revision of the profile?
Thanks,
Brian

Re: Adding WS-SecureConversation to the Basic B2B Profile

2005-06-28T16:55:42Z

Barbara,

I didn't notice any follow-ups to this, so here goes. Yes, you can use
WS-Secure Conversation without WS-Trust.
See section 4 of the WS-SC spec.

As to the question of where (or whether) this fits into the uses of the
profile, basically it is to improve performance
of security operations by virtue of the use of symmetric keys.

Retransmission and MessageId/Timestamp

2005-06-27T20:58:22Z

Please see my blog entry on the matter regarding WS-Addressing LC90:

[link]

Cheers,

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chris...@us.ibm.com
blog: [link]

Rimas Rekasius is out of the office.

2005-05-30T21:45:09Z

I will be out of the office starting 05/26/2005 and will not return until
06/02/2005.

I will respond to your message when I return.

Re: Strength of R5001 (Use of RSA1.5)

2005-05-30T21:05:48Z

Correct

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

Rimas
Rekasius/Chicago/

Re: Strength of R5001 (Use of RSA1.5)

2005-05-25T22:19:54Z

OK, so just to be painfully clear, the proposal is to change

R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorit hm
attribute in an ENCRYPTED_KEY MUST have a value of
"[link]".

R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorit hm

Re: Adding WS-SecureConversation to the Basic B2B Profile

2005-05-25T17:35:32Z

I agree that WS-SecureConversation should be part of the profile. Each
message would typically be signed / encrypted with the sending
endpoint's credential. A WS-SecureConversation endpoint caches the
credentials related to all of its partner endpoints and reuses those
for verification of incoming messages. Each message is verified with

Re: Adding WS-SecureConversation to the Basic B2B Profile

2005-05-16T13:52:05Z

Always questions :-) And this one is probably a naive one, but can you use
WS-SecureConversation without WS-Trust? The Abstract for the spec states
that WS-SecureConversation builds on WS-Security and WS-Trust. And it
looks to me like all of the techniques for establishing a Security Context

Re: Constraining the choice of BSP token profile

2005-05-15T23:44:33Z

Since the BSP has allowed conformance to the base, one can use any token
and still claim conformance, this will sure cause interoperability issues.
I believe is you constrain to the token profiles that the BSP profiles you
should be OK as they have looked at these for interop issues. So

Re: Strength of R5001 (Use of RSA1.5)

2005-05-13T17:01:09Z

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chris...@us.ibm.com
blog: [link]
phone: +1 508 377 9295

Anthony Nadalin/Austin/IBM@IBMUS wrote on 05/13/2005 12:19:42 PM:

(OEAP or RSA1.5) no problem
to "SHOULD" and [link].

Re: Strength of R5001 (Use of RSA1.5)

2005-05-13T16:19:42Z

There are 2 allowed values, if each site chooses the same algorithm (OEAP
or RSA1.5) no problem (only way to do this today is out of band), so this
should be softened to "SHOULD" and [link]
should be made the default value

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

Adding WS-SecureConversation to the Basic B2B Profile

2005-05-13T13:02:09Z

I think that it makes piratical sense to add WS-SecureConversation to the
Basic B2B Profile. as without it, you really can't have secure, reliable
messaging. Besides helping to tremendously increase the performance of
secure Web services, WS-SC also gives you context based (i.e. instance)

Strength of R5001 (Use of RSA1.5)

2005-05-12T20:25:11Z

The current version of the Basic B2B Profile has the following
requirement in it constraining the choice of encryption algorithm:
R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorit hm
attribute in an ENCRYPTED_KEY MUST have a value of
"[link]".
Question: should this be softened to a SHOULD, or is MUST the right

Constraining the choice of BSP token profile

2005-05-12T18:41:44Z

In the early days of developing the Basic B2B Profile, we considered
whether or not to constrain the choice of BSP token profiles which can
be used while conforming to the Basic B2B Profile. If I recall
correctly, I think the thought was that since not all platforms will
support all the same token profiles, it might help interoperability if

Re: Question on R0005 - cardinality of wsa:To header

2005-05-12T15:25:29Z

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chris...@us.ibm.com
blog: [link]
phone: +1 508 377 9295

Doug Davis/Raleigh/IBM@IBMUS wrote on 04/30/2005 07:11:10 PM:

simply "mandatory". Its
that it doesn't say that