Basic B2B Profile Google Group

Small Updates

b...@dcx.com — Tue, 11 Apr 2006 15:03:31 UT

Hello,
In order to make the profile easier to understand, in sections 4 and
5 it would be good to have incorrect and correct examples with the
incorrect and correct elements highlighted.
Is there going to be a new revision of the profile?
Thanks,
Brian

Re: Adding WS-SecureConversation to the Basic B2B Profile

chris...@us.ibm.com (Christopher B Ferris) — Tue, 28 Jun 2005 16:55:42 UT

Barbara,

I didn't notice any follow-ups to this, so here goes. Yes, you can use
WS-Secure Conversation without WS-Trust.
See section 4 of the WS-SC spec.

As to the question of where (or whether) this fits into the uses of the
profile, basically it is to improve performance
of security operations by virtue of the use of symmetric keys.

Retransmission and MessageId/Timestamp

chris...@us.ibm.com (Christopher B Ferris) — Mon, 27 Jun 2005 20:58:22 UT

Please see my blog entry on the matter regarding WS-Addressing LC90:

[link]

Cheers,

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chris...@us.ibm.com
blog: [link]

Rimas Rekasius is out of the office.

ri...@us.ibm.com (Rimas Rekasius) — Mon, 30 May 2005 21:45:09 UT

I will be out of the office starting 05/26/2005 and will not return until
06/02/2005.

I will respond to your message when I return.

Re: Strength of R5001 (Use of RSA1.5)

drsec...@us.ibm.com (Anthony Nadalin) — Mon, 30 May 2005 21:05:48 UT

Correct

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

Rimas
Rekasius/Chicago/

Re: Strength of R5001 (Use of RSA1.5)

ri...@us.ibm.com (Rimas Rekasius) — Wed, 25 May 2005 22:19:54 UT

OK, so just to be painfully clear, the proposal is to change

R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorit hm
attribute in an ENCRYPTED_KEY MUST have a value of
"[link]".

R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorit hm

Re: Adding WS-SecureConversation to the Basic B2B Profile

tfow...@ford.com — Wed, 25 May 2005 17:35:32 UT

I agree that WS-SecureConversation should be part of the profile. Each
message would typically be signed / encrypted with the sending
endpoint's credential. A WS-SecureConversation endpoint caches the
credentials related to all of its partner endpoints and reuses those
for verification of incoming messages. Each message is verified with

Re: Adding WS-SecureConversation to the Basic B2B Profile

bmc...@us.ibm.com (Barbara McKee) — Mon, 16 May 2005 13:52:05 UT

Always questions :-) And this one is probably a naive one, but can you use
WS-SecureConversation without WS-Trust? The Abstract for the spec states
that WS-SecureConversation builds on WS-Security and WS-Trust. And it
looks to me like all of the techniques for establishing a Security Context

Re: Constraining the choice of BSP token profile

drsec...@us.ibm.com (Anthony Nadalin) — Sun, 15 May 2005 23:44:33 UT

Since the BSP has allowed conformance to the base, one can use any token
and still claim conformance, this will sure cause interoperability issues.
I believe is you constrain to the token profiles that the BSP profiles you
should be OK as they have looked at these for interop issues. So

Re: Strength of R5001 (Use of RSA1.5)

chris...@us.ibm.com (Christopher B Ferris) — Fri, 13 May 2005 17:01:09 UT

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chris...@us.ibm.com
blog: [link]
phone: +1 508 377 9295

Anthony Nadalin/Austin/IBM@IBMUS wrote on 05/13/2005 12:19:42 PM:

(OEAP or RSA1.5) no problem
to "SHOULD" and [link].

Re: Strength of R5001 (Use of RSA1.5)

drsec...@us.ibm.com (Anthony Nadalin) — Fri, 13 May 2005 16:19:42 UT

There are 2 allowed values, if each site chooses the same algorithm (OEAP
or RSA1.5) no problem (only way to do this today is out of band), so this
should be softened to "SHOULD" and [link]
should be made the default value

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

Adding WS-SecureConversation to the Basic B2B Profile

drsec...@us.ibm.com (Anthony Nadalin) — Fri, 13 May 2005 13:02:09 UT

I think that it makes piratical sense to add WS-SecureConversation to the
Basic B2B Profile. as without it, you really can't have secure, reliable
messaging. Besides helping to tremendously increase the performance of
secure Web services, WS-SC also gives you context based (i.e. instance)

Strength of R5001 (Use of RSA1.5)

ri...@us.ibm.com (Rimas Rekasius) — Thu, 12 May 2005 20:25:11 UT

The current version of the Basic B2B Profile has the following
requirement in it constraining the choice of encryption algorithm:
R5001 When used for Key Transport, any xenc:EncryptionMethod/@Algorit hm
attribute in an ENCRYPTED_KEY MUST have a value of
"[link]".
Question: should this be softened to a SHOULD, or is MUST the right

Constraining the choice of BSP token profile

ri...@us.ibm.com — Thu, 12 May 2005 18:41:44 UT

In the early days of developing the Basic B2B Profile, we considered
whether or not to constrain the choice of BSP token profiles which can
be used while conforming to the Basic B2B Profile. If I recall
correctly, I think the thought was that since not all platforms will
support all the same token profiles, it might help interoperability if

Re: Question on R0005 - cardinality of wsa:To header

chris...@us.ibm.com (Christopher B Ferris) — Thu, 12 May 2005 15:25:29 UT

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chris...@us.ibm.com
blog: [link]
phone: +1 508 377 9295

Doug Davis/Raleigh/IBM@IBMUS wrote on 04/30/2005 07:11:10 PM:

simply "mandatory". Its
that it doesn't say that