Re: AS#2 Transport Protocol/Security
On Sep 21, 3:16pm, David Chia wrote:
> Subject: Re: AS#2 Transport Protocol/Security
> > We don't have disagreement. If the EDI message level provides
> > all the functionalities as desired, there is no need for the low
> > level secure channel.
>
> I disagree. The message signature verifies the owner of the EDI message.
> SSL authenticates the client/server. There is no certainty that
> the owner of the EDI message is the one operating the client or server.
> For example, in EDI-L it was revealed that many companies and some
> packages do not use sequence numbers. In such a case a signed EDI PO
> can be captured and resent to the supplier many times from any
> hosts. Without a low level secure channel the signed message can even
> be spoofed to be coming from the alleged host.
A low level authentication, such as SSL, should not and cannot be used
for a high level requirement such as verifying whether the content is
not a resend. Even with SSL verifying the source of the content, how do
you prevent a resend? High level requirements have to be addressed in
high levels.
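
A message-level replay check of the kind this exchange is about, as an added example that is not part of the original thread. It assumes HMAC with a shared key as a stand-in for the EDI message signature, strictly increasing control numbers per sender, and hypothetical names (`SENDER_KEYS`, `Receiver`, `BUYER01`).

```python
import hashlib
import hmac

# Constructed demo key; HMAC stands in for the sender's message signature.
SENDER_KEYS = {"BUYER01": b"constructed-demo-key"}


def sign(sender: str, control_no: int, body: bytes) -> bytes:
    """Sign sender id, control number and body as one unit, so the
    control number cannot be changed without breaking the signature."""
    msg = b"|".join([sender.encode(), str(control_no).encode(), body])
    return hmac.new(SENDER_KEYS[sender], msg, hashlib.sha256).digest()


class Receiver:
    """Accepts each signed control number once, whichever host delivers it."""

    def __init__(self):
        self.last_seen = {}  # sender -> highest control number accepted

    def accept(self, sender, control_no, body, signature, peer_host):
        if sender not in SENDER_KEYS:
            return "reject: unknown sender"
        expected = sign(sender, control_no, body)
        if not hmac.compare_digest(expected, signature):
            return "reject: bad signature"
        # peer_host is deliberately ignored: the transport peer says nothing
        # about whether this signed message was already processed.
        if control_no <= self.last_seen.get(sender, 0):
            return "reject: replay"
        self.last_seen[sender] = control_no
        return "accept"


if __name__ == "__main__":
    rx = Receiver()
    po = b"PO 4500 qty 10"  # constructed sample purchase order
    sig = sign("BUYER01", 1, po)
    print(rx.accept("BUYER01", 1, po, sig, "10.0.0.5"))   # first delivery
    print(rx.accept("BUYER01", 1, po, sig, "192.0.2.9"))  # captured and resent
    print(rx.accept("BUYER01", 2, po, sig, "10.0.0.5"))   # control number altered
```
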