[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AS#2 Transport Protocol/Security
On Sep 21, 3:16pm, David Chia wrote:
> Subject: Re: AS#2 Transport Protocol/Security
> > We don't have disagreement. If the EDI message level provides
> > all the functionalities as desired, there is no need for the low
> > level secure channel.
> I disagree. The message signature verifies the owner of the EDI message.
> SSL authenticates the client/server. There is no certainty that
> the owner of the EDI message is the one operating the client or server.
> For example, in EDI-L it was revealled that many companies and some
> packages do not use sequence number. In such case a signed EDI PO
> can be captured and resent to the supplier many times from any
> hosts. Without low level secure channel the signed message can even
> be spoofed to be coming from the alledged host.
A low level authentication, such as SSL, should not and cannot be used
for a high level requirement such as varifying whether the content is
not a resent. Even with SSL varifying the source of the content, how do
you prevent a resent? High level requirements have to be addressed in