UN/CEFACT TBG6-TBG1 Project
5 October 2006
Security for XML documents and Messages
1. Objectives
1.1 Purpose
The purpose of this document is to apply recommendations regarding security issues for UN/CEFACT XML documents and messages. This involves how and when to use signatures in the XML documents and messages. The main purpose is to give a security blanket to XML documents and messages through proper standardization, since these documents and messages are meant to be exchanged and used by various parties and systems, and their authenticity and context are of invaluable importance.
1.2 Scope
The UN/CEFACT XML Documents/Messages are envisaged to be present in various facets across several areas of application. The idea of this exercise is the following:
• Give guidelines as to when a security issue affects the file and when it does not
• The issues of the five basic aspects of security
    • Availability
    • Integrity
    • Confidentiality
    • Authentication
    • Accountability
• Assumptions and requirements of other security systems stated (infrastructure, OS etc)
• Support for standards for other security measures like DRS, backup system, archiving system
• Support for any standard XML parser, analyzer and framework support and hence a generic schema to make it usable for such cases
• Issues on serving to Web 2.0 / Ajax setups
• How to reference a signature that has been applied to a business document, including how to link back to the authorizer
• Analyze different business uses of signatures and business cases for business documents
• Give recommendations for handling issues regarding signatures when the business document changes format during the transaction
2. Deliverables
The deliverables from this project will include:
• Business Requirements Specification (BRS) to describe business requirements and their associated security needs
• A UN/CEFACT Recommendation Document listing best practices and guidelines
• A FAQ Documentation which can be used as a reference document for all other action groups
The purpose of creating these documents is to provide the information and knowledge to the applicable working groups in CEFACT to enable them to handle security concerns and to incorporate the recommendations in their respective XML Schema specifically as well as in BRS.
3. Functional Expertise of Membership
The project team is a group of experts with broad knowledge in Trade and AEC business management as well as working knowledge of security issues in IT, specifically in the Electronic Data Exchange scenario. The project team includes a cross section of representatives from industry, government, and E-Procurement software vendors. The project team also has ties with other industry associations to facilitate the content development and best practices documentation.
4. Focus
The focus of this data exchange is worldwide, across a number of industries including government functional entities (such as defense, energy, transportation, and social services), aerospace and defense, engineering and construction, oil and gas, utility (such as energy, telecom, and municipal services), scientific research and development, and information technology, and any field which proposes to use UN/CEFACT standards to exchange XML-based documents and messages.
5. Initial Contributions
The contributions submitted with this proposal include:
• Initial Presentation done on Security at the New Delhi UN/CEFACT meet on the 4th of October, 2006 in a joint session of TBG1 and TBG6 in the presence of the TBG Chair.
6. Statement of Resource Requirements
Required resources include project management/performance measurement subject matter experts as well as modeling expertise.
Project Lead: Sandipan Chattopadhyay (IN)
Editor: Peter L. Borresen (DK)
Contributors: Bernard Longhi (F), Michel Entat (F), Kevin Smith (GB), Sujeet Bhatt (IN), Mark Leitch (GB)
Auditors: TBG1 and TBG6
Security for ebXML
October 5th, 2006