XML & Web Services Security Standards Simeon Simeonov Polaris Venture Partners November, 2002

Things to Worry About Fast moving space Evolving customer needs And uncertain timing… Competing standards Not all will survive; many will have to change Industry dynamics Some business model uncertainty Not clear where “platforms” end

Fast moving space

Evolving customer needs

And uncertain timing…

Competing standards

Not all will survive; many will have to change

Industry dynamics

Some business model uncertainty

Not clear where “platforms” end

Security Requirements Authentication Authorization Integrity Non-repudiation Confidentiality Privacy Digital Rights Management Federated, interoperable, implementation agnostic…

Authentication

Authorization

Integrity

Non-repudiation

Confidentiality

Privacy

Digital Rights Management

Federated, interoperable, implementation agnostic…

General Areas of Standardization Core XML Security Basic AAA Web Services Other

Core XML Security

Basic AAA

Web Services

Other

Lots to Think About Core XML Security XML Signatures, XML Encryption Basic AAA XKMS, SAML, XACML Web Services WS-Security, WS-Trust, WS-Policy, WS-Trust, WS-Privacy, WS-Authorization, WS-Federation, WS-SecureConversation Other XrML, P3P, XNS, …

Core XML Security

XML Signatures, XML Encryption

Basic AAA

XKMS, SAML, XACML

Web Services

WS-Security, WS-Trust, WS-Policy, WS-Trust, WS-Privacy, WS-Authorization, WS-Federation, WS-SecureConversation

Other

XrML, P3P, XNS, …

Core XML Security XML Signatures Dig sigs for integrity and non-repudiation Any content (XML or not) Applies to any portion(s) of XML documents XML Encryption Content-based encryption for confidentiality Applies to any portion(s) of XML documents Any algorithm Symmetric or asymmetric keys

XML Signatures

Dig sigs for integrity and non-repudiation

Any content (XML or not)

Applies to any portion(s) of XML documents

XML Encryption

Content-based encryption for confidentiality

Applies to any portion(s) of XML documents

Any algorithm

Symmetric or asymmetric keys

Basic AAA Key management Automating key management is key XKMS specifies a key management protocol Authentication/Authorization Many different AA mechanisms SAML allows AA assertions to be made Policy definition Federating policies is very difficult XACML provides a common rules language

Key management

Automating key management is key

XKMS specifies a key management protocol

Authentication/Authorization

Many different AA mechanisms

SAML allows AA assertions to be made

Policy definition

Federating policies is very difficult

XACML provides a common rules language

XKMS XML Key Management Service Standards-based key management protocol Secure Web services binding XKRSS: registration service specification Bind information to a public key pair XKISS: information service specification Locate keys in a registry Validate binding of keys

XML Key Management Service

Standards-based key management protocol

Secure Web services binding

XKRSS: registration service specification

Bind information to a public key pair

XKISS: information service specification

Locate keys in a registry

Validate binding of keys

SAML Security Assertion Markup Language Common mechanism for expressing assertions Authentication: who, when, how Authorization: who, what, when, how Enables SSO Separates AA from management and policy enforcement Request-response protocol With SOAP binding

Security Assertion Markup Language

Common mechanism for expressing assertions

Authentication: who, when, how

Authorization: who, what, when, how

Enables

SSO

Separates AA from management and policy enforcement

Request-response protocol

With SOAP binding

XACML XML Access Control Markup Language Vocabulary for expressing authorization rules Rules: target(s), effect, condition(s) Target: resources, subjects, actions Effect: allow or deny Condition: fairly flexible, dynamically evaluated Allows rule aggregation + evaluation sequencing Supports policies Collections of rules applying to a subject

XML Access Control Markup Language

Vocabulary for expressing authorization rules

Rules: target(s), effect, condition(s)

Target: resources, subjects, actions

Effect: allow or deny

Condition: fairly flexible, dynamically evaluated

Allows rule aggregation + evaluation sequencing

Supports policies

Collections of rules applying to a subject

Web Services Security WS-Security XML Signature and XML Encryption for SOAP WS-Policy Define security capabilities for Web services endpoints and intermediaries WS-Privacy Privacy preference specification for Web services WS-Trust Enable trust domain crossing

WS-Security

XML Signature and XML Encryption for SOAP

WS-Policy

Define security capabilities for Web services endpoints and intermediaries

WS-Privacy

Privacy preference specification for Web services

WS-Trust

Enable trust domain crossing

Web Services Security: More WS-Authorization Managing policies about Web services WS-Federation Federated identity and attribute management WS-SecureConversation Dynamically establish trust across domains

WS-Authorization

Managing policies about Web services

WS-Federation

Federated identity and attribute management

WS-SecureConversation

Dynamically establish trust across domains

Other P3P Privacy preferences and policy specification Mechanism for using policies + preferences XrML A language and mechanism for expressing rights, terms of use and processing rules Some overlap with XACML, unfortunately XNS Federated identity and trust brokering services Secure exchange of identity attributes according to privacy policies and preferences

P3P

Privacy preferences and policy specification

Mechanism for using policies + preferences

XrML

A language and mechanism for expressing rights, terms of use and processing rules

Some overlap with XACML, unfortunately

XNS

Federated identity and trust brokering services

Secure exchange of identity attributes according to privacy policies and preferences

Timing Complete XML Signature, XML Encryption, SAML, XrML, P3P In process w/ some implementations XKMS, XACML, WS-Security Way off Everything else Furthermore, there are some standards conflicts

Complete

XML Signature, XML Encryption, SAML, XrML, P3P

In process w/ some implementations

XKMS, XACML, WS-Security

Way off

Everything else

Furthermore, there are some standards conflicts

Industry Dynamics Industry leaders IBM + MS lead the WS-* roadmap Standards bodies W3C: core XML security standards, XKMS, P3P OASIS: SAML, XACML, more… WS-I: watch its ability to define interop profiles Other players Liberty Alliance (?), OneName (XNS), XrML, … Will have to work with IBM + MS + W3C/OASIS

Industry leaders

IBM + MS lead the WS-* roadmap

Standards bodies

W3C: core XML security standards, XKMS, P3P

OASIS: SAML, XACML, more…

WS-I: watch its ability to define interop profiles

Other players

Liberty Alliance (?), OneName (XNS), XrML, …

Will have to work with IBM + MS + W3C/OASIS

Leveraging Standards Determine key customer use cases Define own responsibilities What standards do they map to? Can some capabilities, e.g., document signing or SSO, be exposed as value-add Web services? Define interoperability requirements What standards govern these? Who are the champions to partner with? Beware of standards flux

Determine key customer use cases

Define own responsibilities

What standards do they map to?

Can some capabilities, e.g., document signing or SSO, be exposed as value-add Web services?

Define interoperability requirements

What standards govern these?

Who are the champions to partner with?

Beware of standards flux