XML And Web Services Security Standards

Back in the early days of Web services, security was a big deal and even making sense of all the balls up in the air was complicated.
Transcript

  • 1. XML & Web Services Security Standards. Simeon Simeonov, Polaris Venture Partners, November 2002
  • 2. Things to Worry About
    - Fast moving space
    - Evolving customer needs
      - And uncertain timing...
    - Competing standards
      - Not all will survive; many will have to change
    - Industry dynamics
      - Some business model uncertainty
      - Not clear where "platforms" end
  • 3. Security Requirements
    - Authentication
    - Authorization
    - Integrity
    - Non-repudiation
    - Confidentiality
    - Privacy
    - Digital Rights Management
    - Federated, interoperable, implementation agnostic...
  • 4. General Areas of Standardization
    - Core XML Security
    - Basic AAA
    - Web Services
    - Other
  • 5. Lots to Think About
    - Core XML Security
      - XML Signatures, XML Encryption
    - Basic AAA
      - XKMS, SAML, XACML
    - Web Services
      - WS-Security, WS-Trust, WS-Policy, WS-Privacy, WS-Authorization, WS-Federation, WS-SecureConversation
    - Other
      - XrML, P3P, XNS, ...
  • 6. Core XML Security
    - XML Signatures
      - Digital signatures for integrity and non-repudiation
      - Any content (XML or not)
      - Applies to any portion(s) of XML documents
    - XML Encryption
      - Content-based encryption for confidentiality
      - Applies to any portion(s) of XML documents
      - Any algorithm
      - Symmetric or asymmetric keys
  • 7. Basic AAA
    - Key management
      - Automating key management is key
      - XKMS specifies a key management protocol
    - Authentication/Authorization
      - Many different AA mechanisms
      - SAML allows AA assertions to be made
    - Policy definition
      - Federating policies is very difficult
      - XACML provides a common rules language
  • 8. XKMS
    - XML Key Management Specification
      - Standards-based key management protocol
      - Secure Web services binding
      - XKRSS: XML Key Registration Service Specification
        - Bind information to a public key pair
      - XKISS: XML Key Information Service Specification
        - Locate keys in a registry
        - Validate binding of keys
  • 9. SAML
    - Security Assertion Markup Language
      - Common mechanism for expressing assertions
      - Authentication: who, when, how
      - Authorization: who, what, when, how
      - Enables
        - SSO
        - Separating AA from management and policy enforcement
      - Request-response protocol
        - With SOAP binding
  • 10. XACML
    - eXtensible Access Control Markup Language
      - Vocabulary for expressing authorization rules
      - Rules: target(s), effect, condition(s)
        - Target: resources, subjects, actions
        - Effect: permit or deny
        - Condition: fairly flexible, dynamically evaluated
      - Allows rule aggregation + evaluation sequencing (rule-combining algorithms)
      - Supports policies
        - Collections of rules sharing a target, combined by a rule-combining algorithm
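The rule model on this slide (target, effect, condition, plus a combining algorithm that decides how rules are aggregated and sequenced), as an added example that is not part of the deck and not an XACML implementation. The flat attribute map, the policy and request values, and the handling of Indeterminate as Deny are assumptions made for the illustration; real XACML groups attributes into Subject/Resource/Action/Environment elements and defines several more combining algorithms.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Simplification: a request is a flat attribute map keyed "subject.*", "resource.*",
# "action", "env.*" instead of XACML's Subject/Resource/Action/Environment elements.
Request = Dict[str, object]


@dataclass
class Rule:
    rule_id: str
    effect: str                                        # PERMIT or DENY
    target: Dict[str, Set[object]] = field(default_factory=dict)
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        # Target: every listed attribute must hold one of its allowed values,
        # otherwise the rule simply does not apply to this request.
        for attr, allowed in self.target.items():
            if req.get(attr) not in allowed:
                return NOT_APPLICABLE
        # Condition: evaluated dynamically against the request. A failure
        # (e.g. a missing attribute) is Indeterminate, never a silent Permit.
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except Exception:
            return INDETERMINATE


def deny_overrides(decisions: List[str]) -> str:
    """Any Deny wins. Simplification: Indeterminate is treated as Deny (fail closed)."""
    if DENY in decisions or INDETERMINATE in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


def first_applicable(decisions: List[str]) -> str:
    """Rule order matters: the first rule that applies decides."""
    return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    combine: Callable[[List[str]], str] = deny_overrides

    def evaluate(self, req: Request) -> str:
        return self.combine([rule.evaluate(req) for rule in self.rules])


def pep_allows(policy: Policy, req: Request) -> bool:
    """Policy Enforcement Point: only an explicit Permit opens the door;
    NotApplicable and Indeterminate are refused."""
    return policy.evaluate(req) == PERMIT


def sample_policy(combine=deny_overrides) -> Policy:
    # Constructed policy for a toy bank (assumption, not from the deck).
    return Policy("bank-accounts", combine=combine, rules=[
        Rule("teller-business-hours", PERMIT,
             target={"subject.role": {"teller"}, "action": {"read", "withdraw"}},
             condition=lambda r: 9 <= r["env.hour"] < 17),
        Rule("owner-reads-own-account", PERMIT,
             target={"resource.type": {"account"}, "action": {"read"}},
             condition=lambda r: r["subject.id"] == r["resource.owner"]),
        Rule("frozen-account", DENY,
             target={"resource.frozen": {True}}),
    ])


# Constructed sample requests.
ALICE_READS_OWN = {"subject.id": "alice", "subject.role": "customer", "resource.type": "account",
                   "resource.owner": "alice", "resource.frozen": False, "action": "read", "env.hour": 14}
BOB_WITHDRAWS_AT_NIGHT = {"subject.id": "bob", "subject.role": "teller", "resource.type": "account",
                          "resource.owner": "carol", "resource.frozen": False, "action": "withdraw", "env.hour": 20}
BOB_READS_FROZEN = {"subject.id": "bob", "subject.role": "teller", "resource.type": "account",
                    "resource.owner": "carol", "resource.frozen": True, "action": "read", "env.hour": 14}

if __name__ == "__main__":
    for name, req in (("alice/own", ALICE_READS_OWN), ("bob/night", BOB_WITHDRAWS_AT_NIGHT),
                      ("bob/frozen", BOB_READS_FROZEN)):
        print(name, sample_policy().evaluate(req), sample_policy(first_applicable).evaluate(req))
```

The third request is the one worth studying: under deny-overrides the frozen-account rule wins, under first-applicable the earlier teller rule wins, so the same rule set yields opposite answers depending on the combining algorithm and rule order. The PEP treats anything other than Permit as a refusal, which is the fail-closed behaviour to insist on when a policy does not cover a request.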
  • 11. Web Services Security
    - WS-Security
      - XML Signature and XML Encryption for SOAP
    - WS-Policy
      - Define security capabilities for Web services endpoints and intermediaries
    - WS-Privacy
      - Privacy preference specification for Web services
    - WS-Trust
      - Enable trust domain crossing
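How XML Signature (slide 6) is layered onto SOAP by WS-Security (slide 11): the Body is referenced by a wsu:Id, its digest goes into ds:SignedInfo, and the ds:Signature over that lives in a wsse:Security header. This is an added Python example, not code from the deck or from any WS-Security toolkit. It uses HMAC-SHA256, one of the SignatureMethods XML Signature defines, so it needs only the standard library; the namespaces are the later OASIS WS-Security 1.0 ones, the sample envelope is constructed, and the c14n helper is a simplification (it canonicalizes the subtree on its own rather than with its ancestors' namespace declarations, which is enough for signer and verifier to agree but is not a conformant inclusive C14N of the node set).

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Algorithm identifiers defined by XML Signature / XML Encryption.
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

for prefix, uri in (("soap", SOAP_NS), ("ds", DS_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)


def ns(uri, local):
    return "{%s}%s" % (uri, local)


def c14n(elem):
    """Canonical XML of one subtree (simplified: only the namespaces the subtree itself uses)."""
    node = copy.deepcopy(elem)
    node.tail = None
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode("utf-8")


def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def sign_body(envelope_xml, key, body_id="Body-1"):
    """Sign the element carrying wsu:Id=body_id and place the ds:Signature in wsse:Security."""
    root = ET.fromstring(envelope_xml)
    body = next(e for e in root.iter() if e.get(ns(WSU_NS, "Id")) == body_id)

    signed_info = ET.Element(ns(DS_NS, "SignedInfo"))
    ET.SubElement(signed_info, ns(DS_NS, "CanonicalizationMethod"), Algorithm=C14N)
    ET.SubElement(signed_info, ns(DS_NS, "SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(signed_info, ns(DS_NS, "Reference"), URI="#" + body_id)
    ET.SubElement(ref, ns(DS_NS, "DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, ns(DS_NS, "DigestValue")).text = digest_b64(c14n(body))

    # The signature covers canonical SignedInfo, which in turn carries the Body digest.
    sig_value = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()

    header = root.find(ns(SOAP_NS, "Header"))
    if header is None:
        header = ET.Element(ns(SOAP_NS, "Header"))
        root.insert(0, header)
    security = ET.SubElement(header, ns(WSSE_NS, "Security"))
    signature = ET.SubElement(security, ns(DS_NS, "Signature"))
    signature.append(signed_info)
    ET.SubElement(signature, ns(DS_NS, "SignatureValue")).text = base64.b64encode(sig_value).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def verify_body(envelope_xml, key, body_id="Body-1"):
    root = ET.fromstring(envelope_xml)
    sig = root.find("/".join((ns(SOAP_NS, "Header"), ns(WSSE_NS, "Security"), ns(DS_NS, "Signature"))))
    if sig is None:
        return False
    signed_info = sig.find(ns(DS_NS, "SignedInfo"))
    sig_value = base64.b64decode(sig.findtext(ns(DS_NS, "SignatureValue"), ""))
    # 1. The signature over SignedInfo must verify (constant-time comparison).
    expected = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_value):
        return False
    # 2. The reference must name the element the application will act on, and that
    #    element must be the real soap:Body. Resolving the Id anywhere in the document
    #    would let a relocated signed copy vouch for an unsigned Body.
    ref = signed_info.find(ns(DS_NS, "Reference"))
    body = root.find(ns(SOAP_NS, "Body"))
    if ref is None or ref.get("URI") != "#" + body_id:
        return False
    if body is None or body.get(ns(WSU_NS, "Id")) != body_id:
        return False
    # 3. Recompute the digest over the element actually found, not over the Id lookup.
    return hmac.compare_digest(digest_b64(c14n(body)), ref.findtext(ns(DS_NS, "DigestValue"), ""))


# Constructed sample message (not from the deck).
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header/>
  <soap:Body wsu:Id="Body-1"><transfer><to>acct-42</to><amount>100</amount></transfer></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    key = b"shared-secret"
    signed = sign_body(SAMPLE_ENVELOPE, key)
    print(signed)
    print("valid:", verify_body(signed, key))
    print("tampered:", verify_body(signed.replace("<amount>100</amount>", "<amount>9999</amount>"), key))
```

The verifier's second step is the one that toolkits have historically got wrong: XML Signature only proves that some element with the referenced Id was signed, so the consumer has to confirm that the element it dispatches on is that element, rather than looking the Id up anywhere in the message. With a public-key SignatureMethod the same structure applies, with the HMAC replaced by an RSA or DSA signature and a ds:KeyInfo telling the verifier which key to use.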
  • 12. Web Services Security: More
    - WS-Authorization
      - Managing authorization policies about Web services
    - WS-Federation
      - Federated identity and attribute management
    - WS-SecureConversation
      - Establish a security context and derive session keys across a series of messages, instead of authenticating each message on its own
  • 13. Other
    - P3P
      - Privacy preferences and policy specification
      - Mechanism for using policies + preferences
    - XrML
      - A language and mechanism for expressing rights, terms of use and processing rules
      - Some overlap with XACML, unfortunately
    - XNS
      - Federated identity and trust brokering services
      - Secure exchange of identity attributes according to privacy policies and preferences
  • 14. Timing
    - Complete
      - XML Signature, XML Encryption, SAML, XrML, P3P
    - In process, with some implementations
      - XKMS, XACML, WS-Security
    - Way off
      - Everything else
    - Furthermore, there are some standards conflicts
  • 15. Industry Dynamics
    - Industry leaders
      - IBM + MS lead the WS-* roadmap
    - Standards bodies
      - W3C: core XML security standards, XKMS, P3P
      - OASIS: SAML, XACML, more...
      - WS-I: watch its ability to define interop profiles
    - Other players
      - Liberty Alliance (?), OneName (XNS), XrML, ...
      - Will have to work with IBM + MS + W3C/OASIS
  • 16. Leveraging Standards
    - Determine key customer use cases
    - Define own responsibilities
      - What standards do they map to?
      - Can some capabilities, e.g., document signing or SSO, be exposed as value-add Web services?
    - Define interoperability requirements
      - What standards govern these?
      - Who are the champions to partner with?
    - Beware of standards flux