XML And Web Services Security Standards

Back in the early days of Web services, security was a big deal and even making sense of all the balls up in the air was complicated.



  1. XML & Web Services Security Standards
     Simeon Simeonov, Polaris Venture Partners, November 2002
  2. Things to Worry About
     - Fast moving space
     - Evolving customer needs
       - And uncertain timing…
     - Competing standards
       - Not all will survive; many will have to change
     - Industry dynamics
       - Some business model uncertainty
       - Not clear where “platforms” end
  3. Security Requirements
     - Authentication
     - Authorization
     - Integrity
     - Non-repudiation
     - Confidentiality
     - Privacy
     - Digital Rights Management
     - Federated, interoperable, implementation agnostic…
  4. General Areas of Standardization
     - Core XML Security
     - Basic AAA
     - Web Services
     - Other
  5. Lots to Think About
     - Core XML Security
       - XML Signatures, XML Encryption
     - Basic AAA
       - XKMS, SAML, XACML
     - Web Services
       - WS-Security, WS-Trust, WS-Policy, WS-Privacy, WS-Authorization, WS-Federation, WS-SecureConversation
     - Other
       - XrML, P3P, XNS, …
  6. Core XML Security
     - XML Signatures
       - Digital signatures for integrity and non-repudiation
       - Any content (XML or not)
       - Applies to any portion(s) of XML documents
     - XML Encryption
       - Content-based encryption for confidentiality
       - Applies to any portion(s) of XML documents
       - Any algorithm
       - Symmetric or asymmetric keys
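Signing only a portion of a document, as slide 6 describes, works because the signature covers a digest of the referenced element rather than the whole file; the verifier must therefore redo both steps (check the signature over SignedInfo, then recompute each referenced digest). This added example, not from the deck, models that reference and core validation in Python with HMAC-SHA256 and the standard library's C14N; the order document, the `Id` value and the key are constructed.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample document: only the <Payment> element (Id="pay1") will be signed.
DOC = """<Order xmlns="urn:example:orders">
  <Note>free text, outside the signed portion</Note>
  <Payment Id="pay1"><Amount>100.00</Amount><Account>12345</Account></Payment>
</Order>"""

def find_by_id(root, ref_id):
    # Resolve a same-document Reference URI="#id" to the element carrying that Id (None if absent).
    return next((e for e in root.iter() if e.get("Id") == ref_id), None)

def digest_element(el):
    # Canonicalize the subtree first so the digest survives whitespace/attribute-order changes.
    el = copy.copy(el); el.tail = None
    c14n = ET.canonicalize(ET.tostring(el, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def sign(doc_xml, ref_id, key):
    # Returns (SignedInfo, SignatureValue): the digest of the referenced portion is what gets signed.
    digest = digest_element(find_by_id(ET.fromstring(doc_xml), ref_id))
    signed_info = (f'<SignedInfo xmlns="{DSIG}"><SignatureMethod Algorithm="{HMAC_SHA256}"/>'
                   f'<Reference URI="#{ref_id}"><DigestMethod Algorithm="{SHA256}"/>'
                   f'<DigestValue>{digest}</DigestValue></Reference></SignedInfo>')
    mac = hmac.new(key, ET.canonicalize(signed_info).encode(), hashlib.sha256).digest()
    return signed_info, base64.b64encode(mac).decode()

def verify(doc_xml, signed_info, signature_value, key):
    # Core validation: the signature must cover SignedInfo as received ...
    expected = hmac.new(key, ET.canonicalize(signed_info).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(signature_value)):
        return False
    # ... and reference validation: every referenced portion must still hash to its DigestValue.
    root = ET.fromstring(doc_xml)
    for ref in ET.fromstring(signed_info).iter(f"{{{DSIG}}}Reference"):
        target = find_by_id(root, ref.get("URI")[1:])          # assumes same-document URI="#id"
        if target is None or not hmac.compare_digest(
                ref.find(f"{{{DSIG}}}DigestValue").text, digest_element(target)):
            return False
    return True
```

Editing the unsigned `<Note>` leaves verification intact, while any change inside `<Payment>` or a different key fails it, which is exactly the scope a relying application must keep in mind when it decides which element it acts on.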
  7. Basic AAA
     - Key management
       - Automating key management is key
       - XKMS specifies a key management protocol
     - Authentication/Authorization
       - Many different AA mechanisms
       - SAML allows AA assertions to be made
     - Policy definition
       - Federating policies is very difficult
       - XACML provides a common rules language
  8. XKMS
     - XML Key Management Service
       - Standards-based key management protocol
       - Secure Web services binding
       - XKRSS: registration service specification
         - Bind information to a public key pair
       - XKISS: information service specification
         - Locate keys in a registry
         - Validate binding of keys
  9. SAML
     - Security Assertion Markup Language
       - Common mechanism for expressing assertions
       - Authentication: who, when, how
       - Authorization: who, what, when, how
       - Enables
         - SSO
         - Separates AA from management and policy enforcement
       - Request-response protocol
         - With SOAP binding
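The "who, when, how" of slide 9 only helps SSO if the relying service actually checks them before trusting the assertion. This added example, not from the deck, is a Python relying-party check over a constructed SAML 1.0-style assertion: it confirms the issuer is trusted, the Conditions window and audience apply, and the authentication is fresh enough, then returns the subject and method. It assumes the XML Signature over the assertion was verified first; the issuer, audience, timestamps and subject are constructed.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}

# Constructed SAML 1.0-style assertion: who (Subject), when (AuthenticationInstant), how (AuthenticationMethod).
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="0" AssertionID="_a1"
    Issuer="idp.example.test" IssueInstant="2002-11-01T10:00:00Z">
  <saml:Conditions NotBefore="2002-11-01T10:00:00Z" NotOnOrAfter="2002-11-01T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2002-11-01T09:59:58Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, audience, now_iso, trusted_issuers, max_auth_age=timedelta(minutes=10)):
    """Relying-party checks on a received assertion. Returns (subject, method) or (None, reason).
    Assumes the XML Signature over the assertion has already been verified against the issuer's key."""
    now = ts(now_iso)
    a = ET.fromstring(xml_text)
    if a.get("Issuer") not in trusted_issuers:
        return None, "untrusted issuer"
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    if not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")):
        return None, "outside validity window"          # 'when' the assertion may be relied on
    if audience not in [x.text for x in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]:
        return None, "audience mismatch"                # an assertion issued for another service
    stmt = a.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return None, "missing AuthenticationStatement"
    if now - ts(stmt.get("AuthenticationInstant")) > max_auth_age:
        return None, "authentication too old for SSO"   # 'when' the user actually authenticated
    subject = stmt.find("saml:Subject/saml:NameIdentifier", NS).text
    return subject, stmt.get("AuthenticationMethod")    # 'who' and 'how'
```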
  10. XACML
      - XML Access Control Markup Language
        - Vocabulary for expressing authorization rules
        - Rules: target(s), effect, condition(s)
          - Target: resources, subjects, actions
          - Effect: allow or deny
          - Condition: fairly flexible, dynamically evaluated
        - Allows rule aggregation + evaluation sequencing
        - Supports policies
          - Collections of rules applying to a subject
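Slide 10's rule anatomy (target, effect, condition) and its "aggregation + evaluation sequencing" are easiest to see with the same rule set run under two combining strategies. This added example, not from the deck and not XACML's XML syntax, is a small Python model of that structure: rules match a request by target, evaluate a condition, and a policy combines their decisions with either deny-overrides or first-applicable. The rule names, attributes and request values are constructed.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    name: str
    target: dict                                    # attribute -> set of matching values; {} matches everything
    effect: str                                     # "Permit" or "Deny"
    condition: Callable[[dict], bool] = lambda req: True

    def evaluate(self, req: dict) -> str:
        if any(req.get(k) not in vals for k, vals in self.target.items()):
            return "NotApplicable"                  # target (subject/resource/action) does not match
        try:
            return self.effect if self.condition(req) else "NotApplicable"
        except Exception:                           # e.g. an attribute the condition needs is missing
            return "Indeterminate"

def deny_overrides(decisions):
    # Any Deny wins; a Permit only stands if no rule was Deny or Indeterminate.
    if "Deny" in decisions: return "Deny"
    if "Indeterminate" in decisions: return "Indeterminate"
    return "Permit" if "Permit" in decisions else "NotApplicable"

def first_applicable(decisions):
    # Rule order is the sequencing: the first rule that yields a decision settles it.
    return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")

@dataclass
class Policy:                                       # a collection of rules plus a combining algorithm
    rules: list
    combining: Callable[[list], str]

    def decide(self, req: dict) -> str:
        return self.combining([r.evaluate(req) for r in self.rules])

def enforce(policy: Policy, req: dict) -> bool:
    # Enforcement-point stance: only an explicit Permit grants access; anything else is treated as deny.
    return policy.decide(req) == "Permit"

# Constructed sample rules; the third one's condition needs an "hour" attribute in the request.
RULES = [
    Rule("auditors-do-anything", {"role": {"auditor"}}, "Permit"),
    Rule("no-writes-to-ledger", {"resource": {"ledger"}, "action": {"write"}}, "Deny"),
    Rule("clerks-read-in-hours", {"role": {"clerk"}, "action": {"read"}}, "Permit",
         condition=lambda r: 9 <= r["hour"] < 17),
]
STRICT = Policy(RULES, deny_overrides)              # aggregation where a Deny always wins
ORDERED = Policy(RULES, first_applicable)           # aggregation where sequence decides
```

The same auditor writing to the ledger is denied under `STRICT` but permitted under `ORDERED`, because the "auditors-do-anything" rule comes first; the combining algorithm is as much a part of the policy as the rules are.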
  11. Web Services Security
      - WS-Security
        - XML Signature and XML Encryption for SOAP
      - WS-Policy
        - Define security capabilities for Web services endpoints and intermediaries
      - WS-Privacy
        - Privacy preference specification for Web services
      - WS-Trust
        - Enable trust domain crossing
  12. Web Services Security: More
      - WS-Authorization
        - Managing policies about Web services
      - WS-Federation
        - Federated identity and attribute management
      - WS-SecureConversation
        - Dynamically establish trust across domains
  13. Other
      - P3P
        - Privacy preferences and policy specification
        - Mechanism for using policies + preferences
      - XrML
        - A language and mechanism for expressing rights, terms of use and processing rules
        - Some overlap with XACML, unfortunately
      - XNS
        - Federated identity and trust brokering services
        - Secure exchange of identity attributes according to privacy policies and preferences
  14. Timing
      - Complete
        - XML Signature, XML Encryption, SAML, XrML, P3P
      - In process with some implementations
        - XKMS, XACML, WS-Security
      - Way off
        - Everything else
      - Furthermore, there are some standards conflicts
  15. Industry Dynamics
      - Industry leaders
        - IBM + MS lead the WS-* roadmap
      - Standards bodies
        - W3C: core XML security standards, XKMS, P3P
        - OASIS: SAML, XACML, more…
        - WS-I: watch its ability to define interop profiles
      - Other players
        - Liberty Alliance (?), OneName (XNS), XrML, …
        - Will have to work with IBM + MS + W3C/OASIS
  16. Leveraging Standards
      - Determine key customer use cases
      - Define own responsibilities
        - What standards do they map to?
        - Can some capabilities, e.g., document signing or SSO, be exposed as value-add Web services?
      - Define interoperability requirements
        - What standards govern these?
        - Who are the champions to partner with?
      - Beware of standards flux