W3C
Web Services Architecture
Security Discussion
Kick-Off
|
|
|
Abbie Barbir, Ph.D. |
|
abbieb@nortelnetworks.com |
|
Nortel Networks |
|
Agenda
|
|
|
Web Services Security Requirements |
|
Brief Review of Web Services Security
Work |
|
Discussion |
|
Next Steps |
|
Web Services Security Requirements
|
Web Services in a Nutshell
|
TLS/SSL Protocol
|
Web Services Security Resources
|
|
|
|
|
|
Security Assertion Markup Language
(SAML) |
|
An XML based framework for exchanging
security information |
|
Enables disparate security services
systems to interoperate |
|
A set of specifications that define its
components: |
|
Assertions and request/response
protocols |
|
An assertion is a declaration of fact
about a subject |
|
user , based on an assertion issuer |
|
SAML has three kinds, all related to
security: |
|
Authentication ; Attribute ;
Authorization decision |
|
Assertions can be digitally signed |
|
SAML: Single Sign On (SSO)
|
Web Services Security Resources
|
|
|
|
XML Key Management Specification
(XKMS) |
|
Integrating PKI with Web Services |
|
Shield applications from the complexity
of PKI |
|
Delegate details of digital certificate
processing to a separate Web service. |
|
Protocols for distributing and
registering public keys |
|
XML Key Information Service
Specification (X-KISS) |
|
Application delegates, to a service, the
processing of Key Information associated with an XML signature, XML
encryption, or other public key |
|
XML Key Registration Service
Specification (X-KRSS) |
|
Protocol for registration of a key pair
by a key pair holder, with the intent that the key pair
subsequently is usable in conjunction with X-KISS. |
|
Web Services Security Resources
|
|
|
|
|
XACML: Communicating Policy
Information |
|
XML Access Control Markup Language
(XACML) |
|
Closely related to SAML |
|
How policy information related to access
control is expressed and transferred |
|
Rules that defines what Web services can
exercise or what it can access |
|
Privileges for which XML documents |
|
For example, a healthcare provider can
specify which portions of a patient's Medical record could be
exposed to appropriate parties |
|
Web Services Security Resources
|
|
|
Message Integrity and
Confidentiality |
|
XML-Signature / XML-Encryption |
|
Provide mechanisms for handling whole or
partial documents |
|
Address varying requirements for access
authority, confidentiality and data integrity within one
document |
|
Need XML Canonical Form |
|
Some thoughts about SOAP
|
|
|
|
|
|
SOAP is an intrinsically complex
specification |
|
SOAP can easily pass through
firewalls |
|
Moves security issues and protocol
developments into the hands of the software developers |
|
May not have the proper training or
background |
|
Firewalls may need to do XML parsing to
recognize SOAP |
|
Cannot easily do pattern
recognition |
|
Example, various ways of encoding binary
data |
|
Any method could be a read method or a
write method |
|
Harder to track actions or do action
filtering |
|
In Web Services a single URI can be a
SOAP endpoint that is used for many resources |
|
Slide 12
|
"Discussion"
|