XML and Web Services Security Standards

Description: Back in the early days of Web services, security was a big deal and even making sense of all the balls up in the air was complicated.

XML & Web Services Security Standards

Simeon Simeonov
Polaris Venture Partners
November 2002

Things to Worry About

► Fast moving space
► Evolving customer needs
  And uncertain timing…
► Competing standards
  Not all will survive; many will have to change
► Industry dynamics
  Some business model uncertainty
  Not clear where “platforms” end

Security Requirements

► Authentication
► Authorization
► Integrity
► Non-repudiation
► Confidentiality
► Privacy
► Digital Rights Management

Federated, interoperable, implementation agnostic…

General Areas of Standardization

► Core XML Security
► Basic AAA
► Web Services
► Other

Lots to Think About

► Core XML Security
  XML Signatures, XML Encryption
► Basic AAA
  XKMS, SAML, XACML
► Web Services
  WS-Security, WS-Trust, WS-Policy, WS-Privacy, WS-Authorization, WS-Federation, WS-SecureConversation
► Other
  XrML, P3P, XNS, …

Core XML Security

► XML Signatures
  Digital signatures for integrity and non-repudiation
  Any content (XML or not)
  Applies to any portion(s) of XML documents
► XML Encryption
  Content-based encryption for confidentiality
  Applies to any portion(s) of XML documents
  Any algorithm
  Symmetric or asymmetric keys

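The slide's point that an XML Signature can cover any portion of a document is easiest to see with a working sign/verify pair. The following is an added example, not code from the slides or from any XML Signature library: it signs only the element referenced by Id, leaves the rest of the document unsigned, and shows why canonicalization (here C14N 2.0 via the standard library) is part of the digest step. It uses HMAC-SHA256 in place of a public-key signature to stay within the Python standard library, and the element names only loosely follow XMLDSig (no namespaces, no CanonicalizationMethod, SignatureMethod or KeyInfo elements). The sample document and the shared secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample document (not from the slides). Only <Order> (Id="order-1")
# is signed; <Comment> deliberately stays outside the signed portion.
SAMPLE_XML = """<Envelope>
  <Order Id="order-1">
    <Item sku="A-100" qty="2"/>
    <Total currency="USD">49.90</Total>
  </Order>
  <Comment>free text outside the signed portion</Comment>
</Envelope>"""

# Hypothetical shared secret. XML Signature also supports public-key algorithms;
# HMAC-SHA256 is used here only so the example needs no third-party crypto.
SECRET_KEY = b"demo-secret-not-for-production"


def canonical(elem: ET.Element) -> bytes:
    """Canonical (C14N 2.0) serialization of one subtree. Canonicalization is what
    keeps the digest stable across whitespace and attribute-order differences."""
    raw = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(xml_data=raw, strip_text=True).encode("utf-8")


def digest_of(doc: ET.Element, element_id: str) -> str:
    """Base64 SHA-256 digest of the element carrying the given Id attribute."""
    target = doc.find(f".//*[@Id='{element_id}']")
    if target is None:
        raise ValueError(f"no element with Id={element_id!r}")
    return base64.b64encode(hashlib.sha256(canonical(target)).digest()).decode("ascii")


def sign(doc_xml: str, element_id: str, key: bytes) -> str:
    """Append a <Signature> whose <SignedInfo> references one element by Id.
    The MAC covers SignedInfo, which in turn carries the element's digest."""
    doc = ET.fromstring(doc_xml)
    signed_info = ET.Element("SignedInfo")
    ref = ET.SubElement(signed_info, "Reference", URI=f"#{element_id}")
    ET.SubElement(ref, "DigestValue").text = digest_of(doc, element_id)

    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    sig = ET.SubElement(doc, "Signature")
    sig.append(signed_info)
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(doc, encoding="unicode")


def verify(signed_xml: str, key: bytes) -> bool:
    """Two checks, both required: the MAC over SignedInfo must be valid, and every
    referenced element must still hash to the digest recorded in SignedInfo."""
    doc = ET.fromstring(signed_xml)
    sig = doc.find("Signature")
    signed_info = sig.find("SignedInfo") if sig is not None else None
    if signed_info is None:
        return False
    expected = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    presented = base64.b64decode(sig.findtext("SignatureValue", default=""))
    if not hmac.compare_digest(expected, presented):
        return False
    for ref in signed_info.findall("Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False          # only same-document references are handled here
        try:
            if ref.findtext("DigestValue") != digest_of(doc, uri[1:]):
                return False
        except ValueError:
            return False          # the referenced element was removed
    return True


if __name__ == "__main__":
    signed = sign(SAMPLE_XML, "order-1", SECRET_KEY)
    print("intact:", verify(signed, SECRET_KEY))
    print("order tampered:", verify(signed.replace('qty="2"', 'qty="20"'), SECRET_KEY))
    print("unsigned comment edited:", verify(signed.replace("free text", "edited"), SECRET_KEY))
```

The second check in `verify` is the one implementations most often get wrong: a valid MAC over SignedInfo proves only that SignedInfo is untouched, so each Reference digest must be recomputed against the current document, and a Reference pointing at an element that no longer exists must fail rather than be skipped.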
Basic AAA

► Key management
  Automating key management is key
  XKMS specifies a key management protocol
► Authentication/Authorization
  Many different AA mechanisms
  SAML allows AA assertions to be made
► Policy definition
  Federating policies is very difficult
  XACML provides a common rules language

XKMS

► XML Key Management Service
  Standards-based key management protocol
  Secure Web services binding
  XKRSS: registration service specification
    ► Bind information to a public key pair
  XKISS: information service specification
    ► Locate keys in a registry
    ► Validate binding of keys

SAML

► Security Assertion Markup Language
  Common mechanism for expressing assertions
  Authentication: who, when, how
  Authorization: who, what, when, how
  Enables
    ► SSO
    ► Separates AA from management and policy enforcement
  Request-response protocol
    ► With SOAP binding

XACML

► XML Access Control Markup Language
  Vocabulary for expressing authorization rules
  Rules: target(s), effect, condition(s)
    ► Target: resources, subjects, actions
    ► Effect: allow or deny
    ► Condition: fairly flexible, dynamically evaluated
  Allows rule aggregation + evaluation sequencing
  Supports policies
    ► Collections of rules applying to a subject

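The rule model on the XACML slide (target, effect, condition, then aggregation and sequencing of rules into a policy) is small enough to run. The following is an added example, not code from the slides and not an XACML implementation: it models rules in plain Python rather than XACML's XML vocabulary, and implements two combining algorithms, deny-overrides (aggregation) and first-applicable (sequencing), so the effect of rule order can be seen on the same rule set. The sample policy, subjects, resources and the business-hours condition are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Decision values, named as in XACML.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    """One rule: a target (resources, subjects, actions it applies to), an effect
    (Permit or Deny) and an optional condition evaluated against the request.
    A target set of None means 'any'."""
    rule_id: str
    effect: str
    resources: Optional[frozenset] = None
    subjects: Optional[frozenset] = None
    actions: Optional[frozenset] = None
    condition: Optional[Callable[[dict], bool]] = None

    def evaluate(self, request: dict) -> str:
        for key, allowed in (("resource", self.resources),
                             ("subject", self.subjects),
                             ("action", self.actions)):
            if allowed is not None and request.get(key) not in allowed:
                return NOT_APPLICABLE      # target does not match this request
        if self.condition is not None and not self.condition(request):
            return NOT_APPLICABLE          # condition false: rule does not apply
        return self.effect


def deny_overrides(decisions: Iterable[str]) -> str:
    """Aggregation: any Deny wins; otherwise Permit if any rule permitted."""
    result = NOT_APPLICABLE
    for decision in decisions:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            result = PERMIT
    return result


def first_applicable(decisions: Iterable[str]) -> str:
    """Sequencing: the first rule (in policy order) that applies decides."""
    for decision in decisions:
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE


@dataclass
class Policy:
    """A collection of rules plus the algorithm that combines their decisions."""
    policy_id: str
    rules: list
    combine: Callable[[Iterable[str]], str]

    def evaluate(self, request: dict) -> str:
        return self.combine(rule.evaluate(request) for rule in self.rules)


def business_hours(request: dict) -> bool:
    """Constructed condition: the request carries the hour of day it was made."""
    return 9 <= request.get("hour", 0) < 18


# Constructed rule set (hypothetical): clinicians may read and write patient
# records, writes outside business hours are denied, auditors may read anything.
# The permit rule is listed before the deny rule on purpose, so that the two
# combining algorithms give different answers for an after-hours write.
RULES = [
    Rule("clinician-access", PERMIT,
         resources=frozenset({"patient-record"}),
         subjects=frozenset({"clinician"}),
         actions=frozenset({"read", "write"})),
    Rule("deny-after-hours-write", DENY,
         actions=frozenset({"write"}),
         condition=lambda request: not business_hours(request)),
    Rule("auditor-read", PERMIT,
         subjects=frozenset({"auditor"}),
         actions=frozenset({"read"})),
]


def decide(subject: str, resource: str, action: str, hour: int,
           combine: Callable[[Iterable[str]], str] = deny_overrides) -> str:
    """Evaluate one access request against RULES with the chosen combining algorithm."""
    policy = Policy("patient-records", RULES, combine)
    return policy.evaluate({"subject": subject, "resource": resource,
                            "action": action, "hour": hour})


if __name__ == "__main__":
    print(decide("clinician", "patient-record", "write", 22))                   # Deny
    print(decide("clinician", "patient-record", "write", 22, first_applicable))  # Permit
```

The last two calls are the slide's "aggregation + evaluation sequencing" point in one line each: with deny-overrides the after-hours deny rule wins wherever it sits, while with first-applicable the earlier permit rule short-circuits evaluation, so reordering rules silently changes the outcome.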
Web Services Security

► WS-Security
  XML Signature and XML Encryption for SOAP
► WS-Policy
  Define security capabilities for Web services endpoints and intermediaries
► WS-Privacy
  Privacy preference specification for Web services
► WS-Trust
  Enable trust domain crossing

Web Services Security: More

► WS-Authorization
  Managing policies about Web services
► WS-Federation
  Federated identity and attribute management
► WS-SecureConversation
  Dynamically establish trust across domains

Other

► P3P
  Privacy preferences and policy specification
  Mechanism for using policies + preferences
► XrML
  A language and mechanism for expressing rights, terms of use and processing rules
  Some overlap with XACML, unfortunately
► XNS
  Federated identity and trust brokering services
  Secure exchange of identity attributes according to privacy policies and preferences

Timing

► Complete
  XML Signature, XML Encryption, SAML, XrML, P3P
► In process w/ some implementations
  XKMS, XACML, WS-Security
► Way off
  Everything else

Furthermore, there are some standards conflicts

Industry Dynamics

► Industry leaders
  IBM + MS lead the WS-* roadmap
► Standards bodies
  W3C: core XML security standards, XKMS, P3P
  OASIS: SAML, XACML, more…
  WS-I: watch its ability to define interop profiles
► Other players
  Liberty Alliance (?), OneName (XNS), XrML, …
  Will have to work with IBM + MS + W3C/OASIS

Leveraging Standards

► Determine key customer use cases
► Define own responsibilities
  What standards do they map to?
  Can some capabilities, e.g., document signing or SSO, be exposed as value-add Web services?
► Define interoperability requirements
  What standards govern these?
  Who are the champions to partner with?
► Beware of standards flux
