The challenges for security were most clearly echoed by members of the business community, including representatives from Lexis-Nexis (representing the publishing industry), Boeing (representing the manufacturing industry), Niteo (representing the financial industry), and a representative from the federal government. These industry representatives discussed the actual Web services security challenges being encountered in their respective industries, including interoperability, lack of sufficiently detailed specifications, overlap and redundancy among specifications, and a high total cost of implementation. In fact, they didn't stop with security. Everyone talked about how difficult it was to get funding for new projects that don't have a very clear ROI in this tight economy. What was enlightening from these discussions was how similar their problems and requirements seemed to be. On the whole, these representatives thought that the security specifications were moving in the right direction and addressing the right problems, but that they still had a way to go before being practically applicable.
The security session continued with presenters from diverse parts of the industry talking on a dizzying array of security-related specifications. Joseph Reagle from the W3C presented on the status and design of XML Signature (http://www.w3.org/Signature/) and XML Encryption (http://www.w3.org/Encryption/2001/), both of which are key foundational technologies for most higher-level Web services security standards. Kelvin Lawrence from IBM and Chris Kaler from Microsoft presented the WS-Security specification that has recently been submitted to OASIS, including discussions of the foundational technologies for the specification: token-based authentication protocols such as X.509, Kerberos, and SAML; XML Encryption and XML Signature; and new SOAP extensions to support security, such as the Security header and the UsernameToken, SecurityTokenReference, and BinarySecurityToken elements. Prateek Mishra, from Netegrity, gave an introductory talk on SAML, the authentication and authorization technology set that the Liberty Alliance uses, as well as briefly touching on the SPML (Service Provisioning Markup Language) and XCBF (Common Biometric Format) specifications. For those of us interested in how the WS-Security specification will work with existing authentication protocols, the WS-Security Profile of the Security Assertion Markup Language (SAML), which can be found at http://www.oasis-open.org/committees/security/#documents, will prove to be an interesting read.
It's all a matter of trust
The security session saw a lively speaker from Harvard, Scott Bradner, representing the venerable Internet Engineering Task Force (IETF), who gave a refreshingly frank talk on the problems the IETF is having in coming up with good security standards. He addressed the group's reluctance to embrace the need for good security standards for Web services in the coming year or so, and the problems of distributing trusted keys, namely who could possibly distribute enough keys to make the Internet secure, and which group would be trusted enough to be such a distributor? He also addressed the fact that although the government and big companies may want better solutions for security, there is a general feeling that users don't care that much about security, especially not enough to pay for security services.
In his experience, security solutions need to be practical, and often the folks in charge of security standards tend to be idealistic. The resulting compromise is usually insufficient security. "Right now," said Bradner, "it's an exception when good security happens, not the rule." Dr. Hallam-Baker, a veteran of the security industry, while speaking on the XML Key Management Specification (XKMS), shared a poignant insight: "security is about risk control, not risk elimination." This is a great thing to keep in mind when you are developing Web services.
Know your rights
The conference saw Hal Lockhart, of Entegrity Solutions, talking about XACML (http://www.oasis-open.org/committees/xacml/) and the eXtensible rights Markup Language (XrML) (http://www.xrml.org/). Both standards deal with authorization and authentication, share many core concepts, and specify XML schemas. However, some attendees worried openly that there is too much overlap between these two standards and that they have not been thought through well enough, which may cause problems in the long run.
Full article and source: WebServices.org