HomeSecurity Page 9 - Basic Concepts of Web Services Security
Footnotes - Security
Today we cover the basics of Web services and information security and the way Web services security builds on existing security technology. This is chapter 1 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, Sams, 2004).
SOAP used to stand for Simple Object Access Protocol, but in the W3C SOAP 1.2 specification, SOAP is now just a name and is no longer an acronym. The reason for the change is that the W3C realized that SOAP is neither especially simple, nor is it related to objects in any way.
Most authors consider the base set of Web services standards to include UDDI as well as SOAP and WSDL. UDDI stands for Universal Description, Discovery, and Integration. Advertising Web services so that systems can automatically discover them sounds like a good idea, but we don't believe it is practical for the public Internet. Instead, we view UDDI as a powerful mechanism to be used inside larger organizations to promote reuse of shared services. So, although we do view it as a useful standard, we don't view it as part of the core set of things that define Web services.
In an SOA, UDDI will have a strong, meaningful role.
Recommended text on cryptography: Applied Cryptography by Bruce Schneier (John Wiley & Sons, 1996).
5. The terms shared key, secret key, and symmetric key are used interchangeably in various texts. To be consistent in this book, we choose to use the term shared key throughout, but occasionally context requires we also use the term symmetric key.
"Almost unique" because, like door locks, there is not an absolute certainty that two keys are unique. But the chances of two keys being the same is infinitesimally small, just as is the chance that your key will happen to open a neighbor's door lock.
On the Web, for example, message integrity is not required and not possible. You request HTML documents from Web sites and assume you are getting what was sent; because the risks of a bit or a word or even the entire document having been modified is low, you don't worry about message integrity. When the message is a patient record, a purchase order, or a contract, as you expect Web services to carry, you care a lot about integrity.