Trust, Access Control, and Rights for Web Services, Part 2
Summary
Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).
This chapter augmented the chapters on WS-Security and WS-Policy by covering the rest of the WS-Security family. We presented a conceptual model of a triangle of security; this model is addressed by a set of standards that builds on what we have developed to this point in the book. The apexes of the triangle are trust, interoperability, and integration.
The WS-* security specifications for trust relationships include WS-Trust and WS-Privacy. WS-Trust has a request/response protocol utilizing <RequestSecurityToken> and <RequestSecurityTokenResponse>, which are designed to allow a Web service requestor to obtain a security token to be used in WS-Security to project trust as it requests service from a Web service provider. WS-Privacy establishes a set of policies that will be enforced on Web service endpoints when dealing with personally identifiable information about human participants.
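The <RequestSecurityToken> / <RequestSecurityTokenResponse> exchange described above, as an added example that is not from the book: a requestor builds an RST asking for a token to be issued, a stand-in security token service answers with an RSTR, and the requestor checks the response before using the token in WS-Security. It uses the OASIS WS-Trust 1.3 namespace; the token body, context value and clock are constructed placeholders.

```python
import datetime as dt
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ISSUE = WST + "/Issue"  # RequestType URI for an Issue request
SAML_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ET.register_namespace("wst", WST)
ET.register_namespace("wsu", WSU)

def build_rst(token_type: str, context: str) -> str:
    """Requestor side: an RST asking the STS to Issue a token of the given type."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken", {"Context": context})
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    return ET.tostring(rst, encoding="unicode")

def sts_issue(rst_xml: str, now: dt.datetime, ttl_s: int = 300) -> str:
    """Stand-in STS: echoes Context and TokenType, adds a Lifetime and a placeholder token."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
        raise ValueError("only Issue is handled by this stand-in")
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse",
                      {"Context": rst.get("Context", "")})
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = rst.findtext(f"{{{WST}}}TokenType")
    life = ET.SubElement(rstr, f"{{{WST}}}Lifetime")
    ET.SubElement(life, f"{{{WSU}}}Created").text = now.isoformat()
    ET.SubElement(life, f"{{{WSU}}}Expires").text = (now + dt.timedelta(seconds=ttl_s)).isoformat()
    tok = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    ET.SubElement(tok, "PlaceholderToken").text = "constructed-token"  # not a real SAML assertion
    return ET.tostring(rstr, encoding="unicode")

def accept_rstr(rstr_xml: str, expected_context: str, expected_type: str, now: dt.datetime):
    """Requestor side: bind the RSTR to our request and reject an expired token; returns the token or None."""
    rstr = ET.fromstring(rstr_xml)
    if rstr.get("Context") != expected_context:               # response must answer our request
        return None
    if rstr.findtext(f"{{{WST}}}TokenType") != expected_type:  # and carry the token type we asked for
        return None
    exp = rstr.findtext(f"{{{WST}}}Lifetime/{{{WSU}}}Expires")
    if exp is None or dt.datetime.fromisoformat(exp) <= now:   # no lifetime, or already expired
        return None
    tok = rstr.find(f"{{{WST}}}RequestedSecurityToken")
    return tok[0] if tok is not None and len(tok) else None

def run_exchange():
    """Drive the exchange on a fixed constructed clock; returns (accepted, wrong_context, expired)."""
    now = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    ctx = "urn:example:request-1"
    rstr = sts_issue(build_rst(SAML_TOKEN, ctx), now)
    return (accept_rstr(rstr, ctx, SAML_TOKEN, now) is not None,
            accept_rstr(rstr, "urn:example:other", SAML_TOKEN, now) is not None,
            accept_rstr(rstr, ctx, SAML_TOKEN, now + dt.timedelta(seconds=600)) is not None)
```

In a real deployment the RSTR would also be signed by the STS and the requestor would verify that signature before trusting the Lifetime or the token.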
The WS-* security specifications for interoperability include WS-Policy and WS-SecureConversation. WS-Policy is itself a family of related specifications, which, in addition to WS-Policy, include WS-PolicyAssertions and WS-PolicyAttachment. WS-Policy is a framework to describe and communicate the policies of a Web service. WS-PolicyAssertions describes policy assertions that can be specified within a policy. WS-PolicyAttachment specifies three specific attachment mechanisms for using policy expressions within Web services.
The WS-* security specifications for integration include WS-Federation and WS-Authorization. WS-Federation deals with the issues that arise when one entity with one trust model wants to use a Web service to communicate with a different entity that has a different trust model. One might be using Kerberos, while the other uses X.509. Understanding federation will be important both because business-to-business Web services will provide a significant source of overall business productivity improvements and because major initiatives such as Passport and Liberty Alliance are based on the concept of federated identity.
Beyond the WS-* family of specifications is a small set of vitally important Web services security specifications you need to learn and track. The XML Key Management Specification (XKMS) is one of them. It will be the way PKI is leveraged and becomes truly ubiquitous because it allows PKI to operate as a trusted Web service. XKMS specifies the X-KISS protocol for Locate and Validate operations on keys. It uses the X-KRSS protocol for registration, revocation, and recovery of keys.
The specification for XML Access Control is XACML. XACML is complicated and will probably become buried in development tools but is important because it allows fine-grained control over access to all sorts of resources from Web services.
The XML Rights Management Specification is XrML, which provides a rich digital rights management specification, written in XML, for XML content.