
Summary

Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

  1. Trust, Access Control, and Rights for Web Services, Part 2
  2. The XKMS Services
  3. X-KRSS
  4. eXtensible Access Control Markup Language (XACML) Specification
  5. The XACML Data Model
  6. XACML Policy Example
  7. eXtensible Rights Markup Language (XrML) Management Specification
  8. XrML Use Case Example
  9. Summary
By: Sams Publishing
October 12, 2004

This chapter augmented the chapters on WS-Security and WS-Policy by covering the rest of the WS-Security family. We presented a conceptual model of a triangle of security; this model is addressed by a set of standards that builds on what we have developed to this point in the book. The apexes of the triangle are trust, interoperability, and integration.

The WS-* security specifications for trust relationships include WS-Trust and WS-Privacy. WS-Trust has a request/response protocol utilizing <RequestSecurityToken> and <RequestSecurityTokenResponse>, which are designed to allow a Web service requestor to obtain a security token to be used in WS-Security to project trust as it requests service from a Web service provider. WS-Privacy establishes a set of policies that will be enforced on Web service endpoints when dealing with personally identifiable information about human participants.
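The RST/RSTR exchange just described, as an added example that is not from the book: the requestor side builds the request and vets the response before carrying the issued token into WS-Security. It assumes the WS-Trust 1.3 and WS-Addressing 1.0 namespaces (later than the 2004 drafts the chapter covers) and a constructed, inline STS reply.

```python
# Added example (not from the book): a requestor builds a WS-Trust RequestSecurityToken (RST)
# and vets the RequestSecurityTokenResponse (RSTR) before using the issued token in WS-Security.
# Namespaces are WS-Trust 1.3 / WS-Addressing 1.0, later than the 2004 drafts the chapter covers.
from datetime import datetime
import xml.etree.ElementTree as ET
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

def build_rst(token_type: str, applies_to: str) -> bytes:
    """Requestor -> STS: ask for a token of one type, scoped to one provider endpoint."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/Issue"
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return ET.tostring(rst)

def parse_ts(ts: str) -> datetime:
    """wsu timestamps are UTC with a trailing Z; normalise for fromisoformat."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_rstr(rstr_xml: bytes, expected_type: str, now: datetime) -> ET.Element:
    """STS -> requestor: hand back the issued token only if its type and Lifetime check out."""
    resp = ET.fromstring(rstr_xml).find(f"{{{WST}}}RequestSecurityTokenResponse")
    if resp is None:
        raise ValueError("no RequestSecurityTokenResponse in reply")
    if resp.findtext(f"{{{WST}}}TokenType") != expected_type:
        raise ValueError("STS issued a token of a different type than requested")
    life = resp.find(f"{{{WST}}}Lifetime")
    if life is None:
        raise ValueError("issued token carries no Lifetime")
    created, expires = (parse_ts(life.findtext(f"{{{WSU}}}{n}")) for n in ("Created", "Expires"))
    if not created <= now < expires:
        raise ValueError("issued token is not yet valid or has expired")
    token = resp.find(f"{{{WST}}}RequestedSecurityToken")
    if token is None or len(token) == 0:
        raise ValueError("RequestedSecurityToken missing or empty")
    return token[0]  # the token element itself, e.g. a saml:Assertion
# Constructed STS reply for the demo (not a real STS response): one RSTR in the 1.3 collection.
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}" xmlns:wsu="{WSU}">
  <wst:RequestSecurityTokenResponse>
    <wst:TokenType>{SAML2_TOKEN}</wst:TokenType>
    <wst:Lifetime><wsu:Created>2004-10-12T10:00:00Z</wsu:Created><wsu:Expires>2004-10-12T11:00:00Z</wsu:Expires></wst:Lifetime>
    <wst:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo" Version="2.0"/></wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>""".encode()
```

Signature verification of the RSTR and of the token itself belongs in WS-Security processing and is not shown here.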

The WS-* security specifications for interoperability include WS-Policy and WS-SecureConversation. WS-Policy is itself a family of related specifications, which, in addition to WS-Policy, include WS-PolicyAssertions and WS-PolicyAttachment. WS-Policy is a framework to describe and communicate the policies of a Web service. WS-PolicyAssertions describes policy assertions that can be specified within a policy. WS-PolicyAttachment specifies three specific attachment mechanisms for using policy expressions within Web services.

The WS-* security specifications for integration include WS-Federation and WS-Authorization. WS-Federation deals with the issues that arise when one entity with one trust model wants to use a Web service to communicate with a different entity that has a different trust model. One might be using Kerberos, while the other uses X.509. Understanding federation will be important both because business-to-business Web services will provide a significant source of overall business productivity improvements and because major initiatives such as Passport and Liberty Alliance are based on the concept of federated identity.

Beyond the WS-* family of specifications is a small set of vitally important Web services security specifications you need to learn and track. The XML Key Management Specification (XKMS) is one of them. It will be the way PKI is leveraged and becomes truly ubiquitous because it allows PKI to operate as a trusted Web service. XKMS specifies the X-KISS protocol for Locate and Validate operations on keys. It uses the X-KRSS protocol for registration, revocation, and recovery of keys.

The specification for XML access control is XACML. XACML is complicated and will probably become buried in development tools, but it is important because it allows fine-grained control over access to all sorts of resources from Web services.

The XML Rights Management Specification is XrML, which provides a rich digital rights management specification in XML for XML.


This chapter is from Securing Web Services with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515).

