W3C home > Mailing lists > Public > www-ws@w3.org > March 2002

RE: Security Issues in Web-Services

From: Anne Thomas Manes <anne@manes.net>
Date: Fri, 8 Mar 2002 09:32:02 -0500
To: "Naresh Agarwal" <nagarwal@in.firstrain.com>, <www-ws@w3.org>
Message-ID: <CJEIKEMEBAONGDDNLEKFOENADNAA.anne@manes.net>
Naresh,

Systinet WASP provides a comprehensive security framework. (See our
documentation for more information:
http://www.systinet.com/products/wasp_advanced/doc/security_overview.html
http://www.systinet.com/products/wasp_advanced/doc/programmers_guide.html
(Section 4)

WASP supports SSL-based security over HTTPS. It also supports
transport-independent end-to-end security using GSS-API. It supports both
W3C SOAP DSIG and Microsoft's WS-Security convention. (See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/
html/ws-security.asp.)

XKMS provides a simple abstraction layer that makes it much simpler to
obtain and manage encryption keys in a PKI environment. Encryption keys are
used in all aspects of security. They are used to encrypt and decrypt data
to ensure privacy, confidentiality, and data integrity. They are used to
prove identity (authentication) and as proof of source (non-repudiation).
They are used to digitally sign data. (Note that XKMS doesn't perform the
actual security functions -- it just helps you manage your keys.)

Other security related standards that you should watch are:

W3C XML Encryption - encrypting XML (See http://www.w3.org/Encryption/2001/)

OASIS SAML (Security Assertions Markup Language) - This spec defines an XML
protocol that can be used to exchange security information. You can specify
authentication information, authorization information, and attributes or
qualifications of authorization information.
(See http://www.oasis-open.org/committees/security/).

OASIS XACML (Extensible Access Control Markup Language) - This spec provides
a mechanism to express access control policies in XML.
(See http://www.oasis-open.org/committees/xacml/).

RFC2743 GSS-API (Generic Security Service API) - This API provides a generic
API that can be used to access security services implemented through a
variety of security mechanisms (e.g., PKI, Kerberos, etc.)
(See http://www.rfc-editor.org/rfc/rfc2743.txt

RFC2025 SPKM (Simple Public Key GSS-API Mechanism) - maps GSS-API to PKI.
(See http://www.rfc-editor.org/rfc/rfc2025.txt)

RFC1964 (Kerberos V5 GSS-API Mechanism) - maps GSS-API to Kerberos V5.
(See ftp://ftp.isi.edu/in-notes/rfc1964.txt)

Best regards,

Anne Thomas Manes
CTO, Systinet

> -----Original Message-----
> From: www-ws-request@w3.org [mailto:www-ws-request@w3.org]On Behalf Of
> Naresh Agarwal
> Sent: Friday, March 08, 2002 6:19 AM
> To: www-ws@w3.org
> Subject: Security Issues in Web-Services
>
>
> Hi
>
> Following encapsulated all the security-related issue, which any
> protocol should address to..
>
> a) Privacy
> b) Authntication
> c) Integrity
> d) Non-repudiation
> e) Access Control (Authorization)
>
>
> I have some questions about these in the context of SOAP and
> Web-Services.
>
> 1)  What is the status of XKMS, and which of above mentioned issues it
> would  address?  Also which soap implementations currently support XKMS?
>
> 2)  What is the status of SOAP-Dsig., and which of the above mentioned
> issues it would address? Also which soap implementations currently
> support SOAP-DSig.
>
> 3)  Are there any other upcoming standards, which would address the
> above mentiones issues?
>
> 4)  Most SOAP implementation use HTTP as transport protocol and hence
> can not use TLS. Is there any soap implementation, which supports HTTPS?
>
> 5)  Assuming that the standards like XKMS, SOAP-Dsig. etc would take
> some time to get mature, what is the way to address above mentioned
> issue in SOAP without using these standards?
>
>
> thanks,
>
> regards,
> Naresh Agarwal
>
>
Received on Friday, 8 March 2002 09:32:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:25:40 GMT