- From: Anne Thomas Manes <anne@manes.net>
- Date: Fri, 8 Mar 2002 09:32:02 -0500
- To: "Naresh Agarwal" <nagarwal@in.firstrain.com>, <www-ws@w3.org>
Naresh,

Systinet WASP provides a comprehensive security framework. (See our documentation for more information:
http://www.systinet.com/products/wasp_advanced/doc/security_overview.html
http://www.systinet.com/products/wasp_advanced/doc/programmers_guide.html (Section 4))

WASP supports SSL-based security over HTTPS. It also supports transport-independent end-to-end security using GSS-API. It supports both W3C SOAP DSIG and Microsoft's WS-Security convention. (See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security.asp.)

XKMS provides a simple abstraction layer that makes it much simpler to obtain and manage encryption keys in a PKI environment. Encryption keys are used in all aspects of security. They are used to encrypt and decrypt data to ensure privacy, confidentiality, and data integrity. They are used to prove identity (authentication) and as proof of source (non-repudiation). They are used to digitally sign data. (Note that XKMS doesn't perform the actual security functions -- it just helps you manage your keys.)

Other security related standards that you should watch are:

W3C XML Encryption - encrypting XML (See http://www.w3.org/Encryption/2001/)

OASIS SAML (Security Assertions Markup Language) - This spec defines an XML protocol that can be used to exchange security information. You can specify authentication information, authorization information, and attributes or qualifications of authorization information. (See http://www.oasis-open.org/committees/security/).

OASIS XACML (Extensible Access Control Markup Language) - This spec provides a mechanism to express access control policies in XML. (See http://www.oasis-open.org/committees/xacml/).

RFC2743 GSS-API (Generic Security Service API) - This API provides a generic API that can be used to access security services implemented through a variety of security mechanisms (e.g., PKI, Kerberos, etc.) (See http://www.rfc-editor.org/rfc/rfc2743.txt)

RFC2025 SPKM (Simple Public Key GSS-API Mechanism) - maps GSS-API to PKI. (See http://www.rfc-editor.org/rfc/rfc2025.txt)

RFC1964 (Kerberos V5 GSS-API Mechanism) - maps GSS-API to Kerberos V5. (See ftp://ftp.isi.edu/in-notes/rfc1964.txt)

Best regards,
Anne Thomas Manes
CTO, Systinet

> -----Original Message-----
> From: www-ws-request@w3.org [mailto:www-ws-request@w3.org]On Behalf Of Naresh Agarwal
> Sent: Friday, March 08, 2002 6:19 AM
> To: www-ws@w3.org
> Subject: Security Issues in Web-Services
>
> Hi
>
> Following encapsulated all the security-related issue, which any protocol should address to..
>
> a) Privacy
> b) Authentication
> c) Integrity
> d) Non-repudiation
> e) Access Control (Authorization)
>
> I have some questions about these in the context of SOAP and Web-Services.
>
> 1) What is the status of XKMS, and which of above mentioned issues it would address? Also which soap implementations currently support XKMS?
>
> 2) What is the status of SOAP-Dsig., and which of the above mentioned issues it would address? Also which soap implementations currently support SOAP-DSig.
>
> 3) Are there any other upcoming standards, which would address the above mentioned issues?
>
> 4) Most SOAP implementation use HTTP as transport protocol and hence can not use TLS. Is there any soap implementation, which supports HTTPS?
>
> 5) Assuming that the standards like XKMS, SOAP-Dsig. etc would take some time to get mature, what is the way to address above mentioned issue in SOAP without using these standards?
>
> thanks,
>
> regards,
> Naresh Agarwal
Received on Friday, 8 March 2002 09:32:13 UTC