WSI Overview Presentation - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: WSI Overview Presentation


1
Enabling Interoperable Secure Web Services
Bret Hartman, DataPower Technology, October 2004
2
THE CONTEXT
  • The shift to Web services is underway
  • An Internet-native distributed computing model
    based on XML standards has emerged
  • Early implementations are solving problems today
    and generating new requirements
  • The Web services standards stack is increasing in
    size and complexity to meet these requirements
  • The fundamental characteristic of Web services is
    interoperability

3
WHAT IS NEEDED?
  • Guidance
  • A common definition for Web services
  • Implementation guidance and support for Web
    services adoption
  • Interoperability
  • Across platforms, applications, and languages
  • Consistent, reliable interoperability between Web
    services technologies from multiple vendors
  • A standards integrator to help Web services
    advance in a structured, coherent manner

4
ABOUT WS-I
  • An open industry effort chartered to promote Web
    Services interoperability across platforms,
    applications and programming languages.
  • A standards integrator to help Web services
    advance in a structured, coherent manner
  • Approximately 150 member organizations
  • 70% vendors, 30% end-user organizations
  • 80% North America with active worldwide
    membership

5
WS-I GOALS
  • Achieve Web services interoperability
  • Integrate specifications
  • Promote consistent implementations
  • Provide a visible representation of conformance
  • Accelerate Web services deployment
  • Offer implementation guidance and best practices
  • Deliver tools and sample applications
  • Provide an implementers' forum where developers
    can collaborate
  • Encourage Web services adoption
  • Build industry consensus to reduce early adopter
    risks
  • Provide a forum for end users to communicate
    requirements
  • Raise awareness of customer business requirements

6
WS-I, STANDARDS, AND INDUSTRY
[Diagram labels: Standards, Specifications; Requirements; Implementation Guidance; Requirements; Businesses, Industry Consortia, Developers, End Users]
7
WORKING GROUPS
  • Basic Profiles
  • Addresses the core set of specifications (e.g.,
    SOAP, WSDL, UDDI, attachments, etc.) that provide
    the foundation for Web services
  • Basic Security Profile
  • Addresses transport security, SOAP messaging
    security, and other security considerations
  • Requirements Gathering
  • Captures business requirements to drive future
    profile selection
  • Sample Applications
  • Illustrate best practices for implementations on
    multiple vendor platforms
  • Testing Tools and Materials
  • Develops self-administered tests to verify
    conformance with WS-I profiles

8
MILESTONES: BASIC PROFILES
  • Basic Profile 1.0
  • Delivered Basic Profile 1.0, and associated
    sample applications and test tools as Final
    Material
  • Provides interoperability guidance for core Web
    services specifications such as SOAP, WSDL, and
    UDDI.
  • Conventions around messaging, description and
    discovery
  • Basic Profile 1.1
  • Derived from the Basic Profile 1.0 incorporating
    any errata to date and separating out
    requirements related to the serialization of
    envelopes and their representation in messages
  • Attachments Profile 1.0
  • Complements Basic Profile 1.1 to add support for
    interoperable SOAP messages with attachments
  • Simple SOAP Binding Profile 1.0
  • Derived from those Basic Profile 1.0 requirements
    related to the serialization of the envelope and
    its representation in the message, incorporating
    any errata to date

9
CURRENT WORK: BASIC SECURITY PROFILE
  • Security Scenarios
  • Identifies security challenges and threats in
    building interoperable Web services and
    countermeasures for these risks
  • Basic Security Profile
  • Addresses transport security, SOAP messaging
    security and other security considerations
  • References existing specifications used to
    provide security, including the OASIS Web
    Services Security 1.0 specification
  • HTTP over TLS
  • SOAP with Attachments
  • WS-Security with Username and X.509 token
    profiles
  • Kerberos, SAML, and REL (XRML) Token Profiles are
    being considered

10
WS-I BASIC SECURITY PROFILE (BSP) 1.0
  • Methodology
  • Reviewed WSS Documents (WSS core, username,
    X.509)
  • Comments to WSS TC
  • Generated potential profiling points (captured as
    issues)
  • Reviewed underlying documents
  • IETF RFCs covering TLS
  • XML Signature, XML Encryption
  • Identified potential profiling points by looking
    for anything other than MUST (e.g. options in
    specifications)

11
TESTING RESOURCES
  • Web Services Communication Monitor
  • Captures messages exchanged between Web services
    and the software that invokes them and stores the
    messages for later analysis
  • Web Services Profile Analyzer
  • Evaluates messages captured by Monitor
  • Validates the description and registration
    artifacts of the Web service
  • Output of Analyzer tool can be used as the basis
    for WS-I conformance claims
  • Tools can be used by any Web services developer
  • Source code is available

12
USE OF DELIVERABLES
  • The public is free (and encouraged) to
  • Download, use, and display the Basic Profiles
  • Download and use test tools and material to test
    their applications
  • Download, use, modify, and redistribute WS-I
    sample applications
  • Adopters may (in addition to the above)
  • Reproduce and redistribute specifications with
    their products
  • Members may (in addition to all of the above)
  • Ship test tools and material (as is or modified)
    within their products

13
CONFORMANCE
  • Logo represents a claim that the product or
    service can pass the required tests using the
    WS-I Test Tools
  • Reports generated by the tools must be made
    publicly available
  • WS-I logo is a label for customers to look for
  • Enforcement is market driven
  • Expected review by competitors and trade media
  • Use must reference specific profile
  • WS-I logo on a company's Web site must link to
    the specific profile to which conformance is
    claimed
  • For shipped products, the specific profile must
    be referenced in documentation (e.g. ReadMe file)

14
TESTING AND DEMONSTRATING BSP 1.0
  • How to test Basic Security Profile 1.0?
  • BP 1.0 Testing Tools used a man in the middle
    testing strategy
  • Will this work for BSP 1.0 since one of its
    objectives is to stop man in the middle attacks?
  • What level does the testing take place at?
  • Highest level message syntax?
  • After parts of the message have been decrypted?
  • BSP sample applications and usage scenarios
  • Based on sample application for BP 1.0 adding
    security aspects

15
QUESTIONS
  • Later
  • bhartman_at_datapower.com
  • WS-I documents available at
    http://www.ws-i.org/documents.aspx include
  • Basic Profiles
  • Security Scenarios and Basic Security Profile
  • Usage Scenarios
  • Test Assertion Documents
  • WS-I software tools available at
    http://www.ws-i.org/implementation.aspx include
  • Monitor and Analyzer Tools in C# and Java
  • Supply Chain Sample application for 10 major
    application platforms
  • Thanks to WS-I for much of the material in this
    presentation