Alignment with emerging Web Service Standards - PowerPoint PPT Presentation

Slides: 26
Provided by: richth
1
Alignment with emerging Web Service Standards
2
Web Service Standards Stack
3
Web Service Standards Stack
4
Stateful Web Services
  • Port References (comments in WS-Coordination):
    ability to dynamically refer to ports for
    targeted invocations
  • Context (comments in WS-Coordination): ability
    to supply stateful information for return with
    later invocations.
  • Service Instances (examples include Borland at
    http://www.systinet.com/doc/wasp_developer_jb/advanced/statefulWebServices.html#advancedTopics.statefulWebServices.mechanism,
    BPEL and OGSI efforts): ability to return a
    reference to a new instance which can be
    resupplied on later invocations
  • => Mechanisms for Producers exposing portlet
    instances at runtime should align with these.

5
Web Service Standards Stack
6
Web Service Security
  • Broad set of specifications that cover
      • Authentication
      • Authorization
      • Privacy
      • Trust
      • Integrity
      • Confidentiality
      • Secure communication channels
      • Federation
      • Delegation
      • Auditing
  • Framework builds upon
      • SOAP
      • WSDL
      • XML Digital Signatures
      • XML Encryption
      • SSL/TLS

7
Web Service Security Layers
8
SOAP/XML Foundations
  • SSL/TLS: Current means to exchange messages at
    various levels of security
  • XML Digital Signatures: Sign portions of a
    document relative to authentication and
    non-repudiation
  • XML Encryption: Using ciphers to make portions
    of a document unavailable to 3rd parties

9
SOAP/XML Foundations
  • SAML: Markup language for exchanging security
    related assertions about a document, its source
    and recipients.
  • XACML: Exchanging access control information
    using SAML.
  • XCBF: Defining secure XML encodings for the
    Common Biometric Exchange File Formats (NISTIR
    6529).
  • XrML: Rights markup language
  • (see http://www.oasis-open.org/committees/security-jc/)

10
WS Security Model Terminology
  • Web Service - Application components whose
    functionality and interfaces are exposed through
    XML, SOAP and WSDL
  • (Signed) Security Token - A security token that
    is asserted (and cryptographically endorsed) by a
    specific authority
  • Claim - A statement a client makes (e.g. name,
    identity, key, group, privilege, capability,
    etc).
  • Claim Requirements - Requirements for the claims
    a client makes with an invocation to the Web
    Service.
  • Subject - A principal (e.g. a person) about which
    the claims expressed in the security token apply

11
WS Security Model Terminology
  • Subject - A principal (e.g. a person) about which
    the claims expressed in the security token apply
  • Proof-of-Possession - Used to demonstrate the
    sender's knowledge of information that SHOULD
    only be known to the sender of a security token.
  • Intermediaries - Parties that perform actions
    such as routing a SOAP message or even modifying
    the message. For example, an intermediary may add
    headers, encrypt or decrypt pieces of the
    message, or add additional security tokens.
  • Actor - An intermediary or SOAP endpoint which is
    identified by a URI and which processes a SOAP
    message.

12
WS Security Model
  • Today's technologies offer network and transport
    layer security
      • IPsec, SSL, TLS
  • SOAP message model operates on logical endpoints,
    often via multi-hop with intermediaries
  • Need for SOAP message-level end-to-end security

[Diagram labels: Security Context; Requestor; Intermediary; Web Service]
13
WS Security Token Service Model
  • Web Service requires a set of claims
  • If message arrives without needed claims ->
    reject or ignore message
  • Requestor sends proof of claims by associating
    security tokens with message
  • Security tokens may be obtained from security
    token services (Web Services)

[Diagram labels: Requestor; Web Service; Security Token Service; Policy; Claims; Security Token]
14
WS-Security
  • Describes SOAP header enhancements to provide
    message integrity and confidentiality
      • By leveraging XML Signature and XML Encryption
  • Provides general purpose mechanism to attach
    security tokens to messages
      • No specific type of security token mandated
      • Support for multiple security token formats
  • Support for specifying binary security tokens
    like X.509 certificates or Kerberos tickets
  • Specifies encoding for binary security tokens,
    especially X.509 certificates and Kerberos
    tickets
  • Working Draft 8 - 12/12/2002
  • See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp
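
The claim check from the token service model (slide 13) applied to the WS-Security header (slide 14), as an added example that is not part of the original presentation. It assumes SOAP 1.1 and the namespace of the later OASIS WS-Security 1.0 standard rather than the 2002 working draft; `attached_tokens`, `admit` and the sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1
# Assumption: namespace of the OASIS WS-Security 1.0 standard (2004),
# not necessarily the one used by the working draft the slide cites.
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def attached_tokens(envelope_xml):
    """Return the local names of the elements in the wsse:Security header."""
    if "<!DOCTYPE" in envelope_xml:
        # SOAP 1.1 forbids a DTD in a message; refusing it up front also
        # keeps entity-expansion tricks away from the parser.
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security")
    if security is None:
        return set()
    return {child.tag.rsplit("}", 1)[-1] for child in security}


def admit(envelope_xml, required_tokens):
    """Reject a message that arrives without the needed claims.

    Presence check only: a real service must still validate every token
    (signature, issuer, expiry) before trusting the claims it carries.
    Returns (admitted, missing_token_types).
    """
    try:
        present = attached_tokens(envelope_xml)
    except (ValueError, ET.ParseError):
        return False, set(required_tokens)
    missing = set(required_tokens) - present
    return not missing, missing


# Constructed sample messages; the token value is base64 of "CONSTRUCTED".
WITH_TOKEN = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <s:Header><wsse:Security>
    <wsse:BinarySecurityToken>Q09OU1RSVUNURUQ=</wsse:BinarySecurityToken>
  </wsse:Security></s:Header>
  <s:Body/>
</s:Envelope>"""
NO_TOKEN = f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body/></s:Envelope>'

if __name__ == "__main__":
    print(admit(WITH_TOKEN, {"BinarySecurityToken"}))
    print(admit(NO_TOKEN, {"BinarySecurityToken"}))
```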

15
WS-Policy
  • Framework for web services to specify their
    requirements and capabilities
  • Defines
      • Header element for carrying domain-specific
        policy declarations
      • Operators for combining policies
      • Connecting policies to their targets
  • See ftp://www6.software.ibm.com/software/developer/library/ws-policy.pdf
  • Public draft 12/18/02

[Diagram: Web Service security layers, labelled PolicyAttachments, Federation, SecurityPolicy, PolicyAssertions, Trust, SecureConversation, Authorization, Policy, Privacy, XML Token Profile, WS-Security, SOAP/XML Foundation]
16
WS-PolicyAssertions
  • Defines basic assertions needed to enable Web
    services applications
      • TextEncoding: what character sets are supported
      • Language: what locales are supported (xml:lang)
      • SpecVersion
      • MessagePredicate: preconditions for an
        invocation
  • See http://www.verisign.com/wss/WS-PolicyAssertions.pdf
  • Public draft - 12/18/02

17
WS-SecurityPolicy
  • Defines extensions to WS-Policy for describing
    the security properties of a Web Service
  • Policy Assertions
  • Security Token requirements
  • Encoding formats
  • Supported algorithms
  • See http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnglobspec/html/ws-securitypolicy.asp
  • Public draft - 12/18/02

18
WS-PolicyAttachments
  • Defines how policies are attached to existing XML
    Web service technologies.
      • To specific documents: elements may use an
        attribute to point at policy statements
      • To WSDL definitions: defines how these policy
        attributes are interpreted for WSDL definitions
      • To UDDI entities: tModel defined for declaring
        service uses policy declarations
  • See ftp://www6.software.ibm.com/software/developer/library/ws-policyattachment.pdf
  • Public draft - 12/18/02

19
WS-Trust
  • Describes model on how to establish trust
    relationships
      • Direct
      • Brokered
      • Via third parties and intermediaries
  • Defines Security Token Service (Web Service)
      • Request/obtain security tokens
      • Validate security tokens
  • Trust Management (non-normative)
      • Fixed trust roots
      • Trust hierarchies
      • Authentication service
  • See http://www.verisign.com/wss/WS-Trust.pdf
  • Public draft - 12/18/02

20
WS-SecureConversation
  • Describes how to
      • Authenticate requestor
      • Authenticate services
      • Establish mutually authenticated security context
      • Establish session keys
          • Derived keys
          • Per-message keys
  • See http://www.rsasecurity.com/solutions/web-services/specifications/WS-SecureConversation.pdf
  • Public draft - 12/18/02

21
WS-Security Profile for XML-based Tokens
  • Defines a framework for using XML-based security
    tokens with WS-Security
      • SAML binding
      • XrML binding
  • See http://www-106.ibm.com/developerworks/library/ws-sectoken.html
  • Public draft - 8/28/02

22
WS-Privacy
  • Defines how a Web Service implements privacy
  • Referenced from other security documents (e.g.
    Security in a Web Services World: A Proposed
    Architecture and Roadmap)
  • Privacy demo in IBM's Web Services Toolkit
    supports P3P rules in a WS-Policy type format.

23
WS-Federation
  • Defines how to manage and broker trust
    relationships in a heterogeneous federated
    environment including support for federated
    identities.
  • Referenced from other security documents (e.g.
    Security in a Web Services World: A Proposed
    Architecture and Roadmap)

24
WS-Authorization
  • Describes how the Web Service manages
    authorization data and policies
  • Referenced from other security documents (e.g.
    Security in a Web Services World: A Proposed
    Architecture and Roadmap)

25
Web Service Security Layers
[Diagram legend: Standard; Draft Standard; Proposal; Expected]
[Diagram layers: WS-PolicyAttachments; WS-Federation; WS-SecurityPolicy; WS-PolicyAssertions; WS-Trust; WS-SecureConversation; WS-Authorization; WS-Policy; WS-Privacy; WS-Security Profile for XML-based Tokens; WS-Security (Framework); SOAP/XML Foundation (SSL, Digital signatures, encryption, ...)]