Title: WS-Security TC
Slide 1: WS-Security TC
- Christopher Kaler
- Kelvin Lawrence
Slide 2: Agenda
- Context for WS-Security
- WS-Security Elements and Example
- TC Charter and Deliverables
Slide 3: Web Service Security Issues
- It is getting easier to build web services, but who is
  sending the messages?
- Several approaches
  - SSL with username and password
  - SSL with X.509 client certificates
  - VPN with Kerberos
  - XrML, SAML, ...
- Challenges
  - Computational cost
  - Inflexibility
  - Firewalls
  - Distributed management
  - Hop-to-hop vs. end-to-end
[Diagram callouts: Username/password; Client certificates, Smart Cards; VPN]
Slide 4: Security and Web Services
- Security in a Web Services World
  - Safer: no exposure at intermediaries
  - Interoperable: broad vendor support
    - Leverages XML Signature and XML Encryption
  - Flexible: builds on web infrastructure
    - Works with HTTP, SMTP, and other transports
    - Works over firewalls, through the DB, ...
  - Durable: security is available at the business
    request / application layer
  - Higher performance and scalability
    - Supports both public and symmetric keys
    - Clients exchange security tokens and cache them
  - Easier: a simple, common approach for manageable
    authentication, authorization, and permissions
Slide 5: A Typical Challenge
[Diagram: Company A's Web Service, its Business Partners, and a Certification Partner]
Slide 6: A WS-Security Solution
[Diagram: the same parties (Company A's Web Service, Business Partners, Certification Partner) with WS-Security in place]
Slide 7: How Does It Work?
- Security tokens assert claims
- Web services have policies
- A security token service is just a web service
that issues security tokens
Slide 8: Security Tokens
- Security tokens assert claims
[Diagram: token formats (X.509, Kerberos, XrML, SAML, Custom) asserting claims (identity, keys, privileges, rights, capabilities)]
Slide 9: Policies
- Services have policies
  - Policies describe the required claims
  - Security tokens assert the claims
[Diagram: a request is checked against the service's policy: does the request have the correct security tokens?]
Slide 10: Security Token Service
- A security token service issues security tokens
  - It is just a web service
  - A solution may require multiple token services
[Diagram: the Security Token Service and the Web Service, each with its own Policy]
Slide 11: Agenda
- Context for WS-Security
- WS-Security Elements and Example
- TC Charter and Deliverables
Slide 12: New SOAP Elements (WS-Security)
- New
  - Security header
- Existing
  - XML Signature
  - XML Encryption
  - Token formats (e.g., X.509, Kerberos, XrML, SAML)
Slide 13: The Security Header
- SOAP actor is optional
- One header per actor
- All security information together
- Sub-elements are prepended (a newly added element goes in front of those already present)
- Supports multiple signatures
Slide 14: Elements in the Security Header
- Including and referencing security tokens
- Signature
- Encryption manifest
- Encrypted attachments
- Other
Slide 15: Simple Example
- Requesting a stock quote
- Security token indicates the username
- Signature uses a key generated from the password
Slide 16: Simple Example (1 of 2)
  <?xml version="1.0" encoding="utf-8"?>
  <S:Envelope xmlns:S="..." xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <S:Header>
      <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">
        <m:action>http://fabrikam.org/getQuote</m:action>
        <m:to>http://fabrikam.org/stocks</m:to>
        <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id>
      </m:path>
      <wsse:Security xmlns:wsse="...">
        <wsse:UsernameToken Id="MyID">
          <wsse:Username>Zoe</wsse:Username>
        </wsse:UsernameToken>
        <ds:Signature>
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm=".../xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm=".../xmldsig#hmac-sha1"/>
Slide 17: Simple Example (2 of 2)
            <ds:Reference URI="#MsgBody">
              <ds:DigestMethod Algorithm="http://.../xmldsig#sha1"/>
              <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
          <ds:KeyInfo>
            <wsse:SecurityTokenReference>
              <wsse:Reference URI="#MyID"/>
            </wsse:SecurityTokenReference>
          </ds:KeyInfo>
        </ds:Signature>
      </wsse:Security>
    </S:Header>
    <S:Body Id="MsgBody">
      <StockSymbol>QQQ</StockSymbol>
    </S:Body>
  </S:Envelope>
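The following is an added example, written for this page by the editor; it is not code from the slides, from the WS-Security specification, or from the TC. It emulates the exchange of slides 15 to 17 together with the policy check of slide 9 using only the Python standard library: the client builds a UsernameToken and an HMAC-SHA1 signature over the Body whose key is generated from the password; the service applies its policy (a UsernameToken must be present, the signature must reference that token and cover the Body), recomputes the Body digest and the HMAC, and rejects a tampered Body or a wrong password. Everything the slides leave unspecified is an assumption here: the password-to-key derivation (PBKDF2-HMAC-SHA1 with a fixed salt), the wsse namespace URI, the credential store, the sample values, and the use of the standard library's C14N 2.0 canonicalization in place of Exclusive C14N (the Exclusive C14N URI in SignedInfo is therefore only declarative). Requires Python 3.8 or later for ET.canonicalize.

```python
"""Added example (not from the slides): UsernameToken + password-keyed
HMAC-SHA1 signature over the SOAP Body, and the service-side policy check."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "S": "http://www.w3.org/2001/12/soap-envelope",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",  # assumed draft namespace
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def q(prefix, name):
    """Clark-notation tag for a prefixed name."""
    return "{%s}%s" % (NS[prefix], name)

EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"  # method named on slide 16
HMAC_SHA1 = NS["ds"] + "hmac-sha1"
SHA1 = NS["ds"] + "sha1"

# Constructed credential store: the service's copy of each user's password.
PASSWORDS = {"Zoe": "correct horse battery staple"}

# Slide 9: the policy describes the claims a request must carry.
POLICY = {"token": "UsernameToken", "signed_part": "#MsgBody"}

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

def key_from_password(password):
    # Assumed derivation; the slides only say the key is generated from the password.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), b"wsse-example-salt", 1000)

def canon(elem):
    # Assumption: stdlib C14N 2.0 stands in for Exclusive C14N; prefixes are
    # rewritten so sender and receiver agree regardless of prefix choice.
    xml = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(xml, strip_text=True, rewrite_prefixes=True).encode("utf-8")

def build_request(username, password, symbol):
    """Client side: UsernameToken plus an HMAC-SHA1 signature over the Body."""
    env = ET.Element(q("S", "Envelope"))
    header = ET.SubElement(env, q("S", "Header"))
    security = ET.SubElement(header, q("wsse", "Security"))
    token = ET.SubElement(security, q("wsse", "UsernameToken"), Id="MyID")
    ET.SubElement(token, q("wsse", "Username")).text = username
    body = ET.SubElement(env, q("S", "Body"), Id="MsgBody")
    ET.SubElement(body, "{http://fabrikam.org/payloads}StockSymbol").text = symbol

    sig = ET.SubElement(security, q("ds", "Signature"))
    info = ET.SubElement(sig, q("ds", "SignedInfo"))
    ET.SubElement(info, q("ds", "CanonicalizationMethod"), Algorithm=EXC_C14N)
    ET.SubElement(info, q("ds", "SignatureMethod"), Algorithm=HMAC_SHA1)
    ref = ET.SubElement(info, q("ds", "Reference"), URI="#MsgBody")
    ET.SubElement(ref, q("ds", "DigestMethod"), Algorithm=SHA1)
    ET.SubElement(ref, q("ds", "DigestValue")).text = b64(hashlib.sha1(canon(body)).digest())
    mac = hmac.new(key_from_password(password), canon(info), hashlib.sha1).digest()
    ET.SubElement(sig, q("ds", "SignatureValue")).text = b64(mac)
    # KeyInfo points back at the token whose password produced the key.
    str_ref = ET.SubElement(ET.SubElement(sig, q("ds", "KeyInfo")), q("wsse", "SecurityTokenReference"))
    ET.SubElement(str_ref, q("wsse", "Reference"), URI="#MyID")
    return ET.tostring(env, encoding="unicode")

def verify_request(envelope_xml, policy=POLICY):
    """Service side: apply the policy, then recompute the digest and the HMAC."""
    root = ET.fromstring(envelope_xml)
    security = root.find("S:Header/wsse:Security", NS)
    token = security.find("wsse:" + policy["token"], NS) if security is not None else None
    if token is None:
        return False, "policy: %s required" % policy["token"]
    username = token.findtext("wsse:Username", namespaces=NS)
    password = PASSWORDS.get(username)
    if password is None:
        return False, "unknown user"
    sig = security.find("ds:Signature", NS)
    key_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS) if sig is not None else None
    if key_ref is None or key_ref.get("URI") != "#" + token.get("Id", ""):
        return False, "policy: signature must reference the token"
    info = sig.find("ds:SignedInfo", NS)
    ref = info.find("ds:Reference", NS) if info is not None else None
    body = root.find("S:Body", NS)
    if (ref is None or ref.get("URI") != policy["signed_part"]
            or body is None or "#" + body.get("Id", "") != policy["signed_part"]):
        return False, "policy: Body must be signed"
    digest = b64(hashlib.sha1(canon(body)).digest())
    if not hmac.compare_digest(digest, ref.findtext("ds:DigestValue", default="", namespaces=NS)):
        return False, "Body digest mismatch"
    mac = b64(hmac.new(key_from_password(password), canon(info), hashlib.sha1).digest())
    if not hmac.compare_digest(mac, sig.findtext("ds:SignatureValue", default="", namespaces=NS)):
        return False, "signature value does not verify"
    return True, username

if __name__ == "__main__":
    request = build_request("Zoe", PASSWORDS["Zoe"], "QQQ")
    print(verify_request(request))
    print(verify_request(request.replace(">QQQ<", ">MSFT<")))
    print(verify_request(build_request("Zoe", "wrong password", "QQQ")))
```

The two references are what make this end-to-end rather than hop-to-hop: the Reference URI ties the digest to the Body, and the KeyInfo reference ties the key to the UsernameToken, so an intermediary can forward the message but cannot alter the Body or substitute a token without the signature failing. The example carries no nonce or timestamp in the token, so a captured request could be replayed; nothing on these slides addresses replay, and a deployment would need it.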
Slide 18: Agenda
- Context for WS-Security
- WS-Security Elements and Example
- TC Charter and Deliverables
Slide 19: WS-Security TC Charter
Continue work on the Web service security
foundations published in the WS-Security
specification and under the context of the Web
Services Security roadmap.
Slide 20: WS-Security TC Scope
- Using XML signature to provide SOAP message
integrity for Web services
- Using XML encryption to provide SOAP message
confidentiality for Web services
- Attaching and/or referencing security tokens in
headers of SOAP messages
- Carrying security information for potentially
multiple, designated actors
- Associating signatures with security tokens
- Representing specific forms of binary security
  tokens as defined in the WS-Security specification.
Slide 21: WS-Security TC Deliverables
- Accept as input the Web Services Security
  (WS-Security)
- Produce as output a specification for Web
  Services Security. This specification will
  reflect refinements and changes made to the
  submitted version of WS-Security that are
  identified by the WSS TC members for additional
  functionality within the scope of the TC
  charter.
- Liaise and/or forge relationships with other Web
  services efforts to assist in leveraging
  WS-Security as a part of their specifications or
  solutions.
- Coordinate with the chairs of the other OASIS
  security-related groups via the Security Joint
  Coordination Committee.
- Oversee ongoing maintenance and errata of the
  WS-Security specification.
Slide 22: Questions