
Security issues in SOAP and Web-Services

  • Naresh Agarwal
    Message 1 of 3 , Mar 8, 2002
      Hi

      The following encapsulates all the security-related issues, which any
      protocol should address:

      a) Privacy
      b) Authentication
      c) Integrity
      d) Non-repudiation
      e) Access Control (Authorization)


      I have some questions about these in the context of SOAP and
      Web-Services.

      1) What is the status of XKMS, and which of the above-mentioned issues
      would it address? Also, which SOAP implementations currently support XKMS?

      2) What is the status of SOAP-Dsig., and which of the above-mentioned
      issues would it address? Also, which SOAP implementations currently
      support SOAP-DSig?

      3) Are there any other upcoming standards which would address the
      above-mentioned issues?

      4) Most SOAP implementations use HTTP as the transport protocol and hence
      cannot use TLS. Is there any SOAP implementation which supports HTTPS?

      5) Assuming that standards like XKMS, SOAP-Dsig. etc. would take
      some time to mature, what is the way to address the above-mentioned
      issues in SOAP without using these standards?


      thanks,

      regards,
      Naresh Agarwal
    • Jorgen Thelin
      Message 2 of 3 , Mar 8, 2002
        Hi Naresh,

        You can check the various home pages of the relevant standards
        committees for the complete answers on the scope and current state of
        the various specifications you refer to:
        http://www.w3.org/2001/XKMS/
        http://www.w3.org/Signature/


        You should also be examining the SAML (Security Assertions Markup
        Language) specification efforts occurring through the OASIS group, which
        is one of the major emerging standards around XML security.
        http://www.oasis-open.org/committees/security/


        Regarding your comments about TLS, I am not sure exactly where this
        information came from, but all web service products I am aware of
        directly include full support for HTTPS/SSL/TLS already. Certainly
        CapeConnect supports this out of the box.


        If you do not wish to use the XML message level standards for security,
        you will probably be forced to use transport level standards, although
        these tend to only be effective for point-to-point connections as a rule
        (e.g. TLS encryption).
        Alternatively, your application can devise its own application level
        security measures, and your message data can then be sent as an opaque
        or binary SOAP payload.
        Your choice depends on a number of application and infrastructure design
        considerations to a large extent.


        Regards,

        - Jorgen


        ----
        Try Cape Clear for all your Web Services software needs.
        http://www.capeclear.com/
        CapeConnect - Enterprise-grade Web Services Runtime Platform
        CapeStudio - Professional Web Services Development Suite
        ----


        > -----Original Message-----
        > From: Naresh Agarwal [mailto:nagarwal@...]
        > Sent: 08 March 2002 08:42
        > To: soapbuilders@yahoogroups.com
        > Subject: [soapbuilders] Security issues in SOAP and Web-Services
        >
        >
        > Hi
        >
        > The following encapsulates all the security-related issues, which
        > any protocol should address:
        >
        > a) Privacy
        > b) Authentication
        > c) Integrity
        > d) Non-repudiation
        > e) Access Control (Authorization)
        >
        >
        > I have some questions about these in the context of SOAP and
        > Web-Services.
        >
        > 1) What is the status of XKMS, and which of the above-mentioned
        > issues would it address? Also, which SOAP implementations
        > currently support XKMS?
        >
        > 2) What is the status of SOAP-Dsig., and which of the
        > above-mentioned issues would it address? Also, which SOAP
        > implementations currently support SOAP-DSig?
        >
        > 3) Are there any other upcoming standards which would
        > address the above-mentioned issues?
        >
        > 4) Most SOAP implementations use HTTP as the transport protocol
        > and hence cannot use TLS. Is there any SOAP implementation
        > which supports HTTPS?
        >
        > 5) Assuming that standards like XKMS, SOAP-Dsig. etc.
        > would take some time to mature, what is the way to
        > address the above-mentioned issues in SOAP without using these standards?
        >
        >
        > thanks,
        >
        > regards,
        > Naresh Agarwal
        >
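
The application-level option from the reply above (message data sent as an opaque SOAP payload), as an added example that is not part of the original thread: the sender attaches an HMAC-SHA256 tag to the payload, so the final receiver can detect changes made by an intermediary that a point-to-point TLS hop would not cover. The shared key, the `keyId` attribute, the `urn:example:opaque` namespace and the element names are assumptions; a shared-key MAC gives integrity and sender authentication only, not privacy or non-repudiation.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET  # brevity only; untrusted XML needs a hardened parser setup

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
APP_NS = "urn:example:opaque"                          # hypothetical application namespace
ET.register_namespace("soap", SOAP_NS)

def _mac(key: bytes, key_id: str, payload: bytes) -> bytes:
    # Bind the key identifier into the tag so it cannot be swapped independently.
    return hmac.new(key, key_id.encode() + b"\0" + payload, hashlib.sha256).digest()

def wrap(payload: bytes, key: bytes, key_id: str) -> bytes:
    """Sender: carry payload and tag as base64 text inside the SOAP Body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    blob = ET.SubElement(body, f"{{{APP_NS}}}Opaque", {"keyId": key_id})
    ET.SubElement(blob, f"{{{APP_NS}}}Data").text = base64.b64encode(payload).decode()
    tag = _mac(key, key_id, payload)
    ET.SubElement(blob, f"{{{APP_NS}}}Mac").text = base64.b64encode(tag).decode()
    return ET.tostring(env)

def unwrap(envelope: bytes, keys: dict) -> bytes:
    """Final receiver: verify the tag before using the payload; raise on any failure."""
    blob = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body/{{{APP_NS}}}Opaque")
    if blob is None:
        raise ValueError("no opaque payload in SOAP Body")
    key_id = blob.get("keyId", "")
    key = keys.get(key_id)
    if key is None:
        raise ValueError("unknown sender key")
    try:
        payload = base64.b64decode(blob.findtext(f"{{{APP_NS}}}Data", ""), validate=True)
        tag = base64.b64decode(blob.findtext(f"{{{APP_NS}}}Mac", ""), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed base64") from exc
    if not hmac.compare_digest(tag, _mac(key, key_id, payload)):
        raise ValueError("MAC mismatch: payload altered in transit")
    return payload

def relay_and_modify(envelope: bytes) -> bytes:
    """Constructed intermediary: the hop where TLS ends and the message is in the clear."""
    root = ET.fromstring(envelope)
    data = root.find(f".//{{{APP_NS}}}Data")
    data.text = base64.b64encode(b'{"op":"transfer","amount":9999}').decode()
    return ET.tostring(root)
```

`unwrap(wrap(msg, key, "partner-a"), {"partner-a": key})` returns `msg`, while passing the envelope through `relay_and_modify` first makes `unwrap` raise `ValueError`.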
      • gc_adamgross
        Message 3 of 3 , Mar 8, 2002
          FWIW, I recently gave a webinar that attempted to outline web service
          security requirements, and where specific standards efforts fit
          within that context. You can find a copy of the slides at:

          http://www.geocities.com/gc_adamgross/SecuringWebServices.pdf

          ..and let me know if I can answer any questions. I'll be presenting
          the webinar live again on 3/21 (see
          http://www.grandcentral.com/webinar.html)

          Regards,
          Adam

          Grand Central Communications

