verybody's talking about Web services. It's the buzz term of the moment. The promise of application-to-application interactions using remote procedure calls over Web connections has grabbed the attention of many in the IT industry. As is often the case with new technologies, however, what Web services can do is discussed much more often than the security implementations that they require. This year's RSA Conference in San Francisco devoted an entire track of sessions to secure Web services, indicating that the organizers recognize the importance of security in this burgeoning technologyand developers should also.
Ari Kermaier's session, "Securing Web Services: XML Security Standards in Practice" gave developers an understanding of how they could implement the maturing XML security standards into their Web services applications. Kermaier, an engineering manager at Phaos Technology, illustrated the use of these standards in an end-to-end solution.
XML and Interoperable Security
Kermaier asserts that "XML is the format of choice for Web services, and a large number of protocols have emerged for XML from standards bodies like the W3C, OASIS, and the Liberty Alliance." In fact, the number of standards and protocols is so large and comes from so many disparate sources that making sure Web services of all flavors can talk to each other is a major concern.
"I can't emphasize enough the importance of open standards and interoperability testing to the success of Web services security," stressed Kermaier. "The promise of Web services relies on common standards for locating and accessing resources (WSDL, UDDI, etc.), and Web service security standards will succeed largely to the degree that vendors and developers prioritize interoperability."
To that end, Kermaier used three XML security standards in his demonstration that he believes are fairly mature and well suited to implementing Web services security today:
- XML signature a standard that supports various digital signature configurations (W3C recommendation)
- XML encryption a standard that supports different encryption types (W3C recommendation)
- XML Key Management Specification 2.0 (XKMS) a collection of protocols for key management via a Web service (W3C working draft)