Kermaier said, "making sure that your keys are securely stored and accessed, particularly in a distributed service deployment, is crucial. In a similar vein, implementers must carefully consider how sensitive data is stored and retrieved by the Web service." XKMS is the standard that addresses these imperatives.
XKMS locates signer or recipient public keys, validates public key certificates, and supports core PKI functions such as key pair generation. Because it is delivered as a Web service, XKMS moves all of these functions out of the application domain and into a service the application queries.
As an example of where key management comes into play for the Web service developer, Kermaier offered the following scenario: "a distributed J2EE application using stateful session beans with container-managed state needs to be designed to make sure that secrets and keys are not unexpectedly serialized in ways that expose the data inappropriately. It is these kinds of implementation details that present a challenge to the developer who needs to incorporate strong security into Web services."
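To illustrate the serialization hazard in that scenario, the following is an added Java example, not code from the article or from any project it mentions: a session-state class whose key field is written out by default Java serialization, alongside a hardened form that marks the key transient and persists only an opaque key identifier. Class, field and method names are assumed.

```java
import java.io.*;
import javax.crypto.KeyGenerator;

// Hypothetical conversational state for a stateful session bean (assumed names).
// Default Java serialization writes every non-transient field, including the key,
// so container passivation would copy the raw key bytes to disk or to another node.
class LeakySessionState implements Serializable {
    private static final long serialVersionUID = 1L;
    String user;
    byte[] sessionKey;          // serialized verbatim when the container passivates the bean
}

// Hardened form: the key is transient, so passivation never writes it; on activation
// the bean must resolve keyId through the key service instead of reading the key back.
class SafeSessionState implements Serializable {
    private static final long serialVersionUID = 1L;
    String user;
    transient byte[] sessionKey;
    String keyId;               // only an opaque reference to the key is persisted

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        sessionKey = null;      // never trust a key from the stream; re-fetch it by keyId
    }
}

public class SerializationCheck {
    // Returns true if the raw key bytes appear verbatim in the serialized form.
    static boolean keyLeaks(Serializable state, byte[] key) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(state); }
        byte[] blob = bos.toByteArray();
        outer:
        for (int i = 0; i + key.length <= blob.length; i++) {
            for (int j = 0; j < key.length; j++) if (blob[i + j] != key[j]) continue outer;
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = KeyGenerator.getInstance("AES").generateKey().getEncoded(); // constructed sample key
        LeakySessionState leaky = new LeakySessionState(); leaky.user = "alice"; leaky.sessionKey = key;
        SafeSessionState safe = new SafeSessionState(); safe.user = "alice"; safe.sessionKey = key; safe.keyId = "key-ref-1";
        System.out.println("leaky state exposes key bytes: " + keyLeaks(leaky, key));
        System.out.println("safe state exposes key bytes:  " + keyLeaks(safe, key));
    }
}
```

The same check can be run against any bean or DTO a container may passivate or replicate, which is a cheap way to catch a key that was accidentally left in a serializable field.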
Authentication and Identity Management
Kermaier cited SAML and Project Liberty as solutions for authentication and identity management in the Web services space. SAML offers a flexible, extensible, and abstract framework for businesses and Web services to exchange security information about their users. Project Liberty, which Kermaier calls "a giant step toward achieving interoperability goals in the realm of authentication and identity management," uses SAML to define several profiles that developers can use to implement single sign-on and federated identity for their users.
Interoperability Is Key
Looking down the road of Web services security development, which developers, standards bodies, and vendors have only just begun to travel, Kermaier places interoperability above all other goals. "The key to successfully applying Web services security protocols will be interoperability. If implementers adhere to the open standards and participate in industry interoperability testing, the higher-level security protocols built on XML signatures and encryption will have a much better chance of reaching maturity and widespread adoption."