I am taking the liberty (pun intended) to change the subject of the thread to
reflect the focus on secure web services.
I support Mark's comments below. I see Liberty, OASIS SAML, OASIS
Web Services Security (WSS) and OASIS XACML
as key specs to support in our work to demonstrate Secure Web Services
using established standards rather than proprietary
alternatives. This should be as non-controversial as motherhood and
apple pie, I hope :-).
This is the only way for multiple products to interoperate and to avoid
vendor lock-in.
--
Regards,
Farrukh
Mark O'Neill wrote:
> Just a short email to add to some of the points in this email thread
>
> - Amazon should certainly be commended for making authenticated Web Services
> live, but I wouldn't recommend copying their authentication model. They have
> re-invented some items which are present in WS-Security, for example the
> UsernameToken. I spoke about this at the RSA conference - see slides 33 to
> 36 in this slide deck for some analysis of Amazon's authentication model
> (http://www.vordel.com/downloads/rsa_conf_2006.pdf) . Putting tokens into
> proprietary fields in the XML, and using these for authentication is, in my
> view, a re-invention of the WS-Security wheel.
>
> - Vordel's products are being used for management and security of
> inter-departmental Web Services for a European govt. My lessons, from
> working on the implementation of this, were that: (1) A variety of
> authentication methods should be provided to the client: from HTTP-Auth over
> SSL up to WS-Security token-based Auth. You can always give varying access
> depending on the authN that was used, but my lesson was that you can't force
> one particular AuthN method on the client [unless your architecture includes
> an "onramp" client-side device like they have in the UK with their "DIS
> box"]. (2) Following AuthN, you must insert tokens into the messages in
> order to persist the security context. This is where SAML and WS-Federation
> come into play. In the case of some platforms, such as WebLogic, these
> tokens can be used to pass the user context (and/or Roles etc) to the actual
> Web Service endpoint. (3) PKI integration and, just as important, Web Access
> Control policy server integration is vital.
>
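For reference, this is what the WS-Security UsernameToken that Mark contrasts with Amazon's proprietary fields looks like on the wire and how a receiver checks it. It is an added example, not code from the original thread, from Vordel, or from Amazon. It builds the PasswordDigest form of the token exactly as the OASIS WSS UsernameToken Profile defines it, PasswordDigest = Base64(SHA-1(nonce + created + password)), and verifies it with the two receiver-side checks the profile expects but does not do for you: a freshness window on wsu:Created and a nonce cache so a captured token cannot be replayed. The usernames, passwords, timestamps and helper names are illustrative assumptions.

```python
"""
WS-Security UsernameToken (PasswordDigest variant): build and verify.

Per the OASIS WSS UsernameToken Profile:
    PasswordDigest = Base64( SHA-1( nonce + created + password ) )
where nonce is the raw (Base64-decoded) nonce bytes, created is the
wsu:Created timestamp string and password is the shared secret.
Added example; all names and sample credentials are assumptions.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # whole-second UTC timestamps (fractions are allowed by WSS but not used here)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """The profile's digest: SHA-1 over raw nonce bytes, then Created, then the password."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def build_username_token(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Client side: return a <wsse:Security> header carrying a digest UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)       # fresh per message
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE})
    pw.text = password_digest(nonce, created, password)           # password itself never leaves the client
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: recompute the digest and enforce freshness and single use of the nonce."""

    def __init__(self, users: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.users = users            # username -> password (assumed credential store)
        self.max_skew = max_skew      # tolerated clock skew / token lifetime
        self.seen_nonces = set()      # (username, nonce) pairs already accepted

    def verify(self, header_xml: str, now: datetime = None) -> tuple:
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(header_xml)
        tok = root.find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE or not (nonce_b64 and created):
            return False, "PasswordDigest token must carry Password, Nonce and Created"
        try:
            created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "unparseable Created"
        if abs(now - created_dt) > self.max_skew:                  # stale or far-future token
            return False, "Created outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if (username, nonce) in self.seen_nonces:                  # same token seen before
            return False, "replayed nonce"
        expected = password_digest(nonce, created, self.users.get(username, ""))
        # Constant-time compare; unknown users still go through the digest to keep timing uniform.
        if username not in self.users or not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "bad credentials"
        self.seen_nonces.add((username, nonce))                    # only accepted tokens are cached
        return True, "ok"


if __name__ == "__main__":
    hdr = build_username_token("alice", "s3cret")
    print(hdr)
    print(UsernameTokenVerifier({"alice": "s3cret"}).verify(hdr))
```

Everything a receiver needs to check the token is inside the standard wsse/wsu elements, which is the interoperability point: any WS-Security-aware gateway or toolkit can validate it without knowing anything about the service that issued it. The nonce cache here is in-process; a clustered deployment needs it shared, and its retention only has to cover the freshness window.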
_________________________________________________________________
Subscribe/Unsubscribe/Config: http://colab.cim3.net/mailman/listinfo/soa-forum/
Shared Files: http://colab.cim3.net/file/work/soa/
Community Portal: http://colab.cim3.net/
Community Wiki: http://colab.cim3.net/cgi-bin/wiki.pl?AnnouncementofSOACoP