Making Web Services Secure: WS-Security

The hottest buzzword on the Web these days is Web services. (As evidence, Google today had almost 2 million hits on that phrase.) The promise of Web services is wonderful: cross-platform object and method invocation that makes the Internet one big, componentized software application. It's nowhere near that simple, of course, but it certainly opens up plenty of new ways to build distributed applications.

One of the many issues with Web services is security. At a basic level, Web services have the same problems and solutions as regular Web applications, since both generally use HTTP over the network. SSL and the usual forms of authentication are available to Web services, but the situation is really quite different: a client does not request an HTML page from a Web service, it requests data or information, and that machine-to-machine exchange opens up plenty of new issues.

Microsoft has been talking lately about federated identity, which they define as "the technology and business arrangements necessary for the interconnecting of users, applications, and systems. This includes authentication, distributed processing and storage, data sharing, and more."

In order to achieve federated identity, you have to bridge trust across systems and bridge the systems themselves. Microsoft's proposed solution, developed together with IBM and VeriSign, is the WS-Security specification. WS-Security defines a standard set of SOAP extensions that can implement integrity and confidentiality in Web services applications. It provides standard mechanisms to exchange secure, signed messages in a Web services environment, and provides a foundation layer that helps developers build more secure and broadly interoperable Web services.
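To make the "SOAP extensions" concrete, here is an added example (not code from the column, Microsoft, IBM or VeriSign) of the simplest WS-Security building block: a wsse:Security header carrying a UsernameToken, with the client computing a nonce-and-timestamp password digest and the server recomputing it, rejecting stale timestamps and replayed nonces. It assumes the header layout and digest rule of the later OASIS UsernameToken Profile (Base64(SHA-1(nonce + created + password))); the user, password and body are constructed sample data.

```python
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile rule: Base64(SHA-1(raw_nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(user, password, body_xml, nonce_b64=None, created=None):
    """Client side: SOAP envelope whose wsse:Security header carries a digest UsernameToken."""
    nonce_b64 = nonce_b64 or base64.b64encode(secrets.token_bytes(16)).decode()
    created = created or datetime.now(timezone.utc).strftime(FMT)
    digest = password_digest(nonce_b64, created, password)  # the cleartext password never leaves the client
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><soap:Header>'
            f'<wsse:Security soap:mustUnderstand="1"><wsse:UsernameToken><wsse:Username>{escape(user)}'
            f'</wsse:Username><wsse:Password Type="{DIGEST}">{digest}</wsse:Password><wsse:Nonce>'
            f'{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created></wsse:UsernameToken>'
            f'</wsse:Security></soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>')


def verify_token(envelope_xml, lookup_password, seen_nonces, now=None, max_skew=300):
    """Server side: recompute the digest; reject stale Created stamps and replayed nonces."""
    tok = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
    pw = tok.find(f"{{{WSSE}}}Password") if tok is not None else None
    if pw is None or pw.get("Type") != DIGEST:  # accept only the digest form, never cleartext PasswordText
        return False
    nonce, created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
    secret = lookup_password(tok.findtext(f"{{{WSSE}}}Username"))
    ref = datetime.strptime(now, FMT) if now else datetime.now(timezone.utc).replace(tzinfo=None)
    try:
        age = abs((ref - datetime.strptime(created or "", FMT)).total_seconds())
        expected = password_digest(nonce or "", created, secret or "")
    except ValueError:  # malformed timestamp or nonce
        return False
    if (not (nonce and secret) or nonce in seen_nonces or age > max_skew
            or not secrets.compare_digest(expected, pw.text or "")):
        return False
    seen_nonces.add(nonce)  # remember the nonce so the same token cannot be replayed
    return True
```

The token authenticates the sender only; it does not sign or encrypt the body, which is what the XML Signature and XML Encryption parts of WS-Security add on top.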

That's a pretty tall order, particularly for what is currently a mere 20-page specification. There are actually several other specifications that you can use to make a Web services world secure:

* WS-Policy defines how to express the capabilities and constraints of security policies.

* WS-Trust describes the model for establishing both direct and brokered trust relationships (including third parties and intermediaries).

* WS-Privacy defines how Web services state and implement privacy practices.

* WS-SecureConversation describes how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys.

* WS-Federation describes how to manage and broker trust relationships in a heterogeneous federated environment, including support for federated identities.

* WS-Authorization defines how Web services manage authorization data and policies.

That's quite a mouthful, not to mention a lot of specifications. Shortly, I'll continue looking at what WS-Security means.
