Web Services Interoperability Organization Releases a Basic Security Profile

Apr 08, 2007

by Russel Madere

On Tuesday, April 3, 2007 I attended a webcast press briefing by the Web Services Interoperability Organization (WS-I), where they announced the release of their Basic Security Profile. The event was primarily a high-level view of the Basic Security Profile, but also provided background information on the organization and their work. There were three presenters: Anne Thomas Manes (Vice President and Research Director, Burton Group), Michael Bechauf (President and Chair, WS-I) and Paul Cotton (Chair, Basic Security Profile Working Group, WS-I).

Manes opened the conference by discussing the need for the work of WS-I. The current web service standards can be confusing, especially when applied to interoperability and security. WS-I clears up this confusion by publishing their profiles.

Bechauf then provided more detailed information on the WS-I, explaining that the goal of the organization is to give practical guidance on implementing the various standards, suggest best practices and provide additional resources for implementation. Its primary product is a series of profiles which take the published IETF and OASIS (Organization for the Advancement of Structured Information Standards) standards and discuss practical implementations.

These profiles provide guidelines and conventions for the implementations. A good description is that the profile limits or removes optionality for assorted features. Additionally, the profiles are designed to meet customer requirements, as defined by the assorted WS-I working groups. The WS-I Sample Applications and Testing Tools Working Groups also provide sample code, implementation and test cases for the profiles. Finally, no profile is considered final until there are at least four "real world" implementations available.

The announced profile, the Basic Security Profile 1.0, was the product of the Basic Security Profile Working Group. The profile is based upon their Basic Profile 1.0 and 1.1 and the Simple SOAP Binding Profile 1.0.

Additionally, Bechauf said that the WS-I is pursuing ISO Standard certification on their profiles. The Basic Profile 1.0 and 1.1 were submitted in August 2006.

Cotton stepped up to provide specific information on the Basic Security Profile (BSP). His working group had three deliverables: the Security Challenges, Threats and Countermeasures document, the Basic Security Profile 1.0 on WSS 1.0 and the Basic Security Profile 1.1 on WSS 1.1. Of these, the Security Challenges, Threats and Countermeasures document and the Basic Security Profile 1.0 have been finalized.

The BSP is available on the WS-I web site, and covers Transport Layer Security, the OASIS Web Service Security 1.0 Core, WSS 1.0 tokens (username, X.509, REL and SAML), WSS 1.1 tokens (Kerberos), XML signatures and XML encryption.

The BSP is a general implementation with a number of options. However, the working group tried to take all of the MAY and SHOULD statements from WSS 1.0 and turn them into MUST statements. They applied the same process to the normative associated documents and the WSS tokens, including the WSS 1.1 Kerberos token. To bring the BSP into alignment with the Attachments Profile, they profiled SOAP with Attachments 1.1. They provided an extensive list of security considerations, and the BSP addresses the "Out of Scope" extensibility points.

Cotton said his working group will continue to work on the BSP Errata 1.0 and to complete the BSP 1.1, and will continue to collaborate with Sample Applications and the Testing Tools Working Groups on version 1.1 tools and applications.

Manes concluded the webcast by explaining the importance of web service security and interoperability. The Basic Security Profile can be used as a blueprint to implement the assorted security options. There is no one way to do this, but she suggested using both Transport (SSL) and Application (WSS token) security.

The presentation was followed by a brief question and answer session. Only two questions were asked, and both were technical questions concerning the BSP working with other standards or profiles, specifically the WS-I Reliable Secure Profile (RSP) and the RosettaNet Multiple Messaging System (MMS). The answers provided the most applicable information of the webcast.

The BSP and the RSP are different, distantly-related profiles. The BSP deals exclusively with securing access to a web service while the RSP deals with securing the conversation between a web service and a consumer. The two profiles are meant to work together with the Basic Profile to guarantee interoperability and eliminate ambiguity in the standards.

The MMS describes how to conduct Business to Business transactions. It seems to be an attempt to replace the RosettaNet RNIF protocol with web services. The MMS would rely on the BSP to conduct the transactions across the different proprietary RosettaNet formats. More information on the MMS can be found on the RosettaNet website.

This question led to the most important revelation of the webcast, that B2B transactions with web services would rely on the WS-I Basic Profile, BSP and RSP to guarantee secure and reliable data exchange.

Though the press briefing lacked a great deal of technical detail, it provided enough to tantalize me. I would recommend that any developer needing to produce a secured web service read the Security Challenges, Threats and Countermeasures document and the Basic Security Profile 1.0 on WSS 1.0.

Links:

Web Services Interoperability Organization
Security Challenges, Threats and Countermeasures document
Basic Security Profile 1.0 on WSS 1.0
Basic Security Profile Working Group Deliverables
WS-I Press Briefing Recording on Basic Security Profile Announcement
Organization for the Advancement of Structured Information Standards


Russel Madere has been a web developer for over a decade and has been using ColdFusion for 9 years. After being relocated by Hurricane Katrina, he expanded his horizons to include desktop and .Net application development. He is currently helping consolidate his development team with the AT&T Procurements and Systems Performance development team after the recent AT&T/BellSouth merger.
