The Web Services-Interoperability Organization (WS-I) has announced the availability of a public review draft for WS-I Security Scenarios which defines the requirements for and scope of the WS-I Basic Security Profile. Produced by members of the WS-I Basic Security Profile Working Group, this document "is aimed at Web Services architects and developers who are examining the security aspects of the Web Services they are designing/developing."
WS-I Security Scenarios "identifies security challenges [in terms of] general security goals or features that inform the selection of specific security requirements in scenarios. It also identifies the typical threats that prevent accomplishment of each challenge, and identifies the typical countermeasures (technologies and protocols) used to mitigate each threat. The draft documents potential usage scenarios and the security challenges and threats that might apply to each, as derived from the templates found in the Supply Chain Management Use Cases and Scenarios documents." A subsequent draft will address security issues related to attaching material to SOAP messages, as described in the WS-I Attachment Profile 1.0.
WS-I has requested input, suggestions, and other feedback on the draft from a wide variety of industry participants in order to improve its quality over time. It is assumed that the reader has a basic understanding of security technologies such as SSL/TLS, XML encryption, digital signatures, and the OASIS Web Services Security specification.
"WS-I is also currently working on the Basic Security Profile, an interoperability profile involving transport security, SOAP messaging security, and other security considerations implicated by the Basic Profile 1.0. The Basic Security Profile is intended to compose with other WS-I profiles and will reference existing specifications used to provide security, including the OASIS Web Services Security 1.0 specification, and provide clarifications and guidance designed to promote interoperability of those specifications. A Working Group Draft of the Basic Security Profile is expected to be delivered in 2004Q2."
WS-I Security Scenarios. Edited by Mark Davis (Sarvega), Bret Hartman (DataPower), Chris Kaler (Microsoft), Anthony Nadalin (IBM), and Jerry Schwarz (Oracle). From the WS-I Basic Security Profile Working Group. Document Status: Working Group Draft. Version 0.15. February 14, 2004. 52 pages. Work in progress document, copyright (c) 2004 by The Web Services-Interoperability Organization (WS-I) and Certain of its Members.
From the WS-I Announcement
Today, at the thirteenth annual RSA Conference, the world's leading e-security event, the Web Services Interoperability Organization (WS-I) announced the availability of the first Security Scenarios Working Group Draft for public review. Developed by the WS-I Basic Security Profile Working Group, the Security Scenarios document identifies security challenges and threats in building interoperable Web services and countermeasures for these risks. The news was announced today during a media event at RSA featuring Web services security experts from the WS-I Basic Security Profile Working Group.
"The development of the Security Scenarios Working Group Draft is an important step in furthering the progress of Web services and driving customer adoption," said Paul Cotton, Chair of the WS-I Basic Security Profile Working Group. "By enabling Web services architects and developers to identify potential security challenges and threats, they can more easily ensure the successful deployment of their Web services projects and achieve greater levels of interoperability."
"Enterprises that deploy Web services without mature strategies for security will be vulnerable to cyberattacks," said Ray Wagner, Research Director, Information Security Strategies at Gartner. "Web services security decisions are complex, and interoperability is a key challenge. WS-I's guidance, including the Security Scenarios and the forthcoming Basic Security Profile, could be an important factor in the success of enterprises' Web services security initiatives. WS-I can provide much-needed clarity for the practical and pragmatic use of Web services security standards."
Security Challenges, Threats and Countermeasures
The Security Scenarios document describes several security challenges, threats and countermeasures in building interoperable Web services, as well as usage scenarios and solutions, including:
- Challenges: describes several security challenges, including ensuring data integrity, data confidentiality and message uniqueness
- Threats: outlines 10 threats on these challenges, such as message alteration, falsified messages, message replay and denial of service attacks
- Countermeasures: recommends how technologies like HTTPS and OASIS Web Services Security: SOAP Message Security 1.0 can be used to counter some of these threats
- Usage Scenarios and Solutions: describes how these technologies can be used with the Message Exchange Patterns (MEPs) that have been used in WS-I deliverables such as the Basic Profile 1.0 Sample Applications
[February 25, 2004] "WS-I Releases Web Services Security Scenarios." By Elizabeth Montalbano. In CRN (February 25, 2004). "[Hal] Lockhart said there are an infinite number of ways for companies to use standards such as WS-Security and SOAP Message Security 1.0 to secure Web services messages. The WS-I is providing only a sample of those ways in its work, and encourages commentary from the industry on other possible scenarios. 'This activity will form the basis for what we consider to be the basic security profile,' Lockhart said. 'We really want feedback from people about whether this is the right set of scenarios, the right set of choices to make. We hope people will look at this document and feed back to us their reactions in terms of whether we are working on the right problems.' The WS-I plans to release a draft of its Basic Security Profile, which will deal with how to use WS-Security and SOAP Message Security — among other standards — in Web services-based transactions, by the end of March, said Eve Maler, XML architect at Sun and another member of the Security Profile Working Group. The Basic Security Profile builds on the WS-I Basic Profile to propose how to provide security mechanisms around existing Web-services standards. The WS-I's Basic Profile 1.0, released in August, provides guidelines for using several established standards for building Web services — SOAP, WSDL, UDDI and XML Schema. In the future, the Security Profile Working Group will address how to utilize other security standards, such as security assertion markup language (SAML) and Kerberos, with Web services, Maler said..."
[February 26, 2004] "WS-I: Best Security Practices for Web Services." By Susan Kuchinskas. In InternetNews.com (February 25, 2004). The WS-I draft "recommends ways technologies such as HTTPS and SOAP Message Security 1.0 can be used to counter the threats. The document includes scenarios describing how such technologies can be used with Web services Message Exchange Patterns... The WS-I, formed two years ago, is sort of a clean-up batter for other standards organizations. Its charter includes a mandate to take Web standards defined by other organizations and narrow them down to a set of choices that will provide the least likelihood of interoperability problems, said Rich Salz, chief security architect for DataPower and a member of the Basic Security Profile Working Group. 'We cherry-pick the best parts of other technologies,' he said. Hal Lockhart, senior engineering technologist principal for BEA Systems, called the WS-I approach a pragmatic one. 'The idea is to profile how to properly use those standards to achieve what people want to do,' he added. 'We're trying to take basic profiles like SOAP (simple object access protocol) and make sure you can at least protect the messages,' said committee member Eve Maler, standards architect for Sun Microsystems. She said the working group is focused tightly on signing and encrypting messages while making sure the channels through which they flow are also protected, and on tasks that can be accomplished in a reasonable timeframe..."
About the OASIS Web Services Security 1.0 Specification
In January 2004 Kelvin Lawrence (OASIS WSS TC Co-Chair) announced the approval of a set of five documents as "Committee Draft" specifications by the OASIS Web Services Security (WSS) Technical Committee. The WSS Committee Draft documents have also been approved by the TC for submission to OASIS for consideration as OASIS standards. The CDs include Web Services Security: SOAP Message Security 1.0, Web Services Security UsernameToken Profile, and Web Services Security X.509 Certificate Token Profile. They are accompanied by two XML Schemas, documented in the main WSS specification as Appendix A "Utility Elements and Attributes" and Appendix B "SecurityTokenReference Model."
The WSS 1.0 specification "describes enhancements to SOAP messaging to provide message integrity and confidentiality. The specified mechanisms can be used to accommodate a wide variety of security models and encryption technologies. The document also provides a general-purpose mechanism for associating security tokens with message content. No specific type of security token is required, the specification is designed to be extensible (i.e., support multiple security token formats). For example, a client might provide one format for proof of identity and provide another format for proof that they have a particular business certification. Additionally, the WSS specification describes how to encode binary security tokens, a framework for XML-based tokens, and how to include opaque encrypted keys. It also includes extensibility mechanisms that can be used to further describe the characteristics of the tokens that are included with a message."
See details in the earlier news story "OASIS Web Services Security TC (WSS) Approves Committee Draft Specifications."
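As an added illustration, not code from the WS-I scenarios document or the OASIS WSS specification, the Python below shows how one of the countermeasures named above addresses the "message uniqueness" challenge and the message replay threat: a receiver checking a WSS UsernameToken in its PasswordDigest form. The namespace and type URIs are those defined by WSS 1.0 (SOAP Message Security 1.0 and the UsernameToken Profile 1.0, whose digest is Base64(SHA-1(nonce + created + password))); the credential store, the purchase-order body, the fixed clock and the nonce values are constructed for the example. The receiver bounds the wsu:Created timestamp to a freshness window, verifies the digest, and refuses any nonce it has already accepted inside that window, which is what stops a captured message from being resubmitted.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# URIs defined by OASIS WSS 1.0 (SOAP Message Security 1.0 / UsernameToken Profile 1.0).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")

# Hypothetical credential store for the receiving service (constructed for the example).
USERS = {"alice": "constructed-example-password"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_message(username: str, password: str, created: str, nonce: bytes) -> str:
    """Sender side: SOAP envelope with a digest-form UsernameToken (body is constructed)."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce EncodingType="{BASE64_BINARY}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><PurchaseOrder xmlns="urn:example:constructed"><Item>widget</Item></PurchaseOrder></soap:Body>
</soap:Envelope>"""


def parse_created(text: str) -> datetime:
    """wsu:Created is an xsd:dateTime in UTC; accept whole- and fractional-second forms."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable wsu:Created")


class UsernameTokenVerifier:
    """Receiver side: a freshness window plus a nonce cache gives message uniqueness."""

    def __init__(self, users: dict, freshness: timedelta = timedelta(minutes=5)):
        self.users = users
        self.freshness = freshness
        self.seen = {}  # nonce bytes -> Created time of the accepted message that used it

    def verify(self, envelope_xml: str, now=None) -> tuple:
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope_xml)
        token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken"
        username = token.findtext(f"{{{WSSE}}}Username")
        pw = token.find(f"{{{WSSE}}}Password")
        nonce_el = token.find(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if username is None or pw is None or nonce_el is None or created is None:
            return False, "incomplete token"
        if pw.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest accepted"  # cleartext PasswordText is refused
        try:
            created_dt = parse_created(created)
        except ValueError as exc:
            return False, str(exc)
        # The freshness window bounds how long a replay is possible and lets the cache be pruned.
        if abs(now - created_dt) > self.freshness:
            return False, "stale Created"
        nonce = base64.b64decode(nonce_el.text or "")
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.freshness}
        if nonce in self.seen:
            return False, "replayed nonce"
        password = self.users.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw.text or ""):
            return False, "bad digest"
        self.seen[nonce] = created_dt  # remember only messages that actually authenticated
        return True, "ok"


def demo() -> list:
    """Accept, then replay, then tamper, then stale: verdicts at a fixed (constructed) clock."""
    verifier = UsernameTokenVerifier(USERS)
    now = datetime(2004, 2, 25, 12, 0, 0, tzinfo=timezone.utc)
    created = "2004-02-25T12:00:00Z"
    nonce = bytes(range(16))  # constructed; a real sender draws a fresh random nonce per message
    msg = build_message("alice", USERS["alice"], created, nonce)
    return [
        verifier.verify(msg, now),                                                     # accepted
        verifier.verify(msg, now + timedelta(seconds=30)),                             # same nonce again
        verifier.verify(build_message("alice", "wrong", created, b"\x99" * 16), now),  # digest mismatch
        verifier.verify(msg, now + timedelta(minutes=10)),                             # outside the window
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The nonce is recorded only after the digest verifies, so an unauthenticated sender cannot fill the cache with nonces to block legitimate messages; the freshness window keeps the cache bounded, because any message older than the window is rejected on its timestamp before the cache is consulted. Replay protection of this kind covers the UsernameToken itself; protecting the body against alteration in transit is the separate integrity challenge, met by an XML signature over the body or by HTTPS on the channel.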
About the Web Services-Interoperability Organization (WS-I)
"WS-I is an open, industry organization chartered to promote Web services interoperability across platforms, operating systems, and programming languages. The organization works across the industry and standards organizations to respond to customer needs by providing guidance, best practices, and resources for developing Web services solutions.
WS-I was formed specifically for the creation, promotion, or support of Generic Protocols for Interoperable exchange of messages between services. Generic Protocols are protocols that are independent of any specific action indicated by the message beyond actions necessary for the secure, reliable, or efficient delivery of messages; 'Interoperable' means suitable for and capable of being implemented in a neutral manner on multiple operating systems and in multiple programming languages..." [from the WS-I home page]
- Announcement: "WS-I Publishes Web Services Security Interoperability Guidelines. Security Scenarios Outline Challenges, Threats and Countermeasures."
- WS-I Security Scenarios. WS-I Working Group Draft. February 14, 2004.
- Feedback: send email to firstname.lastname@example.org
- WS-I Technical documents
- Supply Chain Management Use Case Model
- Attachments Profile Version 1.0
- WS-I implementation tools
- WS-I web site
- Earlier WS-I news:
- "Sun Announces J2EE V1.4 Support for WS-I Compliant Web Services Applications."
- "WS-I Releases Basic Profile 1.0a Final Specification for Interoperable Web Services."
- "Java Web Services Developer Pack V1.2 Supports WS-I, WS-Security, and UBL Applications."
- "WS-I Charters Basic Security Profile Working Group (BSPWG)."
- "WS-I Publishes Supply Chain Management Candidate Review Drafts."
- "IBM and Microsoft Announce Web Services Interoperability Organization (WS-I)."
- "Web Services Interoperability Organization (WS-I)" - Main reference page.