Good summary. I have a similar entry in my blog titled "Security in
SOA" at www.soastudio.com
I think there was a discussion on this group on SOA definition. I
have my own say on what SOA is in my blog at the same site.
http://www.soastudio.com/
Regards, Dico
--- In [email protected], "Gervas Douglas" <[EMAIL PROTECTED]> wrote:
>
> <<Which standards exist for end-to-end security in service-oriented
> architecture?
> This question posed on 06 February 2006
>
> To answer this, first let me define what I mean by end-to-end
> security. Let me use an example where A passes a message to B which
> passes a message to C. End-to-end security is security which applies
> across the entire chain from A to C. If we looked at SSL for a moment,
> SSL is a transport-level security protocol, so it could give you
> security from A to B, and security from B to C, but not from A to C.
> That is, the A to B security is entirely separate from the B to C
> security.
>
> In terms of end-to-end security standards, there are a number of
> different parts of the security puzzle to consider:
> # Identity (who the caller is). There are a number of standards for
> end-to-end identity (typically referred to as single-sign-on or
> identity management). The most common is SAML ("security assertion
> markup language"). Many large vendors and customers are adopting SAML.
> Beyond SAML, there is also Kerberos (where the Kerberos "tokens" would
> be transmitted in a WS-Security envelope). The use of Kerberos becomes
> important and valuable because Kerberos is the "native" security
> mechanism of Windows. So, if you have Windows desktops, you are
> probably already using Kerberos. Note that identity can be used
> actively in order to authorize use of the services in the "chain" or
> passively to track who is doing what for auditing purposes.
> # Privacy. End-to-end privacy makes it possible for A to send
> information to C without B being able to read it (even though B is in
> the middle of the message flow). The key standards for end-to-end
> privacy are XML Encryption together with WS-Security. XML Encryption
> lets you encrypt part or all of a message payload, and only those who
> have the right keys can decrypt it. So, you can choose to encrypt only
> the most sensitive information in the message. However, a middleman
> (such as B) can still act on the parts of the message which are not
> encrypted.
> # Integrity. End-to-end integrity ensures that the message is not
> tampered with anywhere from A to C. The key standards for end-to-end
> integrity are XML Signature and WS-Security. As with XML Encryption,
> you can choose to sign part or all of the message payload. Anyone who
> has access to the sender's public key can validate that the message
> has not been tampered with.
>
> Beyond these three key areas, you may also consider how to have
> central control over authentication, authorization, auditing, etc.
> This is typically the realm of vendor-specific products. There are few
> standards in these areas, the one exception being XACML ("XML access
> control markup language"), whose adoption as a universal standard is
> still uncertain.>>
>
> You can find this at:
>
> <http://searchwebservices.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid26_gci1164360_tax292927,00.html?track=NL-305&ad=542320&ad=542314>
>
> Gervas
>
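The A -> B -> C scenario from the quoted answer, as an added example that is not part of either post: A encrypts only the sensitive field for C and signs the whole message, B reads the clear routing fields and forwards, and C verifies the signature before decrypting. It models XML Encryption and XML Signature with Python standard-library stand-ins (an HMAC-SHA256 keystream instead of AES, and an HMAC instead of a public-key signature); the keys are assumed pre-shared between A and C, and B holds neither. The element names, key sizes and field values are all constructed for the illustration.

```python
"""Toy model of end-to-end message security across A -> B -> C.

Added illustration, not code from the original thread. Stand-ins for the
standards named in the post (all assumptions of this example):
  - XML Encryption  -> a keystream cipher derived from HMAC-SHA256 (toy only,
                       not a real cipher; shows selective field encryption)
  - XML Signature   -> HMAC-SHA256 over the canonical message (a real XML
                       Signature would use the sender's public key)
Keys are pre-shared between A and C; the intermediary B holds neither.
"""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes of keystream (toy cipher core)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes):
    """Return (nonce, ciphertext) for the encrypted part of the message."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce, bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def canonical(root) -> bytes:
    """Serialize every child except <Signature>, in document order.

    This is the covered content of the signature: routing fields in the
    clear plus the encrypted blob, so any change by B is detectable at C.
    """
    return b"".join(ET.tostring(c) for c in root if c.tag != "Signature")


def a_build_message(enc_key: bytes, sig_key: bytes, destination: str,
                    account: str, amount: int) -> str:
    """A: encrypt only the account number for C, then sign the whole message."""
    root = ET.Element("Message")
    routing = ET.SubElement(root, "Routing")
    ET.SubElement(routing, "To").text = destination       # B needs this in the clear
    ET.SubElement(routing, "Amount").text = str(amount)   # B may act on this too
    nonce, ct = encrypt(enc_key, account.encode())
    enc = ET.SubElement(root, "EncryptedData")
    enc.set("nonce", nonce.hex())
    enc.text = ct.hex()
    sig = ET.SubElement(root, "Signature")
    sig.text = hmac.new(sig_key, canonical(root), hashlib.sha256).hexdigest()
    return ET.tostring(root, encoding="unicode")


def b_route(message: str):
    """B: read the clear routing field and forward the message unchanged."""
    root = ET.fromstring(message)
    return root.findtext("Routing/To"), message


def b_tamper(message: str, new_amount: int) -> str:
    """A misbehaving B rewrites a clear field; C must notice."""
    root = ET.fromstring(message)
    root.find("Routing/Amount").text = str(new_amount)
    return ET.tostring(root, encoding="unicode")


def c_receive(enc_key: bytes, sig_key: bytes, message: str):
    """C: verify integrity end to end first, then decrypt the private part.

    Returns the decoded fields, or None when the signature does not verify.
    """
    root = ET.fromstring(message)
    expected = hmac.new(sig_key, canonical(root), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, root.findtext("Signature") or ""):
        return None
    enc = root.find("EncryptedData")
    account = decrypt(enc_key, bytes.fromhex(enc.get("nonce")),
                      bytes.fromhex(enc.text)).decode()
    return {"to": root.findtext("Routing/To"),
            "amount": int(root.findtext("Routing/Amount")),
            "account": account}


if __name__ == "__main__":
    # Constructed demo keys and values.
    enc_key, sig_key = os.urandom(32), os.urandom(32)
    msg = a_build_message(enc_key, sig_key, "payments.example", "ACCT-1234", 100)
    to, forwarded = b_route(msg)
    print("B routes to", to, "and cannot see the account:", "ACCT-1234" not in msg)
    print("C accepts:", c_receive(enc_key, sig_key, forwarded))
    print("C rejects tampering:", c_receive(enc_key, sig_key, b_tamper(msg, 10**6)))
```

The point the quoted answer makes about the middleman falls out of the data flow: B can route on `<To>` and `<Amount>` without either key, the account number never appears in clear anywhere on the B hop, and because the signature covers the clear fields as well as the ciphertext, a change B makes to `<Amount>` fails verification at C even though B could read it.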
