Web Services Trust

Resources

White Papers and Articles
  • Web Services Platforms
    • A Platform for Web Services - this article presents the Microsoft view of how applications will be built using Web Services.
    • The Tao of e-business services - this IBM article stresses the importance of business categorizations or taxonomies for enabling the dynamic discovery that is at the heart of Web Services.
    • The Sun™ Open Net Environment (Sun ONE) - Sun's ONE initiative stresses the importance of 'Smart Services': context-sensitive Web services that are capable of taking advantage of information about identity, role, location, time, profiles, constraints, and other criteria associated with a Web service request.
    • Bowstreet™ Business Web Factory - describes how Business Webs can be built from varied and distributed component Web services through a 'plug-and-play' interface.

Frequently Asked Questions

What are Web Services?

Web Services are self-contained, modular applications that can be described, published, located, and invoked over a network, generally, the World Wide Web. Web services perform functions for applications and other Web services, which can be anything from simple requests to complicated business processes. Web services, through their loose-coupling and dynamic binding, insulate applications from the complexity and details of other components, creating systems that are more amenable to change.

Microsoft, Sun, HP, and IBM have all announced their own vision of what a Web services platform looks like (respectively .Net, ONE, eSpeak, and IBM Web Services). They all share, to varying degrees, a standards foundation and the concept of applications dynamically discovering and interacting with other applications to achieve some computing task. What they also all share, in their current versions, is a limited recognition of the importance of security to Web services.

The fact that Web Services will use the inherently insecure Web for possibly mission-critical business transactions, together with the possibility of short-lived dynamic business relationships, means that enabling trust for Web services, e.g. ensuring that a business entity is indeed who they claim to be or that a transaction is confidential, poses challenges for a Web services Trust architecture.

What is Entrust's Web Services Trust Framework?

The Web Services Trust Framework provides a conceptual infrastructure for the integration of trust into the Web Services model (see above for a definition of Web Services) of business application development and architecture. The framework categorizes the various XML standards as supporting one of Trusted Messaging, Trust Services, or Trust Context.

What are Trusted Messages?

Businesses will interact with the Web Services of partners through the exchange of XML messages, e.g. a purchase order. Trusted Messages are these XML business documents once they have been appropriately signed, encrypted, timestamped, etc., such that the business transaction to which they contribute can be trusted. XML Signature and XML Encryption are the core standard building blocks on which Trusted Messages will be built.

What are Trust Services?

A Trust Service is a Web Service that other Web Services will invoke to enable trust for their own transactions. Trust Services will deliver the core security functions, e.g. signing, encryption, time-stamping, and the accompanying administrative functions, e.g. key registration, revocation, validation, that other Web Services will require if they are to guarantee the trust of their transactions. XKMS (see description below) is the first proposed standard for such a Trust Service.

What is Trust Context?

Although the fundamental flow of information between participants is the actual XML business document, this will typically be insufficient to enable trust in the transaction. Trust context is all the additional information, e.g. an assertion from a financial institution regarding the buyer's creditworthiness, that may need to be shared between the participants to ensure that the transaction can be trusted. SAML (see description below) is the first such proposed standard for Trust Context.

What is XML?

XML is the standard messaging format for business communication, allowing companies to connect their business systems with those of customers and partners using the existing Internet infrastructure. Web Services are built on a model of request/response messages that use XML syntax.

What is XML Signature?

The XML Signature proposal, of which Entrust is a co-author, specifies how to digitally sign XML documents (and other data formats) at levels of granularity down to individual elements. The resultant signature is captured in XML syntax. The ability to sign individual elements within an XML message rather than the complete message will be a critical feature for supporting multistage workflow processes in which an XML message is modified at each stage. XML Signature has advanced to W3C/IETF Candidate Recommendation stage.
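The element-level signing described above, as an added illustration that is not part of the original page or of any Entrust product: a detached signature is computed over only the <Items> element of a constructed purchase order, so a later workflow stage can append an <Approval> element without invalidating it, while any change inside <Items> does. The Signature/SignedInfo/Reference structure is a simplified, un-namespaced sketch of XML Signature, and HMAC-SHA256 with a shared key is assumed in place of the asymmetric signature and <ds:KeyInfo> a real deployment would use.

```python
import base64, copy, hashlib, hmac, xml.etree.ElementTree as ET

# Constructed sample: <Items> carries an Id so a Reference URI="#items" can point at it.
PURCHASE_ORDER = ('<PurchaseOrder><Items Id="items"><Item sku="A-100" qty="2"/>'
                  '<Item sku="B-200" qty="1"/></Items><Buyer>Example Corp</Buyer></PurchaseOrder>')
# Assumption: HMAC-SHA256 stands in for the RSA signature (plus <ds:KeyInfo>) a real deployment would use.
SHARED_KEY = b"constructed-demo-key"

def canon(elem):
    """C14N 2.0 (Python 3.8+ stdlib) of one subtree, ignoring its tail text."""
    elem = copy.deepcopy(elem); elem.tail = None
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def find_by_id(root, elem_id):
    return next(e for e in root.iter() if e.get("Id") == elem_id)

def sign_element(xml_text, elem_id, key=SHARED_KEY):
    """Append a Signature whose single Reference covers only element elem_id."""
    root = ET.fromstring(xml_text)
    digest = hashlib.sha256(canon(find_by_id(root, elem_id))).digest()
    info = ET.Element("SignedInfo")
    ref = ET.SubElement(info, "Reference", URI="#" + elem_id)
    ET.SubElement(ref, "DigestValue").text = base64.b64encode(digest).decode()
    mac = hmac.new(key, canon(info), hashlib.sha256).digest()  # signature is over SignedInfo
    sig = ET.SubElement(root, "Signature"); sig.append(info)
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")

def verify(xml_text, key=SHARED_KEY):
    """Check SignatureValue over SignedInfo, then every referenced element's digest."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature"); info = sig.find("SignedInfo")
    mac = hmac.new(key, canon(info), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, base64.b64decode(sig.findtext("SignatureValue"))):
        return False
    for ref in info.findall("Reference"):
        digest = hashlib.sha256(canon(find_by_id(root, ref.get("URI")[1:]))).digest()
        if not hmac.compare_digest(digest, base64.b64decode(ref.findtext("DigestValue"))):
            return False
    return True

def add_approval(xml_text, approver):  # later workflow stage, outside the signed element
    root = ET.fromstring(xml_text)
    ET.SubElement(root, "Approval", by=approver)
    return ET.tostring(root, encoding="unicode")

def tamper_items(xml_text):  # edit inside the signed element: Items digest no longer matches
    root = ET.fromstring(xml_text)
    find_by_id(root, "items")[0].set("qty", "200")
    return ET.tostring(root, encoding="unicode")
```

Note that the approval stage is still unsigned here; in a real multistage workflow each stage would add its own Signature over the elements it is responsible for.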

What is XML Encryption?

The XML Encryption proposal specifies a process for encrypting digital content (including but not exclusive to XML) and an XML syntax for the encrypted content and appropriate required information that enables an intended recipient to decrypt it. The ability to encrypt only specific elements within an XML message enables non-sensitive processing of the XML, something impossible if the complete XML message were encrypted. Entrust co-authored the XML Encryption Proposal that has since been submitted to a W3C Working group.

What is SOAP?

The Simple Object Access Protocol is a lightweight XML protocol for the exchange of information in a general distributed environment and more specifically, in the Web Services architecture. SOAP provides a standardized XML envelope for the Web Service specific payloads by which services are invoked and how they return their service results. SOAP also defines a set of encoding rules for expressing instances of application-defined datatypes.

What is UDDI?

UDDI (Universal Description, Discovery, and Integration) is a specification for distributed Web-based business information registries. Companies publish descriptions of the services they offer, along with instructions on how the services are invoked, to the registry such that other companies can discover, and ultimately, use them.

What is WSDL?

Web Services Description Language is an XML syntax for describing what a Web service can do, where it resides, how to invoke it, and what it will return. By loading and parsing a service's WSDL document in real time, a service requestor can 'late-bind' to the service, ensuring that the latest version of the service can be appropriately invoked.

What is XKMS?

XKMS (XML Key Management Service) is a proposed standard for the enrollment and subsequent management of keys. Rather than integrating complicated PKI key management functionality into applications through 'toolkits', XKMS enables the outsourcing of this PKI functionality to remote Trust services. The application developer need only know how to create/process the appropriate XML messages with which the remote services are invoked.

What is SAML?

Many Web services transactions will require trust information (additional to the actual application-specific message payload) to be shared between requestor and provider to determine the trust context, e.g. is the requestor who they claim to be. SAML (Security Assertion Markup Language) is a standard for the exchange of authentication and authorization information between trust domains. The OASIS Security Services Technical Committee that ratified SAML as an OASIS Open Standard used as input multiple contributions including S2ML and AuthXML. Entrust is a member of the OASIS SS TC and co-chairs the Protocols and Core Assertions sub-groups within the TC.
