There have been about 30 web services security standards under development. Some think that this is overkill:

“I would hate to see Web services get lost in the security forest,” says John Studdard, senior vice president and CTO for the Virtual Bank in Palm Beach Gardens, Fla. “We are hoping for a simple security model as opposed to something that sounds good but has no chance of ever being implemented.” [NWFusion]


I don’t think this is going to happen. Distributed computing utilising a chain of services over unreliable and insecure infrastructure to get relatively reliable SLAs is a problem that is not easy to resolve. Combine this with the need to communicate with unknown subjects with unknown reputation and you wonder if it’s feasible at all. Still, it will be important for security standards not to stand in the way of bootstrapping. This means having modular security specifications that can be added to the basic protocols as the complexity of use scenarios increases. A mandatory requirement to implement all the XACMLs, WS-Policies, WS-Trusts for a simple and straightforward SOAP implementation between two mutually trusting applications with known semantics would be nonsense.

“We were surprised to see how quickly people were adopting the Web services development tools, but there is an immaturity level that is quickly being realized as people seek security, reliability and quality of service,” says Tyler McDaniel, director of application strategies for Hurwitz. “As a result, there is a pressure on vendors and standards bodies to get security moving faster.”


Yes, for enterprise use of web services, security is a showstopper. Corporations can’t benefit from web services without controlling access. Temporary workarounds, like the use of SSL, can be used just for point-to-point integration, and the user identities cannot be propagated through the whole transaction chain. Then there is a host of would-be standards, from SAML to Kerberos to WS-Security to Liberty Alliance, and who would like to deploy a specification that could soon become obsolete? Everybody is therefore waiting for what the standards churn mill will spill out.
