WS SECURITY SPECS ADVANCE; DEUTSCHE BANK PRESENTS SECURE WS APP
By Alan J. Weissberger, Contributing Editor

I. Summary

At the Nov. 2-4 meeting of the Web Services Interoperability (WS-I) Organization, excellent progress was made on several WS Basic Security Profile specifications, sample applications and test tools. When packaged together, these will be used (by vendors, systems integrators, and users) to provide the underlying security functionality for GGF compliant Grid computing.

In a Technical Showcase presentation on how member companies are using WS-I deliverables, Deutsche Bank (DB) described a Web services application running on their enterprise Grid of servers. DB's use cases were later presented to the Sample Apps WG, which will include them in future sample applications demonstrating the WS-I Basic Security Profile. End users from BT, IBM, Ford Motor, Daimler Chrysler, Fidelity Investments also participated at this productive and stimulating WS-I meeting

II. WS-I Background

The WS-I Organization mission is to generate specifications that provide vendors, system integrators and developers with guidelines for creating interoperable Web Services solutions. Working with standards from W3C and OASIS TC's, the WS-I organization creates three pillars for each of its activities: profiles, sample applications and test tools. Each of these has its own WS-I Working Group (WG). WS-I has three plenary or "community" meetings per year, with interim meetings scheduled by each WG separately, based on their respective workloads.

More information on WS-I may be obtained from www.ws-i.org/.

WS-I has already published Basic Profiles 1.0 and 1.1, SOAP with Attachments Profile 1.0, and Simple SOAP Binding (with HTTP) Profile 1.0:

III. WS-I Security Activities -- 3 WGs are involved:

The next major work item for WS-I, ongoing for the last 18 months, has been the Basic Security Profile (BSP). This work, based on the OASIS WS-Security standard, aims to provide a package of a security scenarios document, a basic profile specification, test tools and sample applications that demonstrate interoperable Web services security.

Any company that intends to use Web services beyond its firewall -- for inter-departmental or inter-company communications -- will need to ensure that all SOAP messages are secure and not tamper able or decipherable by "the man in the middle." Interoperable WS Security capabilities will be essential for all eBusiness and eCommerce applications, as well as for Grid computing.

A. The WS-I BSP WG is working on two deliverables:

There are three sections of the WS-I Basic Security Profile 1.0 document:

B. The WS-I Sample Apps WG is working on a Security Architecture document to guide development of source code for sample applications, which will demonstrate use of the BSP 1.0 as well as the Token Profiles (see description above). Currently, the sample applications are based on a supply chain business scenario.

C. The WS-I Test Tools WG is developing a Test Assertion Document (TAD) that will be used to test conformance to the BSP 1.0. This document contains the test assertions for the WS-I SOAP Message Security Profile definition. These test assertions are used by the analyzer testing tool to determine if a Web service is conformant to the Basic Security Profile.

The Test WG voted to make the current BSP 1.0 TAD public, inorder to gather further comments. As such, it will soon be available on the WS-I Web site for public review.

Also at this meeting, a new document on Enhanced Logging for Security was produced by the Test Tools WG.

IV. Deutsche Bank presentation On Use Of WS-I Deliverables, By Kieron Drake

DB uses Web services for four principal reasons:

Web Services enables DB to accept and process complex transactions from customers and internal traders, while protecting their users confidentiality. In essence, trade confirmations are replaced by a Web service that provides a signed agreement of the financial transaction or trade (e.g. between a broker dealer and investment bank or between two banks directly).

Web Services helps support the move to SOA, internally within DB. They standardized on WS-I BP 1.0 and are now moving to WS-I BP 1.1 (see references above). The WS-I basic profiles are augmented by a secure WS infrastructure, which is based on DB developed "XML firewalls." Those firewalls provide "secure plumbing" and expose "compensating bugs" in WS vendor solutions. The XML firewalls isolates Java and .NET clients from the J2EE and .NET servers that they access (these servers collectively form an enterprise compute Grid, which is accessed by the client PCs). DB noted one problem with a secure WS: it involves heavy use of asynchronous encryption algorithms, which adds a tremendous amount of overhead to messages.

Editors Note: While the XML firewalls provide the secure WS now, DB will standardize on the WS-I BSP when it has been completed. They later presented their WS Security requirements to the Sample Apps WG.

DB uses WS-I Test Tools to validate conformance to BP 1.0. Those tools have been particularly valuable with respect to validating WS vendor supplied WSDL (Web Services Description Language). The testing of vendor WSDL's drives an XML schema based, data centric approach to transaction processing at DB.

The trades capture system now being implemented by DB is faster and cheaper than the previous system, while permitting them to reuse existing servers. DB clients may access their post trade data over a secure environment that protects their confidentiality requirements.

Postscript: This editor suggested to the WS-I President and several board members that profiling of selected WS Security related specifications (that have not yet been submitted to a standards committee) might be a very useful work item. These specifications include: WS Federation, WS-Trust and WS-Secure Conversation. WS-Policy would also be involved. It remains to be seen if the WS-I Board of Directors will consider this suggestion.

Appendix: WS-I Deliverables

WS-I's deliverables provide resources for Web services developers to create interoperable Web services and verify that their results are compliant with WS-I guidelines. Key WS-I deliverables include Profiles, Sample Applications and Testing Tools, based on Web Services standards (from W3C and/or OASIS TCs):

About Alan J. Weissberger

As the founder and Technical Director of Data Communications Technology (DCT), a technical consulting firm started in March 1983, Alan J. Weissberger specializes in telecommunications standards and their implementation. His clients have included network providers (AT&T, NTT, Pacific Bell, US West, Entel and CTC in Chile, Telkom South Africa, Moroccan PTT, others), equipment and semiconductor manufacturers, and large end users. In 1995 and 1996 Alan was the principal architect for the European Commission's multi-service, multi-country ATM network -- the largest private network in Europe (that network has now evolved into Gig Ethernet over CWDM). In 2000-01, he was Ciena's lead ITU-T delegate, contributing to the standardization of the optical control plane in SG13 and SG15. Alan now represents NEC Corp in several OASIS TCs dealing with Web Services, while also attending the Global Grid Forum and the Optical Internetworking Forum (OIF).

Weissberger can be reached via e-mail at aweissberger@sbcglobal.net or ajwdct@technologist.com. To read his entire biography, please visit www.gridtoday.com/04/1011/bio.html.