1 / 13

Building Secure Web Services with XML and PKI for Distributed Applications

Discover how XML-based web services and Public Key Infrastructure (PKI) can be leveraged to construct secure, distributed web applications. This guide explores the use of XML and key web service specifications to facilitate transactions securely. Learn about XKMS, Trust Services, and future XML Trust Services applications.

ccorley
Download Presentation

Building Secure Web Services with XML and PKI for Distributed Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Warwick Ford VeriSign, Inc. XML Web Services and PKI

  2. XML-based Web Services • Building blocks for constructing distributed Web-based applications in a platform, object model, and multi-language manner • Use XML and associated platform tools for easy-to-implement standardized transactions • Example: Company builds online sales application that uses: • An authentication service to identify customers • A creditworthiness checking service • An invoicing service • A payments processing service • A delivery tracking service

  3. Some Key Web Services Specifications • XML Protocol • Generic protocol for conveying Web Service transactions • W3C standardization project • SOAP • Predecessor of XML Protocol • WSDL • Web Services Description Language • UDDI • Universal Description, Discovery, and Integration

  4. Securing Web-Services • XML Signature • W3C and IETF Proposed Standard completed 2000 • XML Encryption • W3C project in progress Two Requirements Come Together: • Deliver public keys to XML applications to support XML Signature and XML Encryption • Use Web services architecture and tools to eliminate the application-enablement problems of traditional PKI

  5. XKMS History & Status • Developed by VeriSign, Microsoft, webMethods • Co-submitted to W3C with IBM, HP, Citigroup, Reuters, Baltimore, IONA, PureEdge • Supported by SUN, RSA, Entrust • W3C launched standardization in July 2001 Workshop • Developer tools and interoperability program available at www.trustcenter.org

  6. Trust Services that Web Apps Need • Register this signing key pair! • Give me the public key for this signature! • Verify this signature! • Is this signer authorized? • Is this company credit-worthy? • Notarize this transaction! Not of Interest to Average App: • Certification paths; Revocation status; ASN.1; Certificate extensions; Policy mapping; Certificates

  7. First Generation PKI Private key Relying Party Key Pair Holder Public key ASN.1 processing X.509 certificate parsing Path construction Path validation Revocation checking Trust model processing PKCS/CMP/CMC/CEP/CRS/LDAP/OCSP App-integrated PKI Functions Application Product Registration ASN.1 Based Protocol ? Other service provider Public keys PKI Directories PKI Provider

  8. PKI 2nd Generation - XKMS Private key Key Pair Holder Relying Party Public key Application Product Give me the public key I need! Register my public key! Registration Server Locate/Validate Server ?Unspecified? XML Public keys

  9. XKMS - Simple Configuration Private key Key Pair Holder Relying Party Public key Application Product Give me the public key I need! Register my public key! Registration Server Locate/Validate Server XML Public keys PKI PKI Provider

  10. XKMS - Complex Configuration Private key Key Pair Holder Relying Party Public key Application Product Give me the public key I need! Register my public key! Registration Server Locate/Validate Server XML PKI PKI Bridge CA PKI Provider 2 Provider 1

  11. Foreign Certification Authority FI’s Private Certification Authority XKMS XKMS Chained Transaction Multi-PKI Backend Using XKMS Acquiring Financial Institution Identrus Root or other Root Certification Authority FI’s Identrus Certification Authority Credential Issuer Key Registration Service (XKMS or traditional PKI) HSM DSMS Locate/ Validate Service XKMS XKMS XKMS Business to Business Interactions XKMS Client App B2B Portal (Relying Party) Purchasing Manager (Key Holder)

  12. Other XML Trust Service Specifications • SAML - Security Assertion Markup Language • Authentication and authorization assertions • Inter-domain access control - policy decision and enforcement architecture • OASIS Technical Committee - expected to complete Dec 2001 • XACML - eXtensible Access Control Markup Language • For expressing policies for information-access over the Internet • XML-Pay - XML Payment Gateway Access • Public specification developed by VeriSign and Ariba

  13. Concluding Remarks • Web Services simplify building of business applications • XML Trust Services support delegation of critical services to trusted specialists • XKMS will revolutionize ease of PKI-enabling applications • SAML, XACML, XML-Pay etc. extend model seamlessly to entitlements, access control, rights management, payments • Future XML Trust Services: • Name management • Document authentication • Countersigning/notarization/time-stamping • Secure transaction archival

More Related