Discover how XML-based web services and Public Key Infrastructure (PKI) can be leveraged to construct secure, distributed web applications. This guide explores the use of XML and key web service specifications to facilitate transactions securely. Learn about XKMS, Trust Services, and future XML Trust Services applications.
XML Web Services and PKI
Warwick Ford, VeriSign, Inc.
XML-based Web Services
• Building blocks for constructing distributed Web-based applications in a platform-, object-model- and language-independent manner
• Use XML and associated platform tools for easy-to-implement standardized transactions
• Example: a company builds an online sales application that uses:
  • An authentication service to identify customers
  • A creditworthiness checking service
  • An invoicing service
  • A payments processing service
  • A delivery tracking service
Some Key Web Services Specifications
• XML Protocol
  • Generic protocol for conveying Web Service transactions
  • W3C standardization project
• SOAP
  • Predecessor of XML Protocol
• WSDL
  • Web Services Description Language
• UDDI
  • Universal Description, Discovery, and Integration
Securing Web Services
• XML Signature
  • W3C and IETF Proposed Standard, completed 2000
• XML Encryption
  • W3C project in progress
Two Requirements Come Together:
• Deliver public keys to XML applications to support XML Signature and XML Encryption
• Use the Web services architecture and tools to eliminate the application-enablement problems of traditional PKI
XKMS History & Status
• Developed by VeriSign, Microsoft, webMethods
• Co-submitted to W3C with IBM, HP, Citigroup, Reuters, Baltimore, IONA, PureEdge
• Supported by SUN, RSA, Entrust
• W3C launched standardization in July 2001 Workshop
• Developer tools and interoperability program available at www.trustcenter.org
Trust Services that Web Apps Need
• Register this signing key pair!
• Give me the public key for this signature!
• Verify this signature!
• Is this signer authorized?
• Is this company credit-worthy?
• Notarize this transaction!
Not of Interest to the Average App:
• Certification paths, revocation status, ASN.1, certificate extensions, policy mapping, certificates
First Generation PKI (diagram)
• Parties: key pair holder (private key), relying party (public key), PKI provider with PKI directories, other service provider
• App-integrated PKI functions inside the application product: ASN.1 processing, X.509 certificate parsing, path construction, path validation, revocation checking, trust model processing
• Registration runs over an ASN.1-based protocol; public keys are fetched via PKCS/CMP/CMC/CEP/CRS/LDAP/OCSP

PKI 2nd Generation - XKMS (diagram)
• Key pair holder's application product: "Register my public key!" to a Registration Server
• Relying party's application product: "Give me the public key I need!" to a Locate/Validate Server
• Both exchanges are XML; what sits behind the servers is unspecified

XKMS - Simple Configuration (diagram)
• Same client exchanges; the Registration Server and Locate/Validate Server front a single PKI operated by a PKI provider

XKMS - Complex Configuration (diagram)
• Same client exchanges; the servers front two PKIs (Provider 1 and Provider 2) joined by a bridge CA

Multi-PKI Backend Using XKMS (diagram)
• Purchasing manager (key holder) and B2B portal (relying party) use XKMS client apps for business-to-business interactions
• Acquiring financial institution operates a credential issuer, a key registration service (XKMS or traditional PKI), HSM, DSMS and a Locate/Validate service, reached over XKMS
• Backend certification authorities: the FI's private CA, the FI's Identrus CA under the Identrus root or other root CA, and a foreign CA reached through a chained XKMS transaction
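The "Give me the public key I need!" exchange on the XKMS slides, as an added example that is not part of the original talk: a relying-party-side Python helper that builds an XKMS ValidateRequest and keeps only the key bindings in a ValidateResult that the service has fully vouched for. Element names and the namespace follow the later W3C XKMS 2.0 Recommendation rather than the 2001 draft, the service URL, key names and the response document are constructed, and the set of required reasons is an assumption about what a relying party should demand before trusting a key.

```python
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)

# Assumed relying-party policy: the Validate service must assert all four checks
# (the work the slides move out of the application) before a key binding is acted on.
REQUIRED_REASONS = {XKMS + r for r in ("IssuerTrust", "RevocationStatus", "ValidityInterval", "Signature")}


def build_validate_request(service_url, key_name, request_id="req-1"):
    """Build a ValidateRequest asking for the key value bound to key_name."""
    req = ET.Element(f"{{{XKMS}}}ValidateRequest", Id=request_id, Service=service_url)
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "KeyValue"
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    key_info = ET.SubElement(qkb, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name
    return ET.tostring(req, encoding="unicode")


def parse_validate_result(xml_text):
    """Return (ResultMajor, list of key bindings) from a ValidateResult document.
    In production the ds:Signature on the result must also be verified against the
    service's key; that step is out of scope here."""
    root = ET.fromstring(xml_text)
    bindings = []
    for kb in root.findall(f"{{{XKMS}}}KeyBinding"):
        status = kb.find(f"{{{XKMS}}}Status")
        reasons = {r.text for r in status.findall(f"{{{XKMS}}}ValidReason")} if status is not None else set()
        bindings.append({
            "key_name": kb.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName"),
            "status": status.get("StatusValue") if status is not None else None,
            "valid_reasons": reasons,
        })
    return root.get("ResultMajor"), bindings


def trustworthy_bindings(xml_text):
    """Keep only bindings with overall Success, StatusValue Valid and every required reason."""
    major, bindings = parse_validate_result(xml_text)
    if major != XKMS + "Success":
        return []
    return [b for b in bindings if b["status"] == XKMS + "Valid" and REQUIRED_REASONS <= b["valid_reasons"]]


# Constructed sample response (not a capture from any real service): one fully checked
# binding and one whose revocation status and validity interval the service did not assert.
SAMPLE_RESULT = f"""<ValidateResult xmlns="{XKMS}" xmlns:ds="{DS}" Id="res-1" Service="https://xkms.example/validate" ResultMajor="{XKMS}Success">
 <KeyBinding Id="kb-1"><ds:KeyInfo><ds:KeyName>alice@example.com</ds:KeyName></ds:KeyInfo>
  <Status StatusValue="{XKMS}Valid"><ValidReason>{XKMS}IssuerTrust</ValidReason><ValidReason>{XKMS}RevocationStatus</ValidReason><ValidReason>{XKMS}ValidityInterval</ValidReason><ValidReason>{XKMS}Signature</ValidReason></Status></KeyBinding>
 <KeyBinding Id="kb-2"><ds:KeyInfo><ds:KeyName>bob@example.com</ds:KeyName></ds:KeyInfo>
  <Status StatusValue="{XKMS}Valid"><ValidReason>{XKMS}IssuerTrust</ValidReason><ValidReason>{XKMS}Signature</ValidReason></Status></KeyBinding>
</ValidateResult>"""
```

Running `trustworthy_bindings(SAMPLE_RESULT)` returns only the alice binding; bob's binding is dropped even though the service marked it Valid, because the revocation and validity-interval checks were never asserted.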
Other XML Trust Service Specifications
• SAML - Security Assertion Markup Language
  • Authentication and authorization assertions
  • Inter-domain access control - policy decision and enforcement architecture
  • OASIS Technical Committee - expected to complete Dec 2001
• XACML - eXtensible Access Control Markup Language
  • For expressing policies for information access over the Internet
• XML-Pay - XML Payment Gateway Access
  • Public specification developed by VeriSign and Ariba
Concluding Remarks
• Web Services simplify the building of business applications
• XML Trust Services support delegation of critical services to trusted specialists
• XKMS will revolutionize the ease of PKI-enabling applications
• SAML, XACML, XML-Pay etc. extend the model seamlessly to entitlements, access control, rights management, payments
• Future XML Trust Services:
  • Name management
  • Document authentication
  • Countersigning/notarization/time-stamping
  • Secure transaction archival