
A view on W3C security standards for Web services

Check out this status report on work groups responsible for Web services security standards. The discussion starts with a look at W3C efforts such as the Web Security Context Working Group, XML Signature 2.0 and XML Signature best practices. Useful Web services security standards links included.

Although many teams leave security as an afterthought, it's very important to ensure your Web apps are secure and your end users (and their data) are safe. Building safe Web applications means using secure Web services. Development teams should be aware of the work of groups responsible for Web services security standards, as such formats help ensure compatibility when working with diverse organizations across different corporate firewalls.

OASIS and W3C are the two major organizations most active in Web services and SOA security standards and protocols. The two organizations take a similar approach to Web services security, but they express the concepts differently: the W3C approach focuses on user trust decisions and on direct XML security specifications, whereas the OASIS standards focus more on abstractions such as the WS-* specifications.

This tip focuses on the W3C approach, and a future piece will round out the lesson by providing more information on the OASIS side of things.

W3C specifications

The W3C Security Activity is broken into two branches – the Web Security Context Working Group and the XML Security Working Group. The XML and Web security groups have relatively long-established guidelines for representing the signatures of Web resources, encrypting digital content, and managing keys.

The W3C's Web Security Context Working Group focused on user experience and on end-user trust decisions. They wrapped up work on their user interface guidelines this August. These guidelines present rules and best practices aimed at ensuring that end users make their online trust decisions under the safest and best-informed conditions possible.

The user interface guidelines describe both acceptable and best-case procedures for handling Web security, with a focus on Web user agents. The guidelines define a "Web user agent" as "any software that retrieves and presents Web content for users." A Web user agent can be said to conform at a basic level (meaning it does everything the guidelines state must be done) or at an advanced level (meaning it also does the things the guidelines state should be done).

The XML Security Working Group grew out of two distinct but similar groups that had been working on XML security for some time. It continues the W3C's work on signatures and encryption for XML. As of September, the group has recently published five drafts, including XML Signature 2.0, Canonical XML 2.0, and XML Signature Best Practices.

XML Signature 2.0 specifies processing rules and syntax for XML digital signatures. The specification is intended to improve both integrity services and authentication services. Canonical XML 2.0 is a major reworking of the previous version, aimed at performance, hardware implementation and other issues. XML Signature Best Practices collects recommendations for using XML Signature; specifically, the document covers generally improving security and mitigating attacks, as well as the use of XML Signature in practice.
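The reason canonicalization matters to signatures is easy to see in code. An XML Signature does not hash the raw bytes of a document; each signed `Reference` carries a `DigestValue` computed over the canonical form of the referenced content, so a message that is re-serialized in transit (attribute order, quote style, whitespace) still verifies, while a change to the data does not. The example below is added for this tip and is not code from the W3C specifications or from any signature library; it uses the C14N 2.0 implementation that ships in the Python standard library (`xml.etree.ElementTree.canonicalize`, Python 3.8 or later) and a constructed sample document. It demonstrates only the digest step of verification; checking `SignatureValue` against a trusted key is a separate step that a real verifier must also perform.

```python
"""Added example for this tip: why an XML Signature reference digest is
computed over the canonical form of the content (Canonical XML 2.0) and
how a verifier uses it to detect tampering.

Not code from the W3C specifications or from any signature library.
Assumes Python 3.8+ for xml.etree.ElementTree.canonicalize (C14N 2.0).
"""
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

# Constructed sample: the same logical document serialized two ways.
# Attribute order, quoting, whitespace and empty-element syntax differ,
# but the information content is identical.
ORIGINAL = (
    '<order xmlns="urn:example:shop" id="o-1" currency="EUR">'
    '<item sku="ab-123" qty="2"/></order>'
)
RESERIALIZED = (
    "<order currency='EUR' id='o-1' xmlns='urn:example:shop'>\n"
    "  <item qty='2' sku='ab-123'></item>\n"
    "</order>"
)
# Constructed tampered copy: one attribute value changed (quantity 2 -> 20).
TAMPERED = ORIGINAL.replace('qty="2"', 'qty="20"')


def canonicalize(xml_text: str) -> bytes:
    """Return the Canonical XML 2.0 serialization of the document.

    strip_text=True corresponds to the C14N 2.0 TrimTextNodes parameter,
    so whitespace-only text nodes between elements are dropped.
    """
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=True)
    return canonical.encode("utf-8")


def digest_value(xml_text: str) -> str:
    """Produce a <Reference> DigestValue: base64 of SHA-256 over the
    canonical form, which is what the signer commits to."""
    digest = hashlib.sha256(canonicalize(xml_text)).digest()
    return base64.b64encode(digest).decode("ascii")


def reference_digest_matches(xml_text: str, expected_digest_value: str) -> bool:
    """Verifier side: recompute the digest over the received content and
    compare it with the signed DigestValue in constant time.

    A match shows the referenced content is unchanged; the verifier must
    still validate SignatureValue over SignedInfo with a trusted key.
    """
    return hmac.compare_digest(digest_value(xml_text), expected_digest_value)


if __name__ == "__main__":
    signed = digest_value(ORIGINAL)
    print("canonical form:", canonicalize(ORIGINAL).decode("utf-8"))
    print("DigestValue:   ", signed)
    print("re-serialized copy verifies:", reference_digest_matches(RESERIALIZED, signed))
    print("tampered copy verifies:     ", reference_digest_matches(TAMPERED, signed))
```

Running the script shows that `ORIGINAL` and `RESERIALIZED` canonicalize to the same bytes and therefore share one `DigestValue`, while the tampered copy fails the check. This is also why a verifier should always canonicalize before hashing rather than comparing raw bytes: raw-byte comparison would reject legitimate re-serialized messages and push integrators toward disabling the check.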
