It’s just data

Out of the Frying Pan

Don Box: I have to say that the authentication story blows chunks.  Having to hand-roll yet another “negotiate session key/sign URL” library for J. Random Facebook/Flickr/GData clone doesn’t scale.  Personally, my dream stack would be ubiquitous WS-Security/WS-Trust over HTTP GET and POST and tossing out WSDL

From page 1 of WS-Security (emphasis added):

This specification describes enhancements to SOAP messaging to provide message integrity and confidentiality. The specified mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

This specification also provides a general-purpose mechanism for associating security tokens with message content. No specific type of security token is required, the specification is designed to be extensible (i.e., support multiple security token formats).  For example, a client might provide one format for proof of identity and provide another format for proof that they have a particular business certification.

Additionally, this specification describes how to encode binary security tokens, a framework for XML-based tokens, and how to include opaque encrypted keys. It also includes extensibility mechanisms that can be used to further describe the characteristics of the tokens that are included with a message.

I’d suggest that the root problem here has nothing to do with HTTP or SOAP, but rather that the owners and operators of properties such as Facebook, Flickr, and GData have vested interests that need to be considered.
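As an added example (not from the original post or the OASIS specification), a small receiver-side check that makes the extensibility clause concrete: the parser enumerates whatever tokens a wsse:Security header carries, and nothing is accepted until the deployment supplies its own allow-list of token formats. The namespace and X.509 ValueType URIs are those of the WSS 1.0 specification; the envelope and the policies are constructed for illustration.

```python
"""List the security tokens in a WS-Security header and filter them through a
deployment-specific allow-list.

Added example, not code from the original post or from the OASIS spec. The
namespace and ValueType URIs are the WSS 1.0 ones; the sample envelope and the
policies are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed sample: one envelope carrying three different token formats.
SAMPLE = f"""<s:Envelope xmlns:s="{SOAP}"><s:Header>
  <wsse:Security xmlns:wsse="{WSSE}" xmlns:saml="{SAML2}">
    <wsse:BinarySecurityToken ValueType="{X509V3}">MIIB...(placeholder)</wsse:BinarySecurityToken>
    <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
    <saml:Assertion ID="_a1" Version="2.0"/>
  </wsse:Security>
</s:Header><s:Body/></s:Envelope>"""


def list_tokens(envelope_xml):
    """Return a sorted list of token descriptors found under wsse:Security.
    The spec mandates none of them; each is only an extensibility slot."""
    root = ET.fromstring(envelope_xml)
    found = []
    for sec in root.iter(f"{{{WSSE}}}Security"):
        for child in sec:
            if child.tag == f"{{{WSSE}}}BinarySecurityToken":
                found.append("binary:" + child.get("ValueType", "unspecified"))
            elif child.tag == f"{{{WSSE}}}UsernameToken":
                found.append("username")
            elif child.tag == f"{{{SAML2}}}Assertion":
                found.append("saml2")
            else:
                found.append("unknown:" + child.tag)
    return sorted(found)


def accepted_tokens(envelope_xml, policy):
    """Keep only the token formats this deployment has chosen to trust; the
    rest are ignored, which is the decision the spec leaves to the receiver."""
    return [t for t in list_tokens(envelope_xml) if t in policy]


if __name__ == "__main__":
    print(list_tokens(SAMPLE))
    print(accepted_tokens(SAMPLE, set()))              # bare spec: nothing accepted
    print(accepted_tokens(SAMPLE, {"binary:" + X509V3}))
```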


OpenID + OAuth is the Final Nail in the Coffin of the WS-* vs. REST Discussion

Although the choice of whether to pick between WS-* and REST when deciding to build services on the Web seems like a foregone conclusion, there seems to be one or two arguments on the WS-* that refuse to die. You can find them in the notes...

Excerpt from Dare Obasanjo aka Carnage4Life at

Is security the killer feature of WS-*?

I said something along these lines at QCon last week and got some strange looks. I’m happy to see that Don Box is saying it’s quite important as well. People may take digs at the complexity of the WS-* specs, but security is damn complex and...

Excerpt from netzooid at

Having one's cake and eating it too

Sam has an interesting response to my bitching about authentication. “I’d suggest that the root problem here has nothing to do with HTTP or SOAP, but rather that the owners and operators of properties such as Facebook, Flickr, and...

Excerpt from Don Box's Spoutlet at

Touché.

The “ideal world” I was describing was one with a mechanized authentication story that works and is ubiquitous.

I’ll admit that while WS-Security aspires to this, ubiquity hasn’t happened yet.

Posted by Don Box at

It isn’t a matter of ubiquity.  As I left in a comment on your blog (which apparently doesn’t support preview or html):

“Out of the box”, exactly what security mechanisms does WS-Security provide?

Posted by Sam Ruby at

exactly what security mechanisms does WS-Security provide?

You probably saw this presentation before, but there’s an especially apt slide in it that reads: “[WS-Security] is not ready to use.  It’s a security protocol construction kit.”

Posted by Pete Lacey at

Don Box: I have to say that the authentication story blows chunks. Having to hand-roll yet another “negotiate session key/sign URL” library for J. Random Facebook/Flickr/GData clone doesn’t scale. Personally, my dream stack would...

Excerpt from Megite Technology News: What's Happening Right Now at

we need message level encryption and integrity mechanisms - this is what we get from wsse. what we are doing today (ssl and a prayer) isn’t working - 200 million breached records can’t be wrong. privacyrights.org but hey, it’s not the rest developers’ data which gets breached, so who cares, right?

Posted by gunnar at

message level encryption

Posted by Sam Ruby at

Don Box on Auth

I found it hilarious that Don moans about HTTP auth and then points to WS-Security as the way forward. I just can’t decide if Don was trying to be funny, or is actually serious (in which case he’s been in Redmond too long). Looks like I’m not the...

Excerpt from Simon Fell at

wrt your emphasis on “No specific type of security token is required, the specification is designed to be extensible”

This is a very good thing. wsse supports Kerberos tickets (such as you get from AD), SAML, and X.509 certs. We don’t want/need developers reinventing these things (poorly); what we need is a way to move these claims around in a system. So let the developer use their existing directory, CA, etc. Anyhow, it’s nice to see the Atom folks learn from wsse, but what they have done so far is the very tip of the iceberg.

Interestingly enough, this is the easy part of the problem as far as I am concerned, the harder problem that no one has a good solution for today is the authZ piece. The closest thing is probably XACML, but it is early days. authZ is harder because the vendors aren’t motivated to solve this problem (like they are with Identity). And as we have seen, the open source communities are very content to have weak security models. So that really only leaves architects in big companies to bash vendors on the head and hope they do something about it. See McGovern:

[link]

In the meantime, among all these petty SOA/Rest quarrels, the breached records pile up.

Posted by Gunnar at

WS-* is to REST as Theory is to Practice

Trackback from Dare Obasanjo aka Carnage4Life at

Anyhow, it’s nice to see the Atom folks learn from wsse

I think a more accurate statement would be that Atom and WS-Security build upon a common base.

Posted by Sam Ruby at

Out Of The Frying Pan and Eating the Cake

Don Box says: “Personally, my dream stack would be ubiquitous WS-Security/WS-Trust over HTTP GET and POST and tossing out WSDL in favor of doing direct XML programming against payloads from VB9 (or XQuery), but hey, I have unusual tastes.” In...

Excerpt from Musings about web services at

Links - 11.19.2007

BPEL++ You have to wonder if some people enjoy endless upgrade cycles and shiny new complicated specs. SOA 3.0? Come on, that’s insane. You can’t go to the next version before the current version is even deployed! Out of the Frying Pan Another old...

Excerpt from discipline and punish at

REST for developers - it's only a beginning

In my last post I asked Steve Vinoski some questions about REST and WebServices. I’d like to comment on the questions a bit more. First though I’d like to thank Steve for taking my questions the way he did and providing interesting answers,...

Excerpt from Musings about web services at
