
Monday, December 1, 2003

When you hear that security is one of the missing pieces of Web services, you’re probably listening to a discussion about complex SOAs that demand newfangled security protocols yet to be submitted to any standards organization. Today, most Web services connections, even those that cross firewalls, mirror the Web: a client and a server interacting more or less in real time, with security controlled by the server.
[InfoWorld: Web Services]

The primary thrust seems to be that "... such simple interactions typically rely on usernames and passwords for authentication and SSL for message encryption and integrity. More complex requirements, such as authorization and nonrepudiation, can be coded within the service applications themselves."

And according to the article, "things start getting more complicated when at least one of three conditions are true:

  1. The architecture includes intermediaries (that is, messages must be carried across multiple hops);
  2. messages are stored and must be secured beyond the time during which they’re transmitted; or
  3. more than one party wants control over some aspect of the security (for example, the usernames and passwords defined by the client must be used to access the server, which has an independent concept of authentication)."

Interesting read....
