Warwick Ford VeriSign, Inc. XML Web Services and PKI
XML-based Web Services
• Building blocks for constructing distributed Web-based applications in a platform-, object-model-, and language-independent manner
• Use XML and associated platform tools for easy-to-implement standardized transactions
• Example: Company builds online sales application that uses:
  • An authentication service to identify customers
  • A creditworthiness checking service
  • An invoicing service
  • A payments processing service
  • A delivery tracking service
Some Key Web Services Specifications
• XML Protocol
  • Generic protocol for conveying Web Service transactions
  • W3C standardization project
• SOAP
  • Predecessor of XML Protocol
• WSDL
  • Web Services Description Language
• UDDI
  • Universal Description, Discovery, and Integration
Securing Web-Services
• XML Signature
  • W3C and IETF Proposed Standard completed 2000
• XML Encryption
  • W3C project in progress
Two Requirements Come Together:
• Deliver public keys to XML applications to support XML Signature and XML Encryption
• Use Web services architecture and tools to eliminate the application-enablement problems of traditional PKI
XKMS History & Status
• Developed by VeriSign, Microsoft, webMethods
• Co-submitted to W3C with IBM, HP, Citigroup, Reuters, Baltimore, IONA, PureEdge
• Supported by SUN, RSA, Entrust
• W3C launched standardization at a July 2001 Workshop
• Developer tools and interoperability program available at www.trustcenter.org
Trust Services that Web Apps Need
• Register this signing key pair!
• Give me the public key for this signature!
• Verify this signature!
• Is this signer authorized?
• Is this company credit-worthy?
• Notarize this transaction!
Not of Interest to Average App:
• Certification paths; Revocation status; ASN.1; Certificate extensions; Policy mapping; Certificates
First Generation PKI (diagram)
Key Pair Holder (private key) and Relying Party (public key) each run an Application Product containing app-integrated PKI functions: ASN.1 processing, X.509 certificate parsing, path construction, path validation, revocation checking, trust model processing. Registration and lookup go to the PKI Provider (PKI directories holding public keys) over ASN.1-based protocols: PKCS/CMP/CMC/CEP/CRS/LDAP/OCSP. The link to any other service provider is marked "?".
PKI 2nd Generation - XKMS (diagram)
Key Pair Holder (private key) and Relying Party (public key) run an Application Product with no PKI code of its own. The holder's request "Register my public key!" goes in XML to a Registration Server; the relying party's request "Give me the public key I need!" goes in XML to a Locate/Validate Server. The public-key store behind the servers is marked "?Unspecified?".
XKMS - Simple Configuration (diagram)
Same front end; the Registration Server and Locate/Validate Server sit in front of a single PKI run by one PKI Provider, which holds the public keys.
XKMS - Complex Configuration (diagram)
Same front end; behind the Registration Server and Locate/Validate Server sit two PKIs (PKI Provider 1 and PKI Provider 2) joined by a Bridge CA.
Multi-PKI Backend Using XKMS (diagram)
A Purchasing Manager (Key Holder) running an XKMS Client App and a B2B Portal (Relying Party) carry out Business to Business Interactions. The Acquiring Financial Institution offers an XKMS Locate/Validate Service and a Key Registration Service (XKMS or traditional PKI), backed by a Credential Issuer with HSM and DSMS. Behind them sit the FI's Identrus Certification Authority (under the Identrus Root or other Root Certification Authority), the FI's Private Certification Authority, and a Foreign Certification Authority, reached through XKMS Chained Transactions.
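The Locate exchange that the diagrams above and the "Give me the public key for this signature!" request on the Trust Services slide describe, as an added example that is not part of the talk and not VeriSign's or any toolkit's code: a client builds a LocateRequest, a minimal in-memory service answers it, and the client checks the answer before handing the key to the application. It assumes the XKMS 2.0 element names and namespace (http://www.w3.org/2002/03/xkms#) as the later W3C Recommendation defined them, not the 2001 draft the talk refers to; the service URL, identifiers and key material are constructed for the example.

```python
"""Added example (not from the talk): a minimal XKMS-style Locate exchange.

Assumed, not taken from the slides: XKMS 2.0 element names and the namespace
http://www.w3.org/2002/03/xkms# as the later W3C Recommendation defined them.
The service URL, identifiers and key material are constructed for the example.
"""
import secrets
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)


def q(ns, tag):
    """Clark-notation name {namespace}tag as ElementTree expects it."""
    return "{%s}%s" % (ns, tag)


def new_id():
    """Unpredictable, unique Id so a response can be matched to its request."""
    return "I" + secrets.token_hex(8)


def build_locate_request(service, application, identifier, request_id=None):
    """Client: "Give me the public key I need!"  Ask for the key bound to
    `identifier` within `application` (here an RFC 2822 e-mail address)."""
    request_id = request_id or new_id()
    req = ET.Element(q(XKMS, "LocateRequest"), {"Id": request_id, "Service": service})
    # Ask for the raw key value, not a certificate the application would have to parse.
    ET.SubElement(req, q(XKMS, "RespondWith")).text = XKMS + "KeyValue"
    qkb = ET.SubElement(req, q(XKMS, "QueryKeyBinding"))
    ET.SubElement(qkb, q(XKMS, "UseKeyWith"),
                  {"Application": application, "Identifier": identifier})
    return ET.tostring(req, encoding="unicode")


# Constructed key directory standing in for the Locate/Validate server's PKI backend.
DIRECTORY = {
    ("urn:ietf:rfc:2822", "alice@example.com"):
        {"Modulus": "ALicE0zExampleModulusBase64==", "Exponent": "AQAB"},
}


def handle_locate_request(request_xml):
    """Service: look the identifier up and answer with a LocateResponse."""
    req = ET.fromstring(request_xml)  # for untrusted input use a hardened parser (e.g. defusedxml)
    if req.tag != q(XKMS, "LocateRequest"):
        raise ValueError("not a LocateRequest")
    ukw = req.find("./%s/%s" % (q(XKMS, "QueryKeyBinding"), q(XKMS, "UseKeyWith")))
    if ukw is None:
        raise ValueError("no UseKeyWith in query")
    lookup = (ukw.get("Application"), ukw.get("Identifier"))
    resp = ET.Element(q(XKMS, "LocateResponse"), {
        "Id": new_id(),
        "Service": req.get("Service"),
        "RequestId": req.get("Id"),       # ties the answer to the question
        "ResultMajor": XKMS + "Success",
    })
    entry = DIRECTORY.get(lookup)
    if entry is None:
        # XKMS reports "nothing found" as a minor result under Success.
        resp.set("ResultMinor", XKMS + "NoMatch")
        return ET.tostring(resp, encoding="unicode")
    ukb = ET.SubElement(resp, q(XKMS, "UnverifiedKeyBinding"), {"Id": new_id()})
    rsa = ET.SubElement(ET.SubElement(ET.SubElement(ukb, q(DS, "KeyInfo")),
                                      q(DS, "KeyValue")), q(DS, "RSAKeyValue"))
    ET.SubElement(rsa, q(DS, "Modulus")).text = entry["Modulus"]
    ET.SubElement(rsa, q(DS, "Exponent")).text = entry["Exponent"]
    ET.SubElement(ukb, q(XKMS, "UseKeyWith"),
                  {"Application": lookup[0], "Identifier": lookup[1]})
    return ET.tostring(resp, encoding="unicode")


def parse_locate_response(response_xml, expected_request_id, expected_identifier):
    """Client: check the response before handing the key to the application.
    Returns {"Modulus", "Exponent"}, None for NoMatch, and raises on anything odd."""
    resp = ET.fromstring(response_xml)
    if resp.tag != q(XKMS, "LocateResponse"):
        raise ValueError("unexpected element %s" % resp.tag)
    if resp.get("RequestId") != expected_request_id:
        raise ValueError("RequestId mismatch: not the answer to our request")
    if resp.get("ResultMajor") != XKMS + "Success":
        raise ValueError("service reported %s" % resp.get("ResultMajor"))
    if resp.get("ResultMinor") == XKMS + "NoMatch":
        return None
    ukb = resp.find(q(XKMS, "UnverifiedKeyBinding"))
    ukw = ukb.find(q(XKMS, "UseKeyWith")) if ukb is not None else None
    if ukw is None or ukw.get("Identifier") != expected_identifier:
        raise ValueError("key binding is not for the identifier we asked about")
    rsa = ukb.find("./%s/%s/%s" % (q(DS, "KeyInfo"), q(DS, "KeyValue"), q(DS, "RSAKeyValue")))
    if rsa is None:
        raise ValueError("no RSAKeyValue in binding")
    return {"Modulus": rsa.findtext(q(DS, "Modulus")),
            "Exponent": rsa.findtext(q(DS, "Exponent"))}


if __name__ == "__main__":
    service = "https://xkms.example.net/xkms"  # constructed service URL
    rid = new_id()
    request = build_locate_request(service, "urn:ietf:rfc:2822", "alice@example.com", rid)
    response = handle_locate_request(request)
    print(parse_locate_response(response, rid, "alice@example.com"))
```

A LocateResponse carries an UnverifiedKeyBinding: the service has found a binding but vouches for nothing, which is why the client above still checks RequestId and the returned UseKeyWith before accepting the key. A relying party that needs assurance sends a ValidateRequest instead, whose KeyBinding carries a Status, and in a real deployment the response is itself signed with XML Signature and checked against the service's key; without that, the only thing binding the key to the identifier is the transport.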
Other XML Trust Service Specifications
• SAML - Security Assertion Markup Language
  • Authentication and authorization assertions
  • Inter-domain access control - policy decision and enforcement architecture
  • OASIS Technical Committee - expected to complete Dec 2001
• XACML - eXtensible Access Control Markup Language
  • For expressing policies for information-access over the Internet
• XML-Pay - XML Payment Gateway Access
  • Public specification developed by VeriSign and Ariba
Concluding Remarks
• Web Services simplify building of business applications
• XML Trust Services support delegation of critical services to trusted specialists
• XKMS will revolutionize ease of PKI-enabling applications
• SAML, XACML, XML-Pay etc. extend model seamlessly to entitlements, access control, rights management, payments
• Future XML Trust Services:
  • Name management
  • Document authentication
  • Countersigning/notarization/time-stamping
  • Secure transaction archival