- Federation – Authentication at the initiating client and authorization at the Web services server. The basic problem here is establishing trust.
- Privacy – Authentication without revealing the identity of the client. Take a look at this URL, which describes a joint project of Internet2 and IBM that tackles this problem.
- Security Administration – While there are systems that handle identity management, that is only a portion of Web services security administration needs. Other areas that require an administration model are Authorization, Attributes and Policy between disparate companies.
- Access Control – There has been some very good work in access control, but there are still some interesting problems in this area, especially as we move to Web services security. Take a look at the XACML specification at this URL for some of the recent work on access control in Web services.
This was first published in August 2003.