A view on W3C security standards for Web services

Although many teams leave security as an afterthought, it's very important to ensure your Web apps are secure and your end users (and their data) are safe. Building safe Web applications means using secure Web services. Development teams should be aware of the work of groups responsible for Web services security standards, as such formats help ensure compatibility when working with diverse organizations across different corporate firewalls.

OASIS and W3C are the two major organizations most active in Web services and SOA security standards and protocols. These two organizations have a similar approach to Web services security, but there are some differences in the way the concepts are expressed. When we look at the

    Requires Free Membership to View

    Login

W3C approach we see a major focus on user trust decisions and direct XML security specifications; whereas the OASIS standards focus more on abstractions such as the WS-*specifications.

This tip focuses on the W3C approach, and a future piece will round out the lesson by providing more information on the OASIS side of things.

W3C specifications

The W3C Security Activity is broken into two branches – the Web Security Context Working Group and the XML Security Working Group. The XML and Web security groups have relatively long established guidelines for representing the signature of Web resources, digital content encryption, and key management.

The W3C's Web Security Context Working Group focused on user experience and on end user trust decisions. They wrapped up work on their user interface guidelines this August. These guidelines present rules and best practices aimed at ensuring that end-users make their online trust decisions under the safest and best informed conditions possible.

The user interface guidelines describe both acceptable and best-case procedures for handling Web security with a focus on Web user agents. The guidelines define a "Web user agent" as "any software that retrieves and presents Web content for users." Web user agents can be said to conform at a basic level (meaning they do everything the guidelines state must be done) or Web services can be said to conform at an advanced level (meaning they also do the things the guidelines state should be done).

The XML Security Working Group grew out of two distinct but similar groups that had been working on XML security for some time. They continue the W3C's work on signatures and encryption for XML. As of September the group has just recently published five drafts including XML Signature 2.0, Canonical XML 2.0, and XML Signature Best Practices.

XML Signature 2.0 specifies processing rules and syntax for XML digital signatures. The specification is intended to improve integrity services as well as authentication services. Canonical XML 2.0 is a major reworking of the previous version and is aimed at performance, hardware implementation and other issues. XML Signature Best Practices provides best practices around using XML signature. Specifically, the document relates to generally improving security and mitigating attacks as well as the use of XML signature in practice.

This was first published in November 2010

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top