security-services message
Subject: NIST: Guide to Secure Web Services


This August the National Institute for Standards and Technology of the
US Federal Government (NIST) published a document entitled: Guide to
Secure Web Services available here:
http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf.

Its purpose and scope are stated in the introduction.

"This publication seeks to assist organizations in understanding the
challenges in integrating information security practices into SOA design
and development based on Web services. This publication also provides
practical, real-world guidance on current and emerging standards
applicable to Web services, as well as background information on the
most common security threats to SOAs based on Web services."

Although NIST is a US Federal Agency, the document says:

"This guideline has been prepared for use by Federal agencies. It may be
used by nongovernmental organizations on a voluntary basis and is not
subject to copyright. Attribution is desired and requested."

Historically, NIST publications have had an impact which is much wider
than the US Government, so I believe this document is of interest to
everyone.

My reaction to this document is mixed. On one hand, it provides an
excellent overview of the Requirements, Standards and implementation
issues relating to securing web services. On the other hand, reading
quickly through the document I noticed numerous factual errors. There
are also statements in the document which appear to have been written
six months to a year ago.

I am not talking about points of interpretation or emphasis upon which
reasonable people might differ. I am talking about out and out factual
errors such as: XML Signature requires the use of PKI or SAML does not
permit encryption of assertions.

Now I am well aware of the fact that I am rather poor at proofreading. I
know from experience that if I can see a dozen errors in a document
there are likely to be hundreds. Therefore I am urging everyone to read
this document and comment on it to NIST. I am posting it to these lists
because the document discusses standards developed by these TCs, as well
as the WSS TC, of which many of you were members.

Hal