Security scenarios

[Stephen.Flinter@connectcgs.com]

Following Gerard's suggestion last week, regarding identifying the security
scenario(s) documented in the IBM/Microsoft paper "Security in a Web
Services World" that we wish to adopt, I would advocate the following:

1. That we specify that implementations of the Trans-WS spec MUST implement
direct trust using Username/Password and transport-level security.  This is
scenario 1 in the paper, and is probably the most straightforward scenario
to adopt.
2. Implementations of Trans-WS MAY implement other security scenarios as
agreed between the service provider and the users of the service.
3. That we reference the OASIS WSS TC specs as the preferred security
standard, as opposed to the IBM/Microsoft WS-Security.  Specifically, that
we reference the Web Services Security: SOAP Message Security and Web
Services Security: UsernameToken Profile documents, which are issued by the
WSS TC, and are currently in committee spec status.
4. For future versions of the Trans-WS spec, we can increase the level of
security required, by making additional security scenarios a MUST or SHOULD
implement.  We can also reference additional security documents such as
SAML, or whatever.

Note, all of the above would only require a narrative in the spec document.
We would not have to make any change to our WSDL file.  All the WSS stuff
sits in the SOAP header, and is transparent to the application using it.
Note also, that this means that we wouldn't need a "login" type operation
in the WSDL.  By definition, every SOAP message would have to include the
necessary token to allow for authentication/authorisation.

Regards,

Steve

---------------------------------------------
Stephen Flinter
Connect Global Solutions
[t] +353 (0)1 882 9038
[f] +353 (0)1 882 9050
[m] +353 87 798 1228
[e] stephen.flinter@connectcgs.com
[w] www.connectcgs.com
--------------------------------------------