wsfed message



Subject: RE: NIST: Guide to Secure Web Services


I have just heard from Karen Scarfone, one of the authors who works at
NIST. She says that she and Anoop Singhal would welcome comments sent
directly to them. Their email addresses are:

karen.scarfone@nist.gov
Anoop.Singhal@nist.gov

Hal

> -----Original Message-----
> From: Hal Lockhart
> Sent: Tuesday, September 18, 2007 3:03 PM
> To: ws-sx@lists.oasis-open.org; wsfed@lists.oasis-open.org; security-services@lists.oasis-open.org; 'xacml@lists.oasis-open.org'
> Subject: NIST: Guide to Secure Web Services
> 
> This August the National Institute for Standards and Technology of the
> US Federal Government (NIST) published a document entitled: Guide to
> Secure Web Services, available here:
> http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf.
> 
> Its purpose and scope are stated in the introduction.
> 
> "This publication seeks to assist organizations in understanding the
> challenges in integrating information security practices into SOA
design
> and development based on Web services. This publication also provides
> practical, real-world guidance on current and emerging standards
> applicable to Web services, as well as background information on the
most
> common security threats to SOAs based on Web services."
> 
> Although NIST is a US Federal Agency, the document says:
> 
> "This guideline has been prepared for use by Federal agencies. It may
be
> used by nongovernmental organizations on a voluntary basis and is not
> subject to copyright. Attribution is desired and requested."
> 
> Historically, NIST publications have had an impact which is much wider
> than the US Government, so I believe this document is of interest to
> everyone.
> 
> My reaction to this document is mixed. On one hand, it provides an
> excellent overview of the Requirements, Standards and implementation
> issues relating to securing web services. On the other hand, reading
> quickly through the document I noticed numerous factual errors. There
> are also statements in the document which appear to have been written
> six months to a year ago.
> 
> I am not talking about points of interpretation or emphasis upon which
> reasonable people might differ. I am talking about out and out factual
> errors such as: XML Signature requires the use of PKI or SAML does not
> permit encryption of assertions.
> 
> Now I am well aware of the fact that I am rather poor at proofreading.
> I know from experience that if I can see a dozen errors in a document
> there are likely to be hundreds. Therefore I am urging everyone to read
> this document and comment on it to NIST. I am posting it to these lists
> as the document discusses standards developed by these TCs, as well as
> the WSS TC, of which many of you were members.
> 
> Hal
