Subject: Proposed New Work Activity - WSS Templates

As many of you know, for some time I have been concerned that the flexibility inherent in the mechanisms specified by WSS may result in real world use which is insecure or at least does not have the security properties which are expected. Our experience with the various Interops as well as work done at WS-I has convinced me that there is no way to specify a set of rules which will let people use WSS in ways that are certain to be secure.

What I am now proposing is that we define a set of usage templates using the WSS mechanisms. These templates will provide specific security services using different token types and methods of key distribution. Each template will be carefully examined both manually and using automated tools to ensure that it has exactly the security properties desired and does not contain any unexpected vulnerabilities.

These templates will not represent the only way of using WSS, but will provide users with a set of patterns that meet most common requirements and have been carefully analyzed. The reason this activity is required is that while the WSS mechanisms can be combined to achieve robust security services, they can also be combined in ways that have security flaws. Sometimes these flaws can be quite subtle.

The existence of WSS Templates will allow users to solve the most common security problems with confidence that the chosen pattern has been carefully scrutinized for security flaws. This will promote confidence in the use of WSS and in turn in applications that employ its mechanisms.

Templates will be organized by the types of Tokens employed and the specific security services provided. Templates will include single messages, request response patterns, patterns involving two participants and patterns involving three or more participants.

I expect to also draw on other related work, including specifically the publicly available work of the WS-I to provide use cases, definitions of security services and proposed templates. Requirements and use cases for templates will be solicited from as many sources as possible. During the public review phase an effort will be made to encourage independent security analysis by recognized experts who are not necessarily members of the TC.

The Templates will also be analyzed using automated software tools. I have been in contact with individuals at Oxford University in England. They have developed a tool called Casper that is capable of analyzing message exchanges in terms of their security properties. Last spring they conducted analyses of some of our interop scenarios. It is my intention to use this tool to analyze the properties of the templates produced, in addition to manual analysis by experts.

I believe that this effort will tend to increase industry confidence in the use of WSS and encourage its use. This in turn will promote the use of Web Services for critical applications. The other side of the coin is equally compelling. If significant security flaws are discovered and publicized after important Web Services have been deployed, it will seriously undermine confidence in WSS and tend to retard the progress of Web Services generally.

Over the last few weeks, I have presented these ideas to some of the members of the TC privately. There has been considerable discussion about the best venue in which to do the work. I have looked at the Charter of the WSS TC and this proposal seems completely consistent with its spirit. Perhaps we could consider a charter change to explicitly call out Templates as a deliverable. The main objection I can imagine to doing the work in the WSS TC is that it may tend to extend the lifetime of the TC beyond what it will take to complete the profiles which are currently in progress.

I plan to follow this email with a proposal for how the Templates might be organized into categories and what an initial set of Templates might cover.

It is my hope that the TC will vote during our next meeting (Nov 2) to make this an official work item. I am also hoping a number of individuals will volunteer to assist in creating and analyzing the Templates.

Please let me know if you have questions, comments or suggestions for alternative ways of approaching the problem.