Formalize a user-facing use case for WS-Security (e.g. use of WS-Secure Conversation)

See Also: ACTION-19

Description

Alice decides to run a small desktop decoration program which uses web services requests flowing as SOAP messages over HTTP(S) connections. This program displays weather information on Alice's desktop as a transparent window. Alice uses this information to decide when to perform several tasks. Since the application gives no indication of how communication is established with the source of this weather information, there are no visible cues to suggest that the site contacted to obtain this information is in any way related to, or verified as being, the site defined in the configuration of the desktop decoration program.

Discussion

The subject of this application (weather information) would seem innocuous enough to be of little consequence or risk if such information were not accurate. Indeed, if the weather information supplied is for the location in which Alice is currently located, one might suggest that looking out the window is a more reliable (and cheaper) means of determining the weather. However, if the information is about some other location, and is relied upon in order to make decisions which do have financial or other consequences, then retrieving the right information, and knowing that the information is coming from the source that Alice is expecting, is quite important.

Attributes from the HTTP request/response headers, the SSL/TLS handshake and session parameters, and the WS-Security information in the SOAP request/response message header all contain elements of information which contribute to understanding whether or not the information retrieved is coming from the entity Alice expects it to be coming from.

Since the visual cues are not controlled by a browser, but rather by the application program which is painting the transparent window on the desktop, there is no browser chrome to define, protect, or for Alice to rely upon.

Perhaps the best we can do in this situation is to offer guidance to web services client programs which also render visual information for humans to consume, recommending that some types of indicators of the security of the communications link (and of the identity of the entity being communicated with) be viewable and conspicuous to the human.