VeriSign Web Services Positioning Paper

Web services are fundamentally applications that "expose" functions on the open Internet and share the particular quality of being able to dynamically cooperate depending on the nature of a request. Such dynamic interaction beyond the firewall places new requirements on trust infrastructures. VeriSign is participating in a number of initiatives related to PKI-based trust architectures for Web services. By defining trust mechanisms in XML, VeriSign is making the Internet safe for Web services, while paving the way to PKI that is truly interoperable and ubiquitous. In this workshop, VeriSign will address the confluence of trust architectures and Web services industry initiatives, such as UDDI, WSDL, and SOAP.

In the world of Web services, trust operates from two perspectives:

First, requests and responses must be authenticated. Without non-repudiation and authenticated access, Web services will never scale to encompass truly valuable services. The most common example of security requirements for XML-based documents is for contracts and payment transactions. But services must also be able to, for example, provide tiered services according to cryptographically ensured criteria. Web services must interact in ways that reflect both corporate hierarchies and contractual relationships among companies.

Second, trust infrastructure must be made available as a Web service itself. As new Web services are deployed, they should simply be able to "plug into" open trust Web services, which function like utilities for authentication operations. A major component of this requirement is that Web services be able to share authentication data. PKI has never been known for its ease of interoperation, so new initiatives are solving the issue of PKI interoperation through the medium of XML.
Web Service Directories and Trust

Web service directories, such as UDDI, provide standardized mechanisms based in XML for dynamically discovering and integrating with Web services. More than anything else, UDDI points the way to broad industry acceptance of dynamic service discovery and invocation over the Internet. The question of open Web service directories raises interesting issues related to trust, such as data quality, integrity protection, and privacy. Several industry initiatives are under way to address these issues: XKMS, SAML, and XTASS.

XKMS

XKMS enables applications to delegate key management to a Web service on the Internet. The XML Key Management Specification (XKMS) defines XML messages that enable applications to register key pairs, and then to locate keys for later use or to validate information associated with a key. Cryptographic keys can be generated by an application and then registered with an XKMS service by sending the proper information about the keys in an XKMS XML message. Applications can use this service to offload all key management, including revocation, in case a key is compromised, and recovery, in case a key is lost.

SAML

Formed out of the S2ML and AuthXML proto-standards, the Security Assertion Markup Language defines an XML framework for exchanging authentication and authorization information.

XTASS

XTASS builds on XKMS by providing a format for representing authorization data that can in turn be associated with a public key. XKMS can be used to manage, locate, and validate these keys, and an XTASS service can be used to associate authorization data. In this way, broadly distributed trust services can share key and authorization data, extending the breadth of authorizations to the point at which it is feasible for dynamic authorization checks to be performed.
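The following is an added, constructed example (not VeriSign's code and not the XKMS or XTASS message formats) that models the pattern the XKMS and XTASS sections describe together with the "tiered services according to cryptographically ensured criteria" point from the opening: a trust service that lets applications register a key, locate it by name, validate its current status (including revocation and expiry), and associate authorization data with it, plus a relying-party check that grants a service tier only when the key is still valid and carries the right authorization. The class and method names (TrustService, register, locate, validate, revoke, bind_authorization, service_tier) and the "tier:premium" attribute are assumptions for illustration; the key material is an opaque constructed byte string.

```python
"""Constructed model of key management offered as a Web service.

Illustrative code only: it mirrors the register / locate / validate /
revoke operations and the key-to-authorization binding described in the
text, not the real XKMS or XTASS wire formats.  All names are assumptions.
"""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class KeyBinding:
    key_id: str                 # service-assigned identifier (hash of the key)
    key_name: str               # name the key is bound to, e.g. an e-mail address
    public_key: bytes           # opaque public-key material (constructed)
    issued_at: float
    not_after: float            # binding lifetime; validation fails after this
    status: str = "valid"       # "valid" or "revoked"
    authorizations: List[str] = field(default_factory=list)  # XTASS-style data


class TrustService:
    """A registry other Web services 'plug into' for key and authorization lookups."""

    def __init__(self) -> None:
        self._by_id: Dict[str, KeyBinding] = {}
        self._by_name: Dict[str, List[str]] = {}

    def register(self, key_name: str, public_key: bytes,
                 lifetime_s: float = 86400.0, now: Optional[float] = None) -> str:
        """Register a public key under a name; idempotent for the same key."""
        now = time.time() if now is None else now
        key_id = hashlib.sha256(public_key).hexdigest()[:16]
        if key_id in self._by_id:
            return key_id
        self._by_id[key_id] = KeyBinding(key_id, key_name, public_key, now, now + lifetime_s)
        self._by_name.setdefault(key_name, []).append(key_id)
        return key_id

    def locate(self, key_name: str) -> List[KeyBinding]:
        """Return every binding registered under a name (possibly none)."""
        return [self._by_id[k] for k in self._by_name.get(key_name, [])]

    def validate(self, key_id: str, now: Optional[float] = None) -> str:
        """Current status of a binding: valid, revoked, expired or unknown."""
        now = time.time() if now is None else now
        binding = self._by_id.get(key_id)
        if binding is None:
            return "unknown"
        if binding.status == "revoked":
            return "revoked"          # revocation wins over everything else
        if now > binding.not_after:
            return "expired"
        return "valid"

    def revoke(self, key_id: str) -> bool:
        """Mark a compromised key as revoked; returns False for unknown ids."""
        binding = self._by_id.get(key_id)
        if binding is None:
            return False
        binding.status = "revoked"
        return True

    def bind_authorization(self, key_id: str, attribute: str,
                           now: Optional[float] = None) -> bool:
        """Associate authorization data with a key; refused unless the key is valid."""
        if self.validate(key_id, now) != "valid":
            return False
        auths = self._by_id[key_id].authorizations
        if attribute not in auths:
            auths.append(attribute)
        return True

    def authorizations_for(self, key_id: str, now: Optional[float] = None) -> List[str]:
        """Authorizations are only reported for keys that validate as valid."""
        if self.validate(key_id, now) != "valid":
            return []
        return list(self._by_id[key_id].authorizations)


def service_tier(ts: TrustService, key_id: str, now: Optional[float] = None) -> str:
    """Relying-party decision: a tier is granted only on a valid, authorized key."""
    if ts.validate(key_id, now) != "valid":
        return "denied"
    if "tier:premium" in ts.authorizations_for(key_id, now):
        return "premium"
    return "standard"


if __name__ == "__main__":
    ts = TrustService()
    kid = ts.register("alice@example.com", b"constructed-public-key-alice", now=1000.0)
    ts.bind_authorization(kid, "tier:premium", now=2000.0)
    print(service_tier(ts, kid, now=2000.0))   # premium
    ts.revoke(kid)
    print(service_tier(ts, kid, now=2000.0))   # denied
```

The design point to notice is that authorization data is never returned on its own: every lookup of authorizations goes through validate first, so a revoked or expired key silently loses the privileges bound to it and the relying party falls to "denied" without needing its own revocation logic.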