Telling stories about web services security

I spent yesterday in Boston at a joint W3C/OASIS Forum on Security Standards for Web Services, part of the XML Web Services One conference. (If you're going there this week, note that although the conference page says the event is at the Seaport Hotel across the street from Boston's World Trade Center, it is in fact at the WTC.)

The morning was dedicated to what we awkwardly call "use case scenarios" -- more colorfully, storytelling. The storytellers were from publishing (Lexis/Nexis' Chet Ensign), aerospace (Boeing's Steve Whitlock), finance (Niteo Partners' Kevin Cronin), and government (the U.S. OMB's Kim Johnson). The stories were about electronic publishing, search and retrieval of engineering documents, collaboration with parts suppliers, corporate cash management, and government recordkeeping. The moral of each story, and of all the tales collectively, was a laundry list of requirements for web services security standards. This was a terrific format. It reminds me of Alan Cooper's persona-driven methodology for software specification. I'd be interested to know how much of the original design of WS-Security and SAML was guided by stories as specific as these. My guess is not enough, but I'd like to be proven wrong.

One of the requirements that came through loud and clear was "make it buildable and understandable." Chet Ensign, for example, pointed out that while big players like Lexis/Nexis can "program their way out of any mess that gets made" [1], the weak links in the chain are the smaller fry -- customer-partners who lack development resources, and need turnkey solutions.

[1] Not, he added parenthetically, to imply that a mess is being made. He thinks the standards process is working pretty well so far.

The contrast between Ensign's digital rights requirements, and Cronin's financial requirements, helped to clarify the risk/value continuum along which security solutions are arranged. Electronic publishing doesn't (yet) involve the kinds of high-value transactions that compel Cronin to anticipate and solve every imaginable kind of spoofing or denial of service attack.

Lexis/Nexis, on the other hand, faces massive rights-management challenges. When the Supreme Court ruled in the Tasini decision that freelancers hold electronic rights, the ownership of tens of thousands of documents in the Lexis/Nexis archive suddenly changed.

For Boeing, with a huge investment in LDAP and CORBA, the question is how to avoid what security architect Steve Whitlock calls the Jurassic Park syndrome. Remember the scene in which the characters scramble down from their tree-bound crashed car, only to have it fall on top of them? ("Well, we're back in the car again.") Whitlock, who doesn't want to end up there again, points to the dark side of web services security: we've been there before, and wrapping angle brackets around everything doesn't change the name of the game.

Whitlock (who, apropos of nothing, colorfully describes an airplane as "five million parts flying in close formation") also gave a sobering assessment of what better identity management could mean to an organization like Boeing. The yearly help-desk bill for resetting lost passwords adds up to over one million dollars!

The afternoon was a whirlwind review of specs: WS-Security, SAML, XKMS, XML Encryption, XML Signature, and several rights-management proposals. Although I've read many of these, the overview was really helpful. Rights management aside, it became clear -- as Netegrity's Prateek Mishra noted in the Q and A -- that the rest of the specs are pretty cleanly partitioned and complementary to one another. But, he asked, what's the story with Rights Language and XACML, which two different OASIS committees are pursuing? "Will the one with the more lawyers win?" Entegrity's [2] Hal Lockhart, who presented the two specs, noted (as did Jamie Lewis) that DRM isn't just a political train wreck, it's also a poorly-defined space that nobody really knows how to partition.

[2] Note to would-be startups: tenegrity is apparently still available, being used at the moment only as a misspelling of tensegrity.

Kudos to the W3C and to OASIS for this well-conceived and well-executed forum. It definitely helped me see the big picture developing. As somebody said during the wrap-up, web services security -- without which, everybody agrees, web services will be dead on arrival -- isn't a binary, all-or-none deal. In most respects, it seems likely we'll soon have enough of a framework to get started. The elephant in the room, as Scott Bradner (of Harvard and the IETF) did not hesitate to say, is key distribution and management -- not a new problem of course, but a huge obstacle. Bradner sees no way around it. VeriSign's Phillip Hallam-Baker begs to differ. He thinks XKMS is the breakthrough we desperately need. But that's a story for another day.