Few Internet technologies have elicited as much interest as Web services. This interest is almost evenly distributed between the promise of the technology and concerns about the potential problems it may bring. In this context, Web services security and Extensible Markup Language (XML) security have received a lot of general attention; concrete technical articles on these topics, however, continue to be hard to find. These proceedings, from the ACM Workshop on XML Security, fill the vacuum in this area at just the right time.
Unfortunately, I missed the workshop. I have, however, discovered much useful information in the proceedings. The collection is divided into four sections: “Encryption,” “Secure Web Services,” “XML Applications,” and “Web Services Applications.” Each section contains two or three papers, selected from multiple submissions by the workshop committee, headed by Michihary Kudo of IBM Research and Phillip Hallam-Baker of Verisign.
Section 1, focusing on encryption, contains two papers. Geuer-Pollmann presented “XML Poll Encryption,” where he proposed an alternative method of XML encryption that makes it possible to hide the size and existence of encrypted contents from traffic analysis. The goal of his proposal is to achieve consistency
between XML encryption (World Wide Web Consortium (W3C) specification), which supports the encryption of subtrees in an XML document, and XML access control (another specification), which permits more granular restrictions in relation to descendant and ancestor nodes in an XML artifact. The paper describes these differences in approach between the two specifications in detail, before proposing a pool encryption mechanism based on encrypting the nodes separately, and moving them to a new position in a pool of encrypted nodes. This approach is closer to the XML access control specification, in terms of the level of granularity. Whether or not the reader agrees with the pool approach or finds that it adds unnecessary complexity to the problem, the paper will be worthwhile reading for both novice and expert computer scientists interested in XML security, since it addresses a range of issues in this area.
The second paper in Section 1, “A Stream-based Implementation of XML Encryption,” by Imamura, Maruyama, and Clark, addresses an implementation problem: the use of Xerxes native interface (XNI) in conjunction with the implementation of the XML encryption specification. The authors compare XNI to document object model (DOM) and simple application programming interface (API) for XML (SAX)-based APIs, describe the design of the XNI implementation, and conclude with a performance evaluation of the XNI implementation versus other methods. This is a well-documented study, which will be of interest to those who are engaged in hands-on activities involving XML encryption.
Section 2 focuses on secure Web services, and contains three papers. It starts with Gordon and Pucella’s paper, “Validating a Web Services Security Abstraction.” The authors draw from earlier work on secure remote procedure call protocol (RPC), and model the abstraction based on object calculus with semantics translated to a lower-level language. The most theoretical paper of the set, this paper will be welcomed by those who are interested in creating abstract models for secure messaging and secure Web services, and linking these to concrete implementations. The paper introduces readers to a range of theoretical concepts, and concludes with an example implementation. In the past two years, we witnessed the emergence of strong interest in Web services registries
(for example, universal description, discovery, and integration (UDDI) and electronic business XML (ebXML)) that gradually receded because of the perceived supplemental nature of a registry.
Adams and Boeyen focus on the potential of Web services registries in “UDDI and WSDL Extensions for Web Services - a Security Framework.” The paper outlines concrete steps to achieve Web services security by improving UDDI and Web services description language (WSDL) specifications. The approach consists of achieving registry security in order to provide trustworthy information, transaction security to ensure trust among the participants in transactions, and linkage with infrastructure to enable Web Services to benefit from security mechanisms located outside of the Web services framework. The paper places UDDI at the center of coordinating trust and security enablers for Web services (WS). This new functionality, going beyond discovery (the foundation of UDDI), may revive interest in UDDI as a vital part of the WS framework.
“Designing a Distributed Access Control Processor for Network Services on the Web,” by Kraft, completes the section. Extending the notions of the abstract security model and WS security enablers described in the previous papers, Kraft formulates the design model for a generic access control for Web services, paying some attention as well to the definition of the general authorization framework. The paper is an excellent source of information on many issues, from users’ perceptions of the importance of WS security to specific approaches to the design of authorization messages. Those interested in authorization and access control will find this informative and well-written paper very useful.
Section 3, focusing on XML applications, contains three papers describing security issues in mostly multimedia applications. Kodali and Wijesekera propose an access control model based on synchronized multimedia integration language (SMIL) in “ Regulating Access to SMIL-formatted Pay-per-view Movies.“ While recognizing that there are security mechanisms appropriate for multimedia, some already existing (XML encryption) and some under development (XML authorization), the authors propose to extend these specifications and proposals for use in “synchronized multimedia documents released on the Internet.” Their paper starts with a good overview of related work, and a description of SMIL itself, leading to a description of the access model proposed by the authors and the encryption model for SMIL-encoded multimedia distribution. This paper will be interesting reading for the developers of commercial pay-per-view multimedia systems.
“Towards and XML Format for Time Stamps,” by Wolters, Preneel, and Gonzalez-Tablas, addresses a very practical and seemingly simple problem: the ways in which to encode multiple legitimate formats for time stamps in XML. The paper provides a useful classification of time stamping standards, and explains how these standards can be consolidated through proposed main structures to ensure uniform and reliable communication with time stamping authorities (TSAs). The paper concludes with the proposed time stamping schema. The final paper of the series, “XrML - Extensible Rights Markup Language,” by Wang et al., focuses on the vital issue of formalizing the approach to assigning, retaining, and reallocating digital rights (digital rights management (DRM)). The standard described in the paper has been submitted to OASIS for further development. The paper explains the concept and components of XrML as a general-purpose rights language. The paper will be very useful for novice developers of DRM-enabled applications. Additional information can be obtained at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=rights.
The final section of the proceedings focuses on Web services applications. The need and mechanisms to ensure the authenticity of the data are addressed in “Authenticating Distributed Data Using Web Services and XML Signatures,” by Polivy and Tamassia. The authors propose an authenticated dictionary, which authenticates the source while returning the response to queries. Their paper primarily addresses systems “where the clients trusts the source, and not the responder.” The authors provide a detailed description of the architecture of such systems, concrete implementations of the architecture, and results of experimentation with prototype implementations. The second paper, “Towards Securing XML Web Services,” by Damiani, di Vimercati, and Samarati, is a review paper, discussing standardized approaches to maintaining access control and integrity of Web services. The paper contains good information on the XML-signature specification and simple object access protocol (SOAP), and enumerates and explains issues in XML security. It will be a good source of information for those just beginning to study XML security in relation to Web services. The final paper, “Dynamically Authorized Role Based Access Control for Secure Distributed Computation,” by Kuo and Humenn, explains the use of common secure interoperability (CSI) ATLAS and security standards such as Security Assertion Markup Language (SAML) to implement role-based security in distributed systems. The fact that the description of the main topic of the paper includes several acronyms confirms that it is a specialized paper, directed to those familiar with the field.
All four sections combined create a comprehensive view of XML security, from theory to applications. The scope of papers ranges from reviews of an area and explanations of specifications, to the presentation of novel and complex ideas. Each paper contains an excellent bibliography, embracing adjacent fields, as well as XML and WS security. I found this publication useful, both as a source of new ideas and as a reference tool, and I recommend it to specialists in XML or in computer and application security.