SAML (Security Assertion Markup Language), 54. See also contracts/contract law
  access control types in, 112–113
  architecture of, 109–110
  assertions in, 54, 102, 274–275
  assertions and liability, 277
  assertions, securing, 277
  AttributeQuery XML, 115–117
  authentication methods supported by, 108
  authentication scenario, typical code for, 111–112
  authorization decision request (sample code), 132–133
  checklist for, 118
  commercial products supporting, 113
  deploying, 113
  and “distributed trust,” 274
  legal value of, 278
  as messenger, not guarantor, 276–277
  Microsoft support of, 113
  and PDP/PEP, 35, 109, 110–111
  and portable trust, 54, 102–103
  role in UDDI, 243–244
  SAML request in UDDI, sample code for, 244–246
  VeriSign Trust Services Integration Kit, 114
  and WS-Security (sample code for), 178–179
  XACML, commonality with, 128
saml:NameIdentifier, 224
save_binding, 235
save_business, 235
save_service, 235
save_tModel, 235
script kiddies, 56
security, 22, 260–261. See also authentication and authorization; contracts/contract law; encryption; firewalls; .NET (Microsoft); .NET servers; SOAP (Simple Object Access Protocol)
  anticipated and managed failure of, 281–282
  application-layer security, 55–57
  and biometrics, 34, 278–279
  buffer overflow attacks, 56
  computer security, 84
  confidentiality, use of SSL in, 38
  content-filtering security at application layer, 58–60
  and contract law, 260–261
  directory traversal attacks, 56
  DoS (Denial of Service) attacks, 36
  end-user based security, 43–44
  firewalls, choosing/configuring, 37–38
  multiple security contexts, 47–48
  OSI (Open System Interconnect), 37
  Padlock icon, 23
  PDP (Policy Decision Point), 35
  PEP (Policy Enforcement Point), 35
  persistent security, 51–52
  RBAC (role-based access control), 35, 121
  script kiddies, 56
  session and transport layers, 38
  shared cultural assumptions, importance of, 280–281
  smartcards, 33–34
  S/MIME application layer, 39, 53
  SOAP implementations, vulnerability of, 57
  SOAP security, challenge of, 42–43
  SOAP worms, 57
  SQL attacks, 56, 196–198
  tickerSymbol, vulnerability of, 59
  transport level security vs. full end-to-end security, 266–267
  URL string attacks, 56
  Web Services, security challenges of, 43
  in XACML, 134–137
  XML Schema, advantages of, 10
servers. See .NET servers
service provider, 205
serviceKey, 230
SessionIndex, 212, 225
set_publisherAssertions, 236
<SignatureMethod>, 240
signatures, digital. See contracts/contract law
<SignatureValue>, 241
<SignedInfo>, 240
SigningKey, 80
SingleLogoutProtocolProfile, 207
SingleLogoutServiceURL, 207
smartcards, 33–34
S/MIME
  as pre-XML Encryption standard, 53
  as secure application layer, 39
  use of PKCS#7 in, 39, 66–67
SOA (Service Oriented Architecture), 5
SOAP (Simple Object Access Protocol). See also encryption; security; WS-Security; XML (various)
  advantages over SOA, 11
  in B2B implementations, 11–12
  and end-user security, 43–44
  filtering SOAP requests by XML Firewall, XML proxy, 57
  firewalls and SOAP filtering, 58–60, 292
  “get time” request, 59
  implementations, vulnerability of, 57
  message syntax, analysis of, 16–17
  and multiple security contexts, 47–48
  requests, order of execution of (in XACML), 128–130
  requests, processing in XACML, 131–133
  “reset computer” request, 59–60
  routing among multiple parties, 17–18
  routing between multiple Web services, 48–50
  SAML data/assertions in, 54, 102, 106
  SOAP Fault message analysis, 18–19
  SOAP messages and WS-Security, 52
  SOAP security, challenge of, 42–43
  SOAP worms, 57
  WS-Security, 52
  as XML enveloping technology, 11
SOAPAssertionProviderFactory, 114
SoapEndpoint, 207
SOAP-SEC, and replay attacks, 77
SPKI (Simple Public Key Infrastructure), 139. See also keys; PKI (Public Key Infrastructure)
SPProviderNameIdentifier, 217
SSL (Secure Sockets Layer)
  and confidentiality, authentication, 38
  contractual effect/security of, 278
  in navigating firewalls, 4–5
  practicality of, 51
SSO (Single Sign-On), 53–54. See also Liberty Alliance Project
  and the Liberty Alliance Project, 54–55, 209–210
  Passport technology approach to, 54
  and SAML, 54
<Statement>, 107
static binding. See binding, dynamic/static
structured documents
  EDI vs. XML (example), 6–7
  using XML DTDs, 8–9
  using XML Schema, 9–10
Subject, 245
<Subject>, 107
<SubjectConfirmation>, 108
<SubjectLocality>, 108
<SubjectStatement>, 107
Susskind, Richard E., 260