Glossary

Advanced Encryption Standard. AES replaces DES as the newest government-sponsored symmetric block cipher encryption standard. AES is also known as Rijndael after its developer. In addition to 3DES, AES is the encryption method of choice specified in the XML Encryption specification.

Abstract Syntax Notation 1, published jointly by the International Standards Organization, the International Electrotechnical Commission, and the International Telecommunications Union. This structured data language allows well-defined data structures to be passed among differing applications and platforms. Unlike XML, it is a binary format. It is older than XML and is more compact. It is also the underlying format in all the PKCS key and certificate interchange specifications and is therefore important for current Web Services Security implementations .

Non-matching but mathematically related keys are used for encryption and decryption. One key (it does not matter which) is used for encryption. That key is useless for decryption. Only the matching key can be used for decryption. This process is referred to throughout this text as public key encryption. This concept will be used by XML Signature for key exchange to establish and transport a symmetric key for use in XML Encryption.

In SAML, once an identity (a subject) is established, an attribute-issuing authority receives the credentials for a subject with the intent of attaching certain attributes to these credentials. Examples of attributes that might be attached include the subject's current account paid status, credit limit, and so forth.

The process of an individual proving he really is someone who has already had his identity established. The receiver of a message needs to be able to ascertain its origin and not have an intruder masquerade as someone else. A message sender authenticates himself by providing a shared secret of some sort that the receiver has and that he also either has (a token or key), knows (a password, passphrase, or PIN) or is (biometric). Authentication in Web services will use the same mechanisms the Web has been using for some time, including username/password, X.509 digital certificates, and biometric devices. The form this will take in Web services is most often SAML.

An SAML authentication authority receives a subject's credentials. It processes those credentials according to its established policy. If the authentication process is successful, the authority asserts that subject S was identified and that it has authentically represented itself by method M at time T so that its digital identity can be trusted to represent its physical identity.

The process of establishing what someone who has been authenticated is allowed to do. The entity receiving the request for service will grant permissions for each identity to access certain items. In Web services, SAML is used for authorization ”specifying what they can do ”as well as for authentication ”specifying who they are.

An SAML authorization authority receives credentials for subject S along with a request for authorization. This authority asserts that subject S can be granted access of type A to resource R given evidence E. The subject could be a human or a computer (Web service) and the requested resource could be another Web service.

Timely, reliable access to data and information services for authorized users. Availability is a security requirement for Web services not only because it speaks to authorization of users, but also because security is compromised or meaningless in the face of unreliable services.

Transmitting binary data such as keys or digital certificates in printable textual form is the goal of BASE-64 encoding. Transmitting data this way is necessary if these objects are sent in the body of an email message, through a Web page, or as part of an XML message. Base-64 is used extensively in the Web Services Security specifications when cipher text is placed inline within the XML message itself (for example, CipherValue in XML Encryption).

An authentication protocol supported by most browsers. It is a method of authentication that encodes username and password data transmissions. Basic authentication is sometimes called "clear text" authentication because the Base-64 encoding can be decoded by anyone with a freely available decoding utility. Note that encoding is not the same as encryption.

One of three things a WSDL must specify in addition to operations and services. Binding defines how the operations will be performed. The two most common bindings are RPC/encoded and Document/literal. The first specifies a fine-grained request-response synchronous mode of communication. The second specifies a mode in which a document is contained within the message and the style of communication is asynchronous.

Binding also refers to the way SAML itself is made secure. A binding is a way to transport SAML requests and responses to and from SAML authorities. A binding is the mapping of SAML request/response message exchanges into standard communication protocols. The SAML specification requires SOAP over HTTP as one binding.

Aids in authentication by providing something you are . These aids include palm scan, hand geometry scan, retina scan, iris scan, signature dynamics analysis (how you move the pen), keyboard dynamics (your typing pattern), voice print, facial scan, and hand topology; others are being developed and perfected. Today in extensive experimentation, the most effective biometric (leading to the fewest false positives) is a palm scan, followed by hand geometry and iris scan.

A plaintext message first broken into fixed- size blocks before each block is encrypted. 3DES and AES are block encryption ciphers. XML Encryption uses only block ciphers.

Often abbreviated to C14N, a strategy for standardizing XML structures so that they compare identically across multiple platforms. C14N is critical because if even a single bit changes in a document that is being signed, the digest (hash) will not be the same and signature validation will fail. With XML in particular because it is text-based, certain differences may exist between an XML document and XML fragment that has nothing to do with the underlying meaning of the XML.

Therefore, XML is always canonicalized before being hashed or signed, and both sides of the communication must agree on the canonicalization method used.

The signer of certificates. Primary tasks include issuing, renewing, and revoking certificates. A CA will receive a Certificate Signing Request (CSR) that contains the just-generated public key along with some identifying information about the associated individual or entity. The certificate authority's job is to bind that identity to the public key so that all possible parties who rely on that public key can be sure it remains valid and associated with the entity. Examples of public CAs include VeriSign, GeoTrust, Entrust, RSA, and Comodo.

A digital certificate from one CA can be linked or "chained" to one from another CA for the purposes of increasing the trustworthiness of the certificate. Through a process called certificate path validation, an attempt is made to create a "path" of valid, non- revoked certificates to one of the defined trusted certificate issuers in the trust list accessible to the recipient of the initial certificate.

Common Gateway Interface is a way for a browser to execute any server function through script executed on behalf of the browser by the Web server. Early attempts to create the functionality of Web services were accomplished by having one server (acting like a browser) issue HTTP POST calls to cause CGI scripts to execute remote procedures on the Web server.

Because the most common encryption ciphers encrypt fixed-size blocks separately, you don't want blocks completely independent of each other because blocks could be subtracted from a message at will. If the previous block affects the encryption of the next block, common words or patterns cannot be detected in the cipher. This is important for XML-based documents because XML has such a strong common structure. So you need some way to create a relationship between blocks. CBC is the most common mechanism for this.

The process of taking plaintext (or cleartext) and disguising it in such a way as to make it indecipherable is called encryption. The output of this process is called ciphertext. Ciphertext is the input to the decryption process that, if successful, results in the starting plaintext.

The goal of cryptography is to keep messages secret. You want to prevent an attacker from eavesdropping and being able to either intercept or modify your messages. The way you accomplish this in general is through encryption, and for Web services, in particular, this is the domain of XML Encryption.

Common Object Request Broker Architecture. CORBA was a huge middleware project led by the Object Management Group . The underlying communications protocol used by CORBA was called Internet Inter-ORB Protocol (IIOP). Much of what was learned from the experiences with CORBA has shown up in simpler, better, cleaner standards for the Web services form of middleware.

Certificate Practice Statement. A CPS is a formal statement by a certificate authority (CA) about its processes such that a relying party can determine what level of trust to place in certificates signed by this CA. The CA can be thought of as a digital notary. A user 's identity is based on the assurance (honesty) of the notary. A certificate policy specifies the levels of assurance the PKI has to provide, and the Certificate Practice Statement (CPS) specifies the mechanisms and procedures to be used to achieve a level of assurance.

Certificate revocation list. Authentication of clients and servers requires a way to verify each certificate within the chain, as well as a way to determine whether a certificate is valid or revoked. A certificate could be revoked if a key is compromised or lost or because of modification of privileges, misuse, or termination. The most commonly used method of certificate revocation is through a CRL that a CA publishes in a well-known place.

CAs certify each other to establish lateral trust relationships and also issue cross-certificates to represent these trust relationships. The idea is that another CA has performed the identification procedure on an individual who is otherwise a total stranger to your CA and all organizations yours serves. But the two CAs have agreed that their processes are in lock-step and agree to cross- certify each other's certificates. Because Web services will cross many trust domain boundaries and therefore cross between CA domains as well, cross certification will be critical for Web services trust.

The art and science of breaking ciphertext ”that is, seeing through the disguise placed on plaintext to make it indecipherable. Cryptanalysis is part of a branch of mathematics called cryptology.

The art and science of keeping messages secure and secret. It is practiced by cryptographers. Like cryptanalysis, cryptography is part of the branch of mathematics called cryptology. Algorithms such as 3DES, AES, and RSA all came out of this branch of mathe matics.

Distributed Computing Environment. An effort to standardize various competing RPC technologies. DCE was driven by the Open Group ”a consortium of otherwise competing companies. The goal was distributed applications across heterogeneous systems. DCE was implemented as a set of software services that reside on top of the operating system. It was middleware that used lower-level OS and network resources. DCE broke ground on major distributed applications and formed the knowledge base from which Web services evolved.

Distributed Component Object Model. Microsoft took its COM and extended it to allow applications to be built from COM objects that resided in different networked machines. This was Win32 platform specific. DCOM was complex, fine-grained, and proprietary, but not scalable; however, it provided a critical foundation that went directly into Microsoft's .NET Web services.

The process of turning ciphertext back into plaintext. The algorithms for encryption and decryption require a key, which is a special numeric value that is required as a parameter for the algorithm to perform its task. The wrong key will get garbage out, not the correct output. Algorithms for encryption and decryption do not need to be and normally are not kept secret. It is the key that is kept secret.

Also known as DoS, an attack that disrupts the availability of systems and transmissions. If a system is made unavailable because it is so busy responding to a threat, a complete disruption of its intended purpose occurs. Intrusion detection systems and firewall configurations help stop DoS at the Web service endpoints.

Specific to J2EE, necessary to deploy J2EE applications. All information about deployment of the application is contained in one XML deployment descriptor. The deployment descriptor specifies all EJB components, Web components, and client components , and it is the place where security roles are defined. The deployment descriptor is created and modified during the life cycle of a J2EE Web service's development.

Data Encryption Standard and Triple-DES. DES is 25 years old; it was designed (and adapted over the years ) to work really well in hardware. DES uses a 64-bit key, 56 effective bits, and 8 for parity; plus, it operates on an 8-byte fixed-size block. Due to the fact that 2 ⁵⁶ possible keys made plain DES susceptible to a brute-force attack, the DES algorithm is run three times with a much longer key in 3DES. Triple-DES (3DES) uses a 192-bit key, of which 168 bits is the effective key length. The idea is to use DES three times: Encrypt-Decrypt-Encrypt. This makes 3DES very secure and, on hardware, very fast.

In XML Signature, a Detached Signature points to an XML element or binary file outside the <Signature> element hierarchy. The item being pointed to is neither parent nor child. This allows XML Signature to provide for integrity of completely external objects such as Web pages or binary files.

X.509 digital certificates are containers for public keys. Distribution of public keys is so important they needed containers; public authorities (certificate authorities) verify they are accurate; and a substantial infrastructure called Public Key Infrastructure creates, maintains, and administers them.

Also known as key transport . It combines digital signature concepts and XML Encryption to encrypt the encryption key with the public key of a specific recipient and put it into the KeyInfo/EncryptedKey block. The idea is to take advantage of the speed and unlimited plaintext size that can be encrypted with the key management capability of public key techology.

An electronic signature that can be used to authenticate the identity of a message's sender or of a document's signer. It delivers the core security principle of integrity by ensuring that the original content of the message or document that has been conveyed is unchanged. Digital signature involves a one-way mathematical function called hashing and uses public key (asymmetric) encryption. The basic idea is to create a hashed message digest and then to encrypt that.

Direct Internet Message Encapsulation, an IETF draft specification in progress. A format that enables binary encapsulation of messages. DIME is used to combine entries and data packages of different types and sizes that originate from applications into a single message construction. DIME is meant to address issues that MIME has with speed and efficiency, especially for large attachments.

An approach to computer-to-computer communication that separates an application into units that are executed on different computers and communicate through a network. The means of communication ”frequently euphemistically referred to as plumbing ”is called middleware. Web services are distributed computing based on Web technologies.

One of the two modes of interaction SOAP supports, the other being RPC/encoded. Document/literal supports a more loosely coupled approach. Document communications tend to be asynchronous and coarse-grained, making them suitable for inter-organization (for example, B2B) integrations.

Document Object Model. A standardized XML API that allows XML documents to be created and modified as if they were program objects. DOM makes the elements of these documents available to a program as data structures and supplies methods that may be invoked to perform common operations upon the document's structure and data. DOM is both platform- and language-neutral and is a standard of the World Wide Web Consortium (W3C).

Digital Signature Algorithm. A public key algorithm used as part of the Digital Signature Standard (DSS). DSA cannot be used for encryption, only for digital signatures. It is part of the required set of supported algorithms for XML Signature and therefore for WS-Security.

Document Type Definition. The Schema specification method for SGML and XML documents. DTDs are either contained in the document or belong to its external subset and are then referenced from within the document's document type declaration per URI. For XML, DTDs have now been replaced by the newer XML Schema specification method.

Enterprise Application Integration. A comprehensive framework for integrating multiple application systems. The merging of applications and data from various new and legacy systems within a business. Various means are employed to accomplish this, including middleware, to unify IT resources, maximize new IT investments, diminish errors, and more. XML and Web services are now added to the set of tools used to accomplish EAI.

Electronic Business using Extensible Markup Language. A standard XML-based Web services framework designed to support B2B integration. It greatly expands the power of electronic data interchange (EDI) on which it was based. It was a joint effort of OASIS and UN/CEFACT.

Electronic Data Interchange. A standard format for exchanging business data and documents (purchase orders, invoices, payments, inventory analyses, and others). EDI is an older version of electronic commerce between buyers and suppliers that is more cumbersome and costly than Internet-based commerce and therefore feasible only for large companies and their most significant trading partners .

The conversion ( scrambling ) of data, using a mathematical algorithm, into a form that cannot be read by unauthorized users. Encryption ensures message confidentiality. Authorized users need a decryption key to unscramble the information. There are different strengths of data encryption, determined by the algorithm used and the length (in bits) of the key used.

An Enveloped Signature in XML Signature is one where the <Signature> element is a descendent of the resource being signed. In other words, the reference points to a parent XML element.

A non-hierarchical "hub" that is designed to permit disparate agency public key infrastructures to interoperate seamlessly. In essence, the Federal Bridge allows one recipient to accept with confidence the sender's electronic credential even when identification was done by another member of the Federal Bridge system.

A single identity credential that can map to identity information on different systems within a circle of trust. This enables single sign-on across security domains. Partners in a federated identity network depend on each other to authenticate their respective users and vouch for their access to services. This is the basic premise of the Liberty Alliance.

Related to federated identity, federated trust involves the federation of security credentials (SAML) to allow businesses to securely integrate their networks with those of their customers, partners, employees , and suppliers.

A one-way mathematical function that creates a unique fixed-size message digest from an arbitrary size text message. One-way means that you can never take the hash value and re-create the original message. Hash functions are designed to be very fast and are good at never creating the same result value from two different messages (they avoid collisions). A digital signature is the encryption of the hashed message digest of the document to be signed.

Hashed Message Authentication Code. A key-dependent one-way hash function. Only someone with the identical key can verify the hash. Hashing is a very fast operation, so HMAC is a fast way to guarantee message integrity when secrecy and non- repudiation are not important but speed is.

Hypertext Transfer Protocol. An IETF standard protocol for distributed, collaborative, hypermedia information systems. HTTP is the protocol that Web browsers use to communicate with Web servers, and it is the first and most common protocol used by Web services.

A process through which a user ascertains the identity of a person or entity; a process that results in stored shared secrets that later are used in the authentication process in the form of a challenge that must be met correctly for successful authentication.

An individual or an entity that might be an organization or a machine that is part of an organization. Establishing identity is a critical prerequisite to determining the legitimate actions this identity may perform. Identity is initially established and verified in some trust domain by some third party resulting in credentials. A core concept for SAML.

Interface Description Language. A machine-readable language for defining interfaces enabling communication between computing systems independent of implementation language. Used in one form or another in all types of middleware such as DCE and CORBA. The Web services replacement for IDL is WSDL.

Internet Engineering Task Force. The IETF is a large, open international community of network designers, operators, vendors , and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. Responsible for TCP/IP, DNS, SSL/TLS, HTTP, SMTP, and FTP. Collaborates with NIST on security.

Internet Inter-ORB (Object Request Broker) Protocol. An object- oriented protocol that allows distributed programs written in different programming languages to communicate over the Internet. IIOP is a critical part of CORBA and formed part of the backdrop for how Web services standards and protocols evolved.

The ability to detect any modification to a message from when it was initially sent to when it is received. One of the core message-level security foundational elements that is addressed through digital signatures which encrypt a message and attach its hashed message digest to the original plaintext message before it is sent.

A Web services component that lies between the service requester and the service provider. It intercepts the request from the requester, provides the service (functionality), and forwards the request to the service provider. Similarly, it intercepts the response from the service provider and forwards it to the requester.

Java APIs for XML-based RPC. A WSDL-aware RPC-style Java API for SOAP. JAX-RPC makes SOAP look and feel like RMI. JAX-RPC is the J2EE standard way to insert a message-observing component into the J2EE server sending and receiving XML that is critical to Web service and XML communication monitoring and analysis.

Java 2 Enterprise Edition. A Java-based, runtime platform created by Sun used for developing, deploying, and managing multi- tier server-centric applications on an enterprisewide scale. J2EE is the Java framework to use when building Web services in Java much as .NET is the Microsoft framework to use when building Web services for Windows.

An authentication protocol first developed at MIT and standardized by OSF. It is the primary authentication mechanism used in Windows. A Kerberos authentication token is called a ticket. Kerberos is an alternative approach to shared keys useful only in a closed environment. Its importance to Web Services Security is that when services cross organization boundaries and therefore cross trust domains, provisions have to be made to map between Kerberos and other trust environments.

Key escrow is a very important and controversial aspect of PKI. Key escrow is about storage and retrieval of private keys to recover data in the absence of the private key owner. Key escrow goes against the idea of a private key. Requirements for key escrow/recovery systems may come from customer support, or legal or policy requirements. International PKI implementations may require key escrow to comply with government and law enforcement restrictions.

The digital enveloping strategy used in WS-Security whereby the shared (symmetric) key to be used for XML Encryption is wrapped by the public key of the recipient and is placed in the WS-Security header.

A project developing a set of standards that allow you to use an SAML authentication assertion across multiple security domains. The Liberty federated identity infrastructure allows you to create a circle of trust with your affiliates . Although each member of this circle maintains and protects his or her unique user information, a single federated identity credential can be used as proof of authentication with all members of the circle.

A dangerous type of attack in which an attacker intercepts all the communications between two parties, making each think that it is communicating with the other. The SSL/TLS protocol was specifically designed to protect against this attack and is the reason SSL should always be used in point-to-point Web services connections.

Message Digest 5 (after MD1 “4 were improved upon). A one-way message-digest hash function. It processes input text and creates a 128-bit message digest that is unique to the message and can be used to verify data integrity. MD5, developed by Ron Rivest, is intended to be used in digital signature applications. Earlier message digest algorithms include MD2 and MD4. SHA1 is stronger than MD5 and is now the recommended choice for digital signature applications.

Another word for a hash value. The result of running a hash function. It is the message digest that is encrypted to form the basis of a digital signature.

Software systems that sit between application code and its underlying platform, providing easy access to core system facilities such as the network, storage, and processors. Web services add a set of core standards and protocols to the existing Web technologies to create middleware for the Internet.

Multipurpose Internet Mail Extensions. A specification defined in 1992 by the Internet Engineering Task Force (IETF) for formatting and attaching non-ASCII messages so that they can be sent over the Internet. Broadly used in email systems, enabling them to send and receive graphics, audio, and video attachments. Web browsers also support various MIME types. SOAP Messages with Attachments propose MIME as an approach for handling attachments to SOAP messages.

A huge initiative and set of technologies from Microsoft that the company considers its "platform for the digital future." The most important aspect of .NET for the subject of this book is XML Web services. .NET includes the .NET Framework, Visual Studio .NET, .NET My Services, and a set of .NET Enterprise Servers. Microsoft has developed new languages to support these efforts (C# and J#) and has fully endorsed XML to the extent that even the Office Suite tools generate and consume XML.

An arbitrary set of random bytes generated on the client side that helps prevent replay attacks as well as adding entropy to the resulting password digest. It is used to deal with the issue of a password being passed in the clear.

The assurance that the sender is provided with proof of delivery and that the recipient is provided with proof of the sender's identity so that neither can later deny having processed the data. Digital signature supports non-repudiation.

Organization for the Advancement of Structured Information Standards. A consortium that develops standards for Web services and e-business including SAML, WS-Security, ebXML and XACML. At http://www.oasis-open.org.

Online Certificate Status Protocol. Used to provide real-time validation of a digital certificate's status. An OCSP responder is used to respond to certificate status requests on the basis of CRLs (Certificate Revocation Lists) provided to it by certification authorities. XKMS provides a means to do revocation and status checks on certificates as a Web service.

Platform for Privacy Preferences Project. A project of the World Wide Web Consortium (W3C) that provides an easy way to learn about and react to the way Web sites may be using personal information. P3P is forming the framework on which WS-Privacy is being developed.

Microsoft's approach to single sign-on. Consumers are asked to store commonly used personal information in a Passport profile stored at a Microsoft data center. This information can be transmitted after authentication to any participating site. One clear benefit it has is the elimination of the proliferation of dozens of passwords that just causes password security to degrade. Detractors are concerned about concentrating more power over consumers in the hands of a central dominating company.

Information contained in the SOAP body. This information is being sent from one application to another. It might be a full document such as a purchase order or contract. Or it might be a description of remote procedure call information, including the methods to call and the parameters to those method calls.

Pretty Good Privacy. Invented by Philip Zimmerman, PGP uses symmetric key encryption and the RSA algorithm with keys up to 2047 for key management and digital signatures. Its one-way hash algorithm is MD5. PGP encrypts a user's private key using a hashed passphrase instead of a password. PGP uses a distributed key management scheme with no certification authorities. The concept is instead a "Web of Trust"; this is symbiotic with the fundamental nature of the Internet. PGP is one of the authentication methods supported by SAML.

Public Key Cryptography Standards. A set of inter-vendor standard protocols for making possible secure information exchange on the Internet using a Public Key Infrastructure (PKI). Interactions with certificate authorities are among the most common usage of PKCS standards. For example, PKCS#10 is the certification request standard. PKCS#12 is the way private key information is stored.

Public Key Infrastructure. A security infrastructure for the Internet designed by the IETF to ensure that, for an online transaction, the person is who she says she is and that no one else has access to the information. Under PKI, a digital certificate is generated by a trusted third party certificate authority (CA) and verified by a registration authority (RA). This digital certificate is a unique electronic credential used to generate personalized encryption keys.

A message that is completely readable and is in no way scrambled or disguised. It is the input to an encryption algorithm that produces ciphertext and is the output from a decryption algorithm that operates on ciphertext.

A PDP is the part of the SAML infrastructure responsible for making decisions about access control based on one or more parameters. Simple types of access can be granted, or complex conditional access such as a specific group on a specific day at a specific time can be granted access. PDPs can be implemented using XACML.

A PEP is part of the SAML infrastructure responsible for policy enforcement. A PEP makes a connection to the appropriate PDP for the decision. The policy function is evaluated with data supplied from the PEP to the PDP.

A PRP is an optional part of the SAML infrastructure. One is required if the PDP is external to the system, in which case the PDP uses the PRP to retrieve policies for the decisions it is required to make.

The WSDL where part. A WSDL element that defines the endpoint of a Web service implementation. The Web service implements a specific binding of a portType.

The identity of valid users must move around when information moves from one trust domain to another, so portable trust was an early requirement for Web Services Security.

An integrated and personalized Web-based interface to information, applications, and collaborative services. Access to most portals is limited to corporate employees (an intracompany portal) or corporate employees and certain qualified vendors, contractors, customers, and other parties within the extended enterprise (an intercompany portal).

The normal mode of operation for HTTP when interacting with Web sites. The almost desperate use of HTTP POST as an integration scheme for Web-based applications foretold the need for Web services. Using this approach, one site that had a Web application accessed by humans through browsers could be integrated into another site's Web application by posting all the interactions necessary to "fool" the service-provider site into thinking a browser was interacting with it. When bound to HTTP as the transport protocol, SOAP uses POST / GET as its communication mechanism.

Public key systems work with paired keys, one of which (the private key) is kept strictly private and the other (the public key) is freely distributed. It is vital for trust in signed or encrypted communications that the private key never leaves the possession of its creator.

For authentication, public key technology depends on the notion of something you have, which is the private key. In the case of an X.509 certificate, proof of possession means a digital signature, and in the case of WS-Security, it means an XML Signature. This proves that the sender has possession of the private key matching the public key you rely on.

A set of standardized rules for exchanging information among computers. Different protocols are used for different kinds of communication. HTTP is a transport protocol used by SOAP. SOAP is a message-level protocol used by Web services. SAML includes protocols to communicate with SAML authorities. XKMS includes protocols to communicate with security token services.

An intermediary application that acts as a liaison between a client and a server. In Web services, a client proxy is a communications routine, generated from a WSDL file that a client application uses to invoke a service. Proxies are also used to intercept Web services messages to perform various security or management functions.

Public key encryption is the way you deliver integrity, non- repudiation, and authentication to XML messages and to Web services. Public key encryption is also referred to as asymmetric encryption because there are two different but matched keys: Whichever one is used to encrypt requires the other be used to decrypt.

An entity that is responsible for identification and authentication of certificate subjects but that does not sign or issue certificates (that is, an RA is delegated certain tasks on behalf of a CA).

A person or agency that has received information including a certificate and a digital signature verifiable with reference to a public key listed in the certificate, and is in a position to rely on them. The relying party relies on the validity of the binding of the subscriber's name to a public key. The relying party is responsible for deciding whether or how to check the validity of the certificate by checking the appropriate certificate status information. The relying party can use the certificate to verify the integrity of a digitally signed message to identify the creator of the message or to establish confidential communications with the holder of the certificate. A relying party may use information in the certificate to determine the suitability of the certificate for a particular use. The relying party is the owner of the application.

When an attacker gains access to authentication information of an authorized entity that is then used to falsely gain access to a network or application. WS-Security includes facilities designed to help thwart replay attacks such as the inclusion of a time stamp in a UserNameToken .

The process of changing the status of a certificate from valid or suspended to revoked. The status of a certificate as revoked means that it should no longer be relied upon by any entity for whatever purpose. Revocation checking has been problematic in PKI systems. XKMS provides facilities for revocation checking.

Access control, which is often called rights management , determines who can look at something, what they can do with it, the type of device they can use to look at it, the conditions of their access, and the time frame in which it will be allowed. XACML and XrML are two XML standards that deal with rights management.

Remote Method Invocation. Java-based technology that allows Java programs to access the objects of another Java program running on a different computer.

A CA must be trusted or vouched for by someone who is trusted. A root CA is trusted by everyone. Root CAs have their public key embedded in common tools (such as servers and browsers) that other CAs link to in certificate chains.

Remote procedure call. A middleware system that uses a synchronous, client/server-based style of communication. A client uses RPC to invoke a procedure to be executed on a remote, networked system. RPC makes the remote procedure appear as if it were local.

A constrained way to structure SOAP messages to simulate an RPC request. The request message contains a method name and the parameters needed to execute the method call. The response message contains the result of the remotely executed method.

Rivest, Shamir, and Adelman are the inventors of a public key cipher that can be used both for encrypting messages and making digital signatures. The company the inventors founded ”RSA Data Security Inc. ”takes its name from this algorithm.

Security Assertion Markup Language. An XML framework for exchanging authentication and authorization information. The basis for portable identity. One of the WS-Security recognized security token types.

SAML defines a set of assertions, a protocol, and a set of bindings. The SAML protocol describes a request/response interaction with SAML authorities for policy decisions and enforcement. They are trusted third parties such as certificate authorities.

An SAML profile describes how SAML assertions are embedded into and extracted from a framework or protocol. SAML profiles are like documented processes that define patterns of SAML usage needed to secure a resource. Profiles have been defined for browsers, for securing SOAP, for WS-Security as part of the WS-Security specification, and for Liberty Alliance.

Simple API for XML. An event-driven interface in which the parser invokes one of several methods supplied by the caller when a parsing event occurs, such as recognizing an XML tag, finding an error, encountering a reference to an external entity, or processing a DTD specification.

Pieces of information used for authentication or authorization added to a SOAP header. WS-Security starts with XML security and combines it with pre-existing security technologies (such as X.509, Kerberos, and others), which it then binds to SOAP using constructs called security tokens. Examples of security tokens are usernames/passwords, X.509 digital certificates, SAML assertions, and Kerberos tickets.

An STS forms the basis of trust by issuing security tokens that can be used to broker trust relationships between different trust domains. An STS provides a Web service with a way to determine whether it will trust an incoming request from a different (possibly unknown) trust domain. WS-Trust defines how an STS works. WS-Policy allows a Web service to specify what it requires from an STS for incoming requests.

In RPC mode, an important function of SOAP is a set of encoding rules that define a serialization mechanism that creates a standard way of capturing programming language data elements such as integers, strings, and complex structures in a language-neutral, interoperable format. The result is a remote procedure call expressed in XML and serialized by SOAP over HTTP.

An architectural approach for linking resources on demand. In an SOA, resources are made available to other participants in the network as independent services that are accessed in a standardized way. This provides for more flexible loose coupling of resources. An SOA defines mechanisms for describing services, advertising and discovering services, and communicating with services. Most RPC-based middleware ”including Web services ”uses SOA.

A server-based Java applet that operates in conjunction with a Web server and offers an alternative to using Common Gateway Interface (CGI) to communicate with Web server processes. A WSDL file describes where a service resides through a specific URL address that in many cases will be a servlet that processes incoming Web Service requests.

Standard Generalized Markup Language. SGML is a 1986 ISO standard indicating how to specify a document markup language or tag set. SGML is not in itself a document language, but a metalanguage for how to specify one. HTML and XML are examples of SGML-based languages.

Secure Hash Algorithm 1 (1 because of an understanding that there will someday be a 2). Developed by NIST and NSA, it has superceded MD5 (which had weaknesses) as the preferred hash algorithm used in digital signatures.

Also known as symmetric key or secret key. The sender and recipient both have the same key used for encrypting and decrypting a confidential message. It is the basis for XML Encryption and SSL.

Information representing something you know communicated between two parties at identification time. The shared secret is later used for authentication to prove that a digital identity maps to a known physical identity. Checking shared secrets is typically done in a challenge-response mode, as in "what is your mother's maiden name" and is best combined with another authentication factor such as something you have or something you are .

A signature transform provides the essential capability of being selective about the data within a message that is being signed while still including mutable information in the signature itself. Signature transforms work like a waterfall with one's input being the output of the previous transform. Types of signature transforms that can be applied include canonicalization, Base-64 decoding, XPATH filtering, XSLT transform, and enveloped transform. An important practical use of signature transform is in a legal document that needs multiple digital signatures.

An important procedure a signed message recipient must perform to confirm that the <SignedInfo> element in an XML Signature has not been changed, can prove integrity, and that the appropriate key has signed this information, which proves non-repudiation.

Allows a user to log in once with a recognized security authority and use the returned login credentials to access multiple resources. Microsoft's Passport and the Liberty Alliance were motivated by the need for SSO, especially with Web services. The Web services security standard for SSO is SAML.

The standard for Web services messages. Based on XML, SOAP defines an envelope format and various rules for describing its contents. Seen (with WSDL and UDDI) as one of the three foundation standards of Web services, it is the preferred protocol for exchanging Web services messages.

Secure Socket Layer. Invented by Netscape and then renamed Transaction Layer Security (TLS) when it was turned over to IETF. Most commonly used for browser-to-server security for e-commerce. SSL is effective at maintaining confidentiality of transactions and will be broadly useful for Web services point-to-point security.

In XML Encryption, using an <EncryptedData> element to encrypt other <EncryptedData> elements is called super encryption. This capability is useful when you have a confidential document with multiple recipients involved.

When the same key is used to both encrypt and decrypt the message. This key must be kept secret from all non-intended parties to keep the encrypted message secret.

When WS-Security is used with a username/password security token, a time stamp is added to create "freshness" constraints on messages to defend against replay attacks.

In SAML, a claim, statement or declaration of fact (according to someone) specifying authentication, authorization, or attributes.

One organization or entity that operates with a consistent set of policies and certification practice statements used to establish identity and what those identities are allowed to do.

Combining two of the three authentication schemes ” something you have, something you are , and something you know ”to increase the level of trust in the result.

Universal Description, Discovery, and Integration. An OASIS standard for a registry of Web services. A UDDI registry is a Web service that manages information about service types and service providers.

Uniform resource identifier. The address of an Internet resource. A URI is the unique name used to access the resource. It is not necessarily a specific file location (it may be a call to an application or a database, for example), which is why it is preferred over the similar acronym URL.

Uniform resource locator. The global address of resources on the Internet. Relating it to URI, URL substitutes locator for identifier and is a URI that is bound to a physical network address.

Uniform resource name. A URI that is simply a name. It cannot be dereferenced. Used for namespaces in XML documents. A URI with a DNS registered hostname is guaranteed to be unique across the entire Internet.

World Wide Web Consortium. A consortium that develops standards for the World Wide Web, including HTML, XML, SOAP, and many other technologies.

An application that provides a Web API. A Web service is a software application identified by a URI, whose interfaces and bindings are capable of being defined, described, and discovered as XML artifacts. A Web service supports direct interactions with other software agents using XML-based messages exchanged via Internet-based protocols.

WebTrust for CAs is an audit process defined by the Association of Independent Certified Public Accountants (AICPA) that independently audits each CA to assess whether it meets a minimum standard for disclosures, policies, practices, and monitoring procedures.

A to-be-published specification that will define how authorization decisions are made in the context of Web services. Very similar in objectives to XACML, it will be heavily influenced by it.

Web Services Description Language. An XML format to describe the various network services and associated parameters and data types hosted by a system. A WSDL file tells a client what SOAP services are available and how to use them.

A to-be-published specification that will describe how to manage and broker the trust relationships in a heterogeneous federated Web services environment. It is built out of WS-Security plus WS-Policy plus WS-Trust plus WS-SecureConversation.

Provides a general-purpose model and syntax to describe and communicate the policies of a Web service. It defines a base set of constructs that can be used and extended by other Web services specifications to describe a broad range of service requirements, preferences, and capabilities. The goal is a common language for describing the rules for interacting with a Web service, or what a client requires of a Web service, regardless of whether the domain is security, privacy, transactions, or any other category.

Defines a set of common policy assertions that are applicable across all Web services. Included are what character sets are supported, what languages are supported, what specification versions are supported, and required message predicates.

Defines how policies are attached to a resource. One way is through additions to WSDL (but Web service clients do not have WSDLs), and the other way is to have the policy stand alone and point to the Web service with which it is associated.

A to-be-published specification that will establish a set of policies to be enforced on Web service endpoints with rules for dealing with personally identifiable information about human participants. It is built on WS-Policy plus WS-Trust plus WS-Security.

Establishes a mutually authenticated security context in which a series of messages are exchanged. WS-SecureConversation does at the SOAP layer what SSL does at the transport layer. WS-SecureConversation uses asymmetric encryption to establish a shared secret key and from then on uses symmetric encryption for efficiency.

The Web Services Security extension is a set of optional SOAP features. It includes XML Signature, which is used to sign XML data to provide integrity and origin. It also includes XML Encryption, which is used to encrypt XML data to provide confidentiality. Numerous security tokens are supported in WS-Security, allowing portable identity (SAML), public key transport (X.509), rights management information (XrML), and others.

Provides a set of WS-Security “specific policy assertions used to publish information about all aspects of WS-Security. It is built out of WS-Policy plus WS-PolicyAssertions plus WS-PolicyAttachments.

Defines extensions to WS-Security that provide methods for issuing and exchanging security tokens, and ways to establish and access the presence of trust relationships. Most importantly, WS-Trust defines a request/response mechanism for obtaining security tokens from a Security Token Service.

Part of International Telecommunications Union-T X.500 specification that defines a framework to provide and support data origin authentication and peer entity authentication services, including formats for X.509 public key certificates, X.509 attribute certificates, and X.509 certificate revocation lists. One of WS-Security's supported security token types.

eXtensible Access Control Markup Language. An OASIS specification for representing authorization and entitlement policies. XACML represents the rules that specify the who, what, when, and how of information access control for rights management .

XML Common Biometric Format. An OASIS specification that defines an XML vocabulary for representing and exchanging biometric information in XML. XCBF tokens are a type of security token supported by WS-Security.

XML Key Information Service Specification. This is the part of the XKMS specification that defines a protocol for Locate and Validate operations. These operations support the delegation of the processing of key information to a service. Such key information processing might be associated with an XML Signature, XML Encryption, or any other PKI situation.

XML Key Management Specification. Allows PKI to operate as a trusted Web service. Consists of two protocols: X-KISS for key validation and X-KRSS for key registration.

XML Key Registration Service Specification. Part of the XKMS specification that defines a protocol for Register, Recover, Revoke , and Reissue operations that support the registration and management of a key pair for use in XML Signature, XML Encryption, or any other PKI situation.

eXtensible Markup Language. A W3C standard data format for electronic documents and messages. It is a self-describing meta-markup language that provides a universal data format that can be interpreted, processed, and transformed by any application running on any platform.

A W3C standard that defines a process for encrypting and decrypting all or part of an XML document. Uses shared key cryptography to deliver the core security principle of confidentiality. XML Encryption is a fundamental building block for WS-Security.

A collection of element and attribute names identified by a URI reference. An XML Namespace prevents collisions between semantically different elements that happen to have the same name in different documents in much the same way a class in C++ or Java keeps the names of local data or methods from colliding with those in other classes.

A W3C standard, XML Schemas are created to define and validate an XML document. Unlike DTD, XML Schema is an XML format itself. XML Schemas describe data types and specify any required ordering of elements. Web services use XML Schema to define the format of communicating XML messages.

A W3C standard that defines a process digitally signing all or part of an XML document. Uses public key cryptography to deliver the core security principles of integrity and non-repudiation. XML Signature is a fundamental building block for WS-Security.

An XML-based protocol for performing remote procedure calls over HTTP. A precursor to SOAP. XML-RPC is SOAP without the Envelope or Header elements, and restricted to RPC over HTTP.

XML Path Language. A standard naming convention for accessing XML elements within a document. Allows for consistent addressing and naming of document elements. XPATH is the result of an effort to provide a common syntax and semantics for functionality shared between XSLT and XPOINTER. XPATH is used in XML Signature to determine exactly what is being signed.

XML Pointer Language is a W3C Working Draft. It builds on XPATH to provide a framework for addressing the internal structures of XML documents, such as elements, attributes, and content.

An SQL-like language covering much the same functionality as XSLT with a data-centric transformation as opposed to a document-centric transformation. Relies on XPATH.

eXtensible Rights Markup Language. A universal method for securely specifying and managing rights and conditions associated with all kinds of resources, including digital content and services. Part of the effort to create an infrastructure to manage digital rights on copyright and for-fee content that is moved across the public networks. One of the supported WS-Security tokens.

eXtensible Stylesheet Language Transformations. XSL is the language used to define how XML elements are to be displayed and presented, and XSLT is the use of the XSL language to transform XML data into specific output, such as HTML.