Summary


This chapter has dealt with some of the most important aspects of security in electronic commerce and the digital economy: privacy, integrity, auditing, and nonrepudiation. You'll notice that nonrepudiation was covered at the end of this chapter, after the previous chapter on authentication and authorization. That was by design: nonrepudiation requires all the other supporting technologies in order to be effective.

We discussed many of the trade-offs you'll have to make when performing authentication and authorization, as well as some best practices if you decide to create or augment your own security services. Make sure you perform security due diligence when creating your own services. In our experience of reviewing many Web-based products, we've seen that custom-written security mechanisms are often vulnerable to attack.

You have many security tools and technologies to choose from. This chapter and the previous one should help you decide which are appropriate for your application and where you need to add functionality to meet your business's security requirements. In the next chapter, we return to our main example and build the canonical end-to-end delegation solution using Kerberos authentication; we'll also show how to adjust the solution to meet your requirements.

Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138