7.6 QA: A time to recap and reflect

Previous page
Table of content
Next page

7.6 Q&A: A time to recap and reflect

Q: Have corporations had a change of heart when it comes to Web services?

a: yes and no. the technological underpinnings of web services and their potential when it comes to developing new enterprise applications are essentially beyond reproach and are not in question. however, the overall climate of distrust and security-related paranoia that has permeated north america and western europe since 9/11, exacerbated by the unending attacks on security soft spots on windows platforms, has had a marked impact on how corporations are currently opting to use web services. rather than pursuing applicable web services that may be on offer on the web from unknown third parties, corporations, for the time being at least, are electing instead to exploit web-services technology as a new, standards-based component model for software being developed in-house or by trusted partners. in essence the use of web services is being confined to intranets and extranets.

Q: Is security an insurmountable issue when it comes to Web services?

a: no-most certainly not. while one cannot downplay the need for stringent security in any web services related scenario, it is important to keep things in perspective and to objectively evaluate the security implications of using a particular service on a case-by-case basis. concerns about security need to be proportional to the actual sensitivity of the data involved. thus, one should not generalize matters in this instance. there will be many web services that deal in relatively innocuous data-for example, a weather service or even microsoft s mappoint web service for mapping applications. some will argue that knowledge of even the invocation of an external web service, irrespective of the data that was exchanged, may provide a competitor or hacker with some level of insight. again, it all depends on the application. one should use web services with portals-particularly public portals. if such a portal routinely invokes web services dealing with weather, mapping, horoscopes, stock indexes, and so on, one will be hard pressed to argue that knowledge that these web services are being invoked would provide a competitor with significant intelligence-even though some would counter that knowing the rate at which these services are being invoked could indicate the popularity of that portal. the point here, however, is that it is indeed possible to have scenarios involving remote web services where security should not be the show-stopper-with the caveat that one always does have the option of still using available and appropriate security measures such as authentication and encryption.

Q: Is adequate security technology currently available to make remotely invoked Web services viable ?

a: by and large the answer to this has to be a resounding yes. at this juncture one should not lose sight of the fact that e-commerce continues to grow and that trillions of dollars worth of financial transactions, including online banking and online trading, take place over the web on a daily basis. all of the technology used for these types of transactions, such as digital certificates, digital signatures, ssl, and two-factor authentication, are also available to be used in web services based applications. a big concern with web services is that of rogue web services, where this could be due to an unscrupulous provider or a compromised platform. however, similar rogue trader or rogue web site scenarios are possible with e-commerce. one minimizes the danger of this by dealing with reputable sites. the same should apply to selecting web-service providers. provided you are dealing with a reputable service provider and are using all of the available and pertinent security technology (e.g., digital certificates, ssl) it is indeed feasible to use remotely invoked web services-particularly if one is dealing with data that is not ultrasensitive.

Q: Is it possible to locate, evaluate, license, and start using a Web service, all on the fly, over the Web, similar to buying and downloading a virus protection subscription online, using a credit card?

a: yes, this will indeed be possible. this on-the-fly, everything done across the web, e-commerce-based model, facilitated by uddi, was the initial and compelling vision for web services. it was even going to be possible to do all of this programmatically with the uddi apis. this original software functionality on-tap, over the web, paradigm will continue to prosper, and one might check to see that the oft-mentioned microsoft mappoint service does indeed pander to this. this model will be the only one of interest to a large portion of the software development community (i.e., the cottage-industry sector made up of talented individual programmers and those who are working for small firms). large enterprises selecting best-of-breed web services for mission-critical applications may only espouse this totally dynamic, all-electronic paradigm for web-service evaluation when the software is being invoked from stringently partitioned test machines. once they have located a promising service, the norm today is to revert to a traditional, big-ticket purchasing routine involving reference checks, credit checks, background checks, contracts, and so on.

Q: What are digital certificates?

a: digital certificates are electronic credentials issued by a trustworthy organization such as a large company or a security-specific entity such as verisign. a dc vouches for an individual s, a business s, or an application s identity and authority to conduct secure transactions over the web. dcs are in essence the internet equivalent of a travel passport. they are a universally accepted means of establishing one s identity and thus gaining entry to a protected resource. dcs are meant to replace traditional user ids and passwords, which are not as secure or trustworthy. they are thus the preferred means for authenticating users and applications in today s internet world.

Q: What is the role of SSL in relation to Web services?

a: ssl, a client/server-based security mechanism developed by web browser pioneer netscape communications in 1996, is the accepted and trusted basis for most of today s secure transactions across the web. ssl is a transport layer (i.e., layer 4) security protocol that works on a client/ server basis. it provides authentication, integrity, and data privacy for applications running above the tcp layer (i.e., layer 3). ssl uses digital certificates to authenticate the server and the client of a particular transaction. in the case of web services, this authentication would be for an application and the web service it intends to invoke. the authentication can be bidirectional (i.e., both the application and the web service make sure that they are indeed talking to whom they think they are). following a successful authentication, the ssl sets about negotiating a common encryption scheme acceptable both to the client and the server. ssl does not do the end-to-end data encryption. ssl relies on well-established industry standards (e.g., 168-bit triple des) and commercial ciphers (e.g., rsa). what it does is negotiate an encryption scheme acceptable both to the server and the client-and then invokes this mutually accepted encryption scheme for encrypting the data flowing between the client and the server. thus, the security services provided by ssl in web-services scenarios would involve bidirectional authentication via digital certificates, acceptable encryption scheme negotiation between the application and the web service, and invoking the accepted encryption scheme to ensure that the data flowing between the application and the web service is indeed encrypted and tamperproof on an end-to-end basis.

Q: What are the new security standards being developed for the Web-services arena?

a: there are a raft of new web services related security specifications being worked on. in some cases the goal of these specifications is to add xml support to existing technologies (e.g., xml signature syntax and processing as well as xml key management specification [ xkms ]). in other cases the goal is to add security measures to soap (e.g., ws-security, ws-security addendum, ws-trust, etc.). a list of these security-related specifications can be found in table 1.1 . for the latest status of these specifications, as well as for news on any new security-related specifications, one should visit www.xmlweb.org .

Q: Is it possible to have Web services that are not deployed on Java or .NET platforms?

a: yes, most certainly. java and .net are today s strategic and popular software development platforms, particularly in the corporate arena. web services, though truly a technology of the twenty-first century, are not, however, confined to these two new software platforms. web services can be deployed on any platform that offers an appropriate web-oriented transport that a calling application is willing and able to support. web services are programming language and platform independent-as is the case for the applications that wish to invoke web services. thus, it is indeed possible to have web-services scenarios that do not involve java or .net. c and c++ on unix and linux platforms are obvious candidates for web-services scenarios, as are traditional transaction processing systems such as ibm s cics and bea s tuxedo.

Q: What are the potential pricing models for Web services?

a: there will be a wide spectrum of pricing options for web services, ranging from freeware to expensive, premium offerings, coupled with many permutations, in the case of the nonfreeware offerings, as to how the pricing will be structured. the pricing options available will definitely include one-time charge schemes, periodic licensing (e.g., monthly or yearly), and umpteen usage-based options.

Q: Is management going to be an impediment to the deployment and use of Web services?

a: no.

Answers

A: Yes and no. The technological underpinnings of Web services and their potential when it comes to developing new enterprise applications are essentially beyond reproach and are not in question. However, the overall climate of distrust and security- related paranoia that has permeated North America and Western Europe since 9/11, exacerbated by the unending attacks on security soft spots on Windows platforms, has had a marked impact on how corporations are currently opting to use Web services. Rather than pursuing applicable Web services that may be on offer on the Web from unknown third parties, corporations, for the time being at least, are electing instead to exploit Web-services technology as a new, standards-based component model for software being developed in-house or by trusted partners . In essence the use of Web services is being confined to intranets and extranets.

A: No ”most certainly not. While one cannot downplay the need for stringent security in any Web services “related scenario, it is important to keep things in perspective and to objectively evaluate the security implications of using a particular service on a case-by-case basis. Concerns about security need to be proportional to the actual sensitivity of the data involved. Thus, one should not generalize matters in this instance. There will be many Web services that deal in relatively innocuous data ”for example, a weather service or even Microsoft s MapPoint Web Service for mapping applications. Some will argue that knowledge of even the invocation of an external Web service, irrespective of the data that was exchanged, may provide a competitor or hacker with some level of insight. Again, it all depends on the application. One should use Web services with portals ”particularly public portals. If such a portal routinely invokes Web services dealing with weather, mapping, horoscopes, stock indexes, and so on, one will be hard pressed to argue that knowledge that these Web services are being invoked would provide a competitor with significant intelligence ”even though some would counter that knowing the rate at which these services are being invoked could indicate the popularity of that portal. The point here, however, is that it is indeed possible to have scenarios involving remote Web services where security should not be the show-stopper ”with the caveat that one always does have the option of still using available and appropriate security measures such as authentication and encryption.

A: By and large the answer to this has to be a resounding yes. At this juncture one should not lose sight of the fact that e-commerce continues to grow and that trillions of dollars worth of financial transactions, including online banking and online trading, take place over the Web on a daily basis. All of the technology used for these types of transactions, such as digital certificates, digital signatures, SSL, and two-factor authentication, are also available to be used in Web services “based applications. A big concern with Web services is that of rogue Web services, where this could be due to an unscrupulous provider or a compromised platform. However, similar rogue trader or rogue Web site scenarios are possible with e-commerce. One minimizes the danger of this by dealing with reputable sites. The same should apply to selecting Web-service providers. Provided you are dealing with a reputable service provider and are using all of the available and pertinent security technology (e.g., digital certificates, SSL) it is indeed feasible to use remotely invoked Web services ”particularly if one is dealing with data that is not ultrasensitive.

A: Yes, this will indeed be possible. This on-the-fly , everything done across the Web, e-commerce-based model, facilitated by UDDI, was the initial and compelling vision for Web services. It was even going to be possible to do all of this programmatically with the UDDI APIs. This original software functionality on-tap, over the Web, paradigm will continue to prosper , and one might check to see that the oft-mentioned Microsoft MapPoint service does indeed pander to this. This model will be the only one of interest to a large portion of the software development community (i.e., the cottage-industry sector made up of talented individual programmers and those who are working for small firms). Large enterprises selecting best-of-breed Web services for mission-critical applications may only espouse this totally dynamic, all-electronic paradigm for Web-service evaluation when the software is being invoked from stringently partitioned test machines. Once they have located a promising service, the norm today is to revert to a traditional, big-ticket purchasing routine involving reference checks, credit checks, background checks, contracts, and so on.

A: Digital certificates are electronic credentials issued by a trustworthy organization such as a large company or a security-specific entity such as VeriSign. A DC vouches for an individual s, a business s, or an application s identity and authority to conduct secure transactions over the Web. DCs are in essence the Internet equivalent of a travel passport. They are a universally accepted means of establishing one s identity and thus gaining entry to a protected resource. DCs are meant to replace traditional user IDs and passwords, which are not as secure or trustworthy. They are thus the preferred means for authenticating users and applications in today s Internet world.

A: SSL, a client/server-based security mechanism developed by Web browser pioneer Netscape Communications in 1996, is the accepted and trusted basis for most of today s secure transactions across the Web. SSL is a Transport Layer (i.e., Layer 4) security protocol that works on a client/ server basis. It provides authentication, integrity, and data privacy for applications running above the TCP Layer (i.e., Layer 3). SSL uses digital certificates to authenticate the server and the client of a particular transaction. In the case of Web services, this authentication would be for an application and the Web service it intends to invoke. The authentication can be bidirectional (i.e., both the application and the Web service make sure that they are indeed talking to whom they think they are). Following a successful authentication, the SSL sets about negotiating a common encryption scheme acceptable both to the client and the server. SSL does not do the end-to-end data encryption. SSL relies on well-established industry standards (e.g., 168-bit triple DES) and commercial ciphers (e.g., RSA). What it does is negotiate an encryption scheme acceptable both to the server and the client ”and then invokes this mutually accepted encryption scheme for encrypting the data flowing between the client and the server. Thus, the security services provided by SSL in Web-services scenarios would involve bidirectional authentication via digital certificates, acceptable encryption scheme negotiation between the application and the Web service, and invoking the accepted encryption scheme to ensure that the data flowing between the application and the Web service is indeed encrypted and tamperproof on an end-to-end basis.

A: There are a raft of new Web services “related security specifications being worked on. In some cases the goal of these specifications is to add XML support to existing technologies (e.g., XML Signature Syntax and Processing as well as XML Key Management Specification [XKMS]). In other cases the goal is to add security measures to SOAP (e.g., WS-Security, WS-Security Addendum, WS-Trust, etc.). A list of these security-related specifications can be found in Table 1.1. For the latest status of these specifications, as well as for news on any new security-related specifications, one should visit www.xmlweb.org.

A: Yes, most certainly. Java and .NET are today s strategic and popular software development platforms, particularly in the corporate arena. Web services, though truly a technology of the twenty-first century, are not, however, confined to these two new software platforms. Web services can be deployed on any platform that offers an appropriate Web-oriented transport that a calling application is willing and able to support. Web services are programming language and platform independent ”as is the case for the applications that wish to invoke Web services. Thus, it is indeed possible to have Web-services scenarios that do not involve Java or .NET. C and C++ on UNIX and Linux platforms are obvious candidates for Web-services scenarios, as are traditional transaction processing systems such as IBM s CICS and BEA s Tuxedo.

A: There will be a wide spectrum of pricing options for Web services, ranging from freeware to expensive, premium offerings, coupled with many permutations , in the case of the nonfreeware offerings, as to how the pricing will be structured. The pricing options available will definitely include one-time charge schemes, periodic licensing (e.g., monthly or yearly), and umpteen usage-based options.

A: No.



Previous page
Table of content
Next page
Web Services[c] Theory and Practice
Web Services[c] Theory and Practice
ISBN: 1555582826
EAN: N/A
Year: 2006
Pages: 113
BUY ON AMAZON
Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project
Network Security Architectures
Lotus Notes Developers Toolbox: Tips for Rapid and Successful Deployment
GO! with Microsoft Office 2003 Brief (2nd Edition)
Extending and Embedding PHP
DNS & BIND Cookbook
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy