XML Web Services and Security

Because a large number of web services are built on XML, many new standards have been developed to supply the basic security infrastructure that supports its use. Here is a quick list (by no means complete) of some developing technologies which may be of use to the reader. It will hopefully flag up some further reading for anyone new to XML development.

XML Signature – an XML specification for digital signatures.  These are essential to provide authentication, integrity of the message and of course non-repudiation.

XML Encryption – a companion to XML Signature – this addresses the need to encrypt and decrypt XML documents and sections of documents.

XML Key Management Specification (XKMS) – defines messages and protocols for exchanging and distributing public keys. It also provides a way to distribute keys between transaction clients that are not previously known to each other.

Security Assertion Markup Language (SAML) – protocol for exchanging authentication and authorization information.
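To make the XML Signature entry above concrete, here is an added Python example (not code from the original article) that builds and verifies a minimal detached ds:Signature using the HMAC-SHA256 signature method, with only the standard library. It assumes a shared secret rather than an RSA key pair, so it gives integrity and authentication but not non-repudiation, and it uses the stdlib's C14N 2.0 canonicalisation in place of the C14N 1.x algorithms that production XML-DSig libraries use; the Order element, its Id and the key are constructed sample data.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DSIG)  # fixed prefix so a re-serialised SignedInfo canonicalises identically
# Constructed sample data: the signed element carries the Id that the Reference URI points at.
ORDER = '<Order Id="order1"><Item>widget</Item><Qty>3</Qty></Order>'
KEY = b"shared-secret-from-key-management"  # constructed; real keys come from key management (e.g. XKMS)


def c14n(xml_text: str) -> bytes:
    # Canonicalise before hashing so equivalent serialisations verify while real edits do not
    # (assumption: stdlib C14N 2.0 stands in for the C14N 1.x that production XML-DSig stacks use).
    return ET.canonicalize(xml_text, strip_text=True).encode()


def element_c14n(elem: ET.Element) -> bytes:
    elem.tail = None  # hash the element itself, not whitespace that followed it in the document
    return c14n(ET.tostring(elem, encoding="unicode"))


def sign(payload: str, key: bytes) -> str:
    """Return a detached ds:Signature (HMAC-SHA256) over the canonical form of payload."""
    sig = ET.Element(f"{{{DSIG}}}Signature")
    si = ET.SubElement(sig, f"{{{DSIG}}}SignedInfo")
    ET.SubElement(si, f"{{{DSIG}}}SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, f"{{{DSIG}}}Reference", URI="#" + ET.fromstring(payload).get("Id", ""))
    ET.SubElement(ref, f"{{{DSIG}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = base64.b64encode(hashlib.sha256(c14n(payload)).digest()).decode()
    mac = hmac.new(key, element_c14n(si), hashlib.sha256).digest()  # the MAC covers SignedInfo, which holds the digest
    ET.SubElement(sig, f"{{{DSIG}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(sig, encoding="unicode")


def verify(payload: str, signature_xml: str, key: bytes) -> bool:
    """True only if SignatureValue covers SignedInfo and its single Reference digest matches payload."""
    sig = ET.fromstring(signature_xml)
    si = sig.find(f"{{{DSIG}}}SignedInfo")
    method = si.find(f"{{{DSIG}}}SignatureMethod") if si is not None else None
    if method is None or method.get("Algorithm") != HMAC_SHA256:
        return False  # never let the message choose an algorithm the verifier did not expect
    expected = hmac.new(key, element_c14n(si), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig.findtext(f"{{{DSIG}}}SignatureValue", ""))):
        return False
    refs = si.findall(f"{{{DSIG}}}Reference")
    if len(refs) != 1 or refs[0].get("URI") != "#" + ET.fromstring(payload).get("Id", ""):
        return False  # exactly one Reference, and it must point at the element we were handed
    digest = base64.b64decode(refs[0].findtext(f"{{{DSIG}}}DigestValue", ""))
    return hmac.compare_digest(hashlib.sha256(c14n(payload)).digest(), digest)
```

Calling verify() with a tampered Qty, a different key, or a Signature whose SignatureMethod has been altered returns False, while an equivalently serialised Order (for example with single-quoted attributes) still verifies.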

In addition to these important XML concepts, there are other technologies which should be considered. For information and articles on security and anonymity, particularly in large-scale infrastructures, there is a lot of good advice (particularly concerning proxies) on this technology website: http://www.anonymous-proxies.org/

Other useful reading areas are further web technologies such as SOAP, WSDL and UDDI. Although these technologies all perform very useful services for any XML developer, they are particularly vulnerable to interception and eavesdropping attacks ‘on the wire’. Because XML is often transmitted in clear text, SSL should be used for any private information. Note that SSL only protects the message while it is in transit between two endpoints; where a SOAP message passes through intermediaries, the XML Signature and XML Encryption standards above protect the message itself.