Wednesday, February 13, 2002

Digital Signatures and Web Services: Signing Your Service
Digital Signatures are a standard in security and cryptography for applications, and are becoming more widespread in their use. We will take a look at industry standards and support for the use of Digital Signatures in the Web Service area, and at why Digital Signatures are important and why they are being adopted quickly.

Let's start by defining what a Digital Signature is. A Digital Signature, in its simplest form, is a cryptographic piece of data that is attached to a piece of code. The piece of code could be program code, Web Services, or XML messages. The Digital Signature is meant to provide assurance to the receiving user (end user) that what they are working with is unaltered and retains its original integrity. Digital Signatures also fulfil an important non-repudiation function, allowing us to identify the author of the code to which the signature is attached. Since integrity is very important in the computer products delivered today, one useful by-product of using Digital Signatures is widespread acceptance of the product they represent. A simple example of this is the use of digitally signed device drivers in the Windows 2000 and XP products from Microsoft: there, the Digital Signature gives a technician instant feedback about the integrity of the product being installed.

To understand how Digital Signatures and Web Services fit together, we need to look into Digital Signature developments in XML.

Digital Signatures and XML Standards

In this section we will discuss emerging XML standards in relation to Digital Signatures. We will look briefly at the XKMS and XML DSig specifications before we look, in the next section, at the support for using these standards in Web Services. The XKMS and XML DSig specifications are meant to work in concert with each other.
Let's begin by looking at a little history of Web Services and security, and at why we need to enhance the existing standards. When we look at the history of the Web, no other medium has ever driven computer security measures the way e-commerce and Web based interchange have. As we know, integrity on the Web is very important, and consumer confidence is driven by it. Web Services present additional challenges in that they are applications that flow from one Web site to other Web sites, which calls for greater caution because a single Web site may then present information from more than one source. Even though we may trust the Web site we logged into, the Web Service attached to that site could come from a different source. It is therefore incumbent upon both the site and the Web Service provider to make sure that security and verification measures are in place, so that our confidence extends to the entire site. As these concerns have surfaced, there has been a realization that the historical approach of using certificates for security needs to be extended with a deeper scheme that provides security mechanisms down to the message level. The emerging standards are welcome and beneficial in that regard. The challenge that lies ahead will be to streamline Digital Signatures and their infrastructure so that they cost less from a performance perspective.

XKMS

The XML Key Management Specification (XKMS) is a standard that was submitted to the W3C to outline a process for managing XML based Digital Signatures in the Web Services environment. It is built on WSDL and SOAP, and it defines the protocol necessary for distributing and registering the public keys used in the XML DSig specification, discussed next. The XKMS specification is made up of two parts: X-KISS (XML Key Information Service Specification) and X-KRSS (XML Key Registration Service Specification).
XML DSig Specification

The XML DSig specification has been submitted to the W3C, and is meant to provide tools and guidelines on how to incorporate Digital Signatures into XML documents. It is being worked on jointly by the IETF and W3C, and provides the syntax and procedures for Digital Signature usage within XML documents. When choosing to implement Digital Signatures, the tools should provide:
The above list is by no means comprehensive, but it does provide a guideline for selecting a Digital Signature toolset. From here, let's talk about how we integrate the two standards described above into our Web Services environment.

Digital Signatures and Web Services

As we said above, XKMS is based on SOAP and WSDL, and is meant to provide the Web Services developer with management services for the Digital Signatures that are part of a Web Service. In this section we will look at a scenario that shows how Digital Signatures should be integrated into Web Services, and why.

The scenario involves a Web Service that needs to track signatures for multiple parts of the Web Service's XML document. In this case the Digital Signatures would be enclosed within the XML document. This would come in handy if a contract were being sent to a receiver for signature and return. An example would be a real estate brokerage firm that offers its contracts for offers on homes to be processed via a Web Service, so that other agencies could partner with the firm and take advantage of the service and the processing needed for those types of deals.

In our scenario, a real estate contract is sent; it has multiple pages, each of which needs a signature. As illustrated below, as the XML message is read at the signer's end, the application generates and tracks the appropriate Digital Signatures, ensuring the tracking, encryption, and timestamping of each signature. Upon completion, the message is returned to the sending business, where the signatures are verified and logged.
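To make the XML DSig structure from the previous section and the multi-page contract scenario concrete, here is an added example (it is not code from the article, nor from any XKMS or XML DSig toolset). It builds a detached ds:Signature whose SignedInfo carries one ds:Reference per contract page, or a single Reference covering the whole Contract element, and then verifies on the receiving side. Everything below is assumed for the sake of the demonstration: HMAC-SHA256, a SignatureMethod defined for XML DSig, stands in for RSA because the Python standard library has no RSA (so it proves integrity with a shared key, not the non-repudiation of a public-key signature); Canonical XML 2.0 from ElementTree (Python 3.8+) stands in for whatever canonicalization a real toolset applies; the Signature is kept outside the contract so no enveloped-signature transform is needed; and the contract, its element ids and the key are constructed sample data.

```python
# Added example, not code from the article or from any XKMS/XML DSig toolset.
# Assumptions: HMAC-SHA256 stands in for RSA (integrity, not non-repudiation);
# Canonical XML 2.0 from ElementTree stands in for a toolset's canonicalization;
# the Signature is detached (no enveloped-signature transform); the contract,
# ids and key below are constructed sample data.
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DSIG_NS)
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
HMAC_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
C14N2_URI = "http://www.w3.org/2010/10/xml-c14n2"

# Constructed sample contract: three pages, each addressable by its id.
CONTRACT_XML = """<Contract id="offer-1">
  <Page id="page1">Offer price: 250000</Page>
  <Page id="page2">Closing date: 2002-03-01</Page>
  <Page id="page3">Buyer initials: WH</Page>
</Contract>"""
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

def _tag(name):
    return f"{{{DSIG_NS}}}{name}"

def _canonical(el):
    """Serialize one element (minus its tail text) as Canonical XML 2.0."""
    el = copy.deepcopy(el)
    el.tail = None
    return ET.canonicalize(xml_data=ET.tostring(el, encoding="unicode"), strip_text=True)

def _digest_value(el):
    return base64.b64encode(hashlib.sha256(_canonical(el).encode()).digest()).decode()

def _signature_value(signed_info, key):
    mac = hmac.new(key, _canonical(signed_info).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def _elements_by_id(root):
    return {el.get("id"): el for el in root.iter() if el.get("id") is not None}

def build_signature(doc_root, key, reference_ids):
    """Detached <ds:Signature> with one <ds:Reference> per id in reference_ids.

    Pass the page ids for per-page signing, or the root element's id to cover
    the whole document with a single Reference.
    """
    by_id = _elements_by_id(doc_root)
    signed_info = ET.Element(_tag("SignedInfo"))
    ET.SubElement(signed_info, _tag("CanonicalizationMethod"), Algorithm=C14N2_URI)
    ET.SubElement(signed_info, _tag("SignatureMethod"), Algorithm=HMAC_SHA256_URI)
    for ref_id in reference_ids:
        ref = ET.SubElement(signed_info, _tag("Reference"), URI=f"#{ref_id}")
        ET.SubElement(ref, _tag("DigestMethod"), Algorithm=SHA256_URI)
        ET.SubElement(ref, _tag("DigestValue")).text = _digest_value(by_id[ref_id])
    signature = ET.Element(_tag("Signature"))
    signature.append(signed_info)
    ET.SubElement(signature, _tag("SignatureValue")).text = _signature_value(signed_info, key)
    return signature

def verify_signature(doc_root, signature, key):
    """Check SignatureValue over SignedInfo and every Reference digest.

    Both checks are needed: a page can change without SignedInfo changing,
    and SignedInfo can be rewritten if SignatureValue is never checked.
    """
    signed_info = signature.find(_tag("SignedInfo"))
    stored = signature.findtext(_tag("SignatureValue")) or ""
    sig_ok = hmac.compare_digest(_signature_value(signed_info, key), stored)
    by_id = _elements_by_id(doc_root)
    references = {}
    for ref in signed_info.findall(_tag("Reference")):
        ref_id = ref.get("URI", "")[1:]
        target = by_id.get(ref_id)
        digest = ref.findtext(_tag("DigestValue")) or ""
        references[ref_id] = target is not None and hmac.compare_digest(
            _digest_value(target), digest)
    return {"signature_value_ok": sig_ok, "references": references,
            "valid": sig_ok and bool(references) and all(references.values())}

def demo():
    """Sign per page and whole-document, alter page2, then verify both ways."""
    contract = ET.fromstring(CONTRACT_XML)
    per_page = build_signature(contract, SHARED_KEY, ["page1", "page2", "page3"])
    whole = build_signature(contract, SHARED_KEY, ["offer-1"])
    before = verify_signature(contract, per_page, SHARED_KEY)
    _elements_by_id(contract)["page2"].text = "Closing date: 2002-02-14"  # alteration
    after = verify_signature(contract, per_page, SHARED_KEY)
    whole_after = verify_signature(contract, whole, SHARED_KEY)
    return before, after, whole_after

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it shows the distinction the scenario relies on: after page2 is altered, the per-page signature still has a valid SignatureValue (SignedInfo itself was not touched) but the Reference for page2 fails its digest check, so the verifier can log exactly which page changed; the whole-document signature only reports that the Contract as a whole no longer matches. A verifier that checked only SignatureValue, or only the digests, would accept a document it should reject.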
Alternatively, we could provide one Digital Signature for the entire document, a process very similar to the one outlined above, only a bit quicker as there is less information to secure. As seen above, Web Services integration with Digital Signatures and XML documents has many uses. It will indeed be both viable and beneficial to take advantage of these specifications in the future development of Web Services.

Conclusion

Digital Signatures are evolving into an industry standard tool for authentication, verification, and tracking of documents that require signature and encryption techniques. There is ongoing work in this area, and we will continue to see toolsets and support evolve.
By Whitney Hankison