© 2004 VeriSign, Inc. Web Services and the Old World Phillip Hallam-Baker Principal Scientist VeriSign Inc.
Page 1

© 2004 VeriSign, Inc.

Web Services and the Old World

Phillip Hallam-Baker

Principal Scientist

VeriSign Inc.

Page 2

A Quotation

“I have seen the future and it has angle brackets.”
A Web Services Architect

Page 3

More Quotations

“Without Trust and Security, Web Services are dead on arrival.”
Phillip Hallam-Baker

“Unless you fix Internet crime, people are not going to be very confident in your ability to secure Web Services.”
One of his customers

Page 4

Internet Crime

+ It is real, it is organized, it is for profit
  + Spam was the start; phishing is merely the current tactic

+ Has required a re-evaluation of legacy Internet protocol security
  + Email was not designed to be secure

+ Phishing gangs are now exploiting that lack of security
  + Direct losses due to fraud are hundreds of millions
  + The cost of lost consumer confidence is potentially much higher

+ SSL held the line for ten years
  + During which time little was done to improve the user interface
  + Introduction of domain-authenticated certificates reduced the security assurance a certificate conveys

+ IPSEC and DNSSEC don’t really meet the security issues of Internet crime
  + Designed for very different threats

+ What is to be done?

Page 5

Industry Solution – Retrofit Web Services Architecture

+ Not acknowledged as such (of course)
  + Not even an acknowledgement that there is a systematic architecture
  + But close similarities exist

+ Example: Web Services discovery and protocol negotiation
  + XML defines common protocol syntax
  + XML Schema defines data structures
  + WSDL describes the message set etc.
  + WS-Policy allows negotiation of protocol version and features
  + WS-SecurityPolicy allows negotiation of security context

+ Fixing email
  + Multiple schemes: SPF/Sender-ID, DomainKeys/Identified Internet Mail

+ But each adds a security policy layer to the existing SMTP protocol
  + “All legitimate mail from this domain comes from these IP addresses”
  + “All legitimate mail from this domain is signed”

Page 6

Using the DNS for Protocol Policy Distribution

+ SPF (Sender Policy Framework) stores protocol policy in the DNS
  + A lightweight, ubiquitous protocol originally designed for name resolution

+ Works very well for policy distribution
  + Has built-in caching and time-to-live

+ No cryptographic security on the DNS lookup itself
  + But adding it is now only a matter of time, given the level of attack

+ Why not extend to a general security policy distribution protocol?
  + Does this web site support SSL?
    + Negotiate a transparent upgrade to HTTP over SSL
  + Does this email server support SSL?
    + Always-on security

+ Why not distribute WS-Policy statements via DNS?
  + We are not there yet
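The policy statement from page 5, “all legitimate mail from this domain comes from these IP addresses”, is exactly what an SPF TXT record in the DNS encodes, and the incoming edge (page 7) checks the connecting IP against it. The following is an added example, not code from the slides or from VeriSign: a simplified SPF evaluator in Python against a constructed in-memory DNS table (the domain names, records and addresses are made up sample data). Only the ip4, ip6, include and all mechanisms are implemented; a, mx, ptr, exists and redirect= are reported as permerror rather than silently ignored. As the slide notes, nothing here authenticates the DNS answer: the evaluator trusts whatever the resolver returns, which is why spoofable DNS is the weak point of this scheme.

```python
"""Simplified SPF policy check against an in-memory DNS table (added example)."""
import ipaddress

# Constructed sample zone data (assumption): TXT records keyed by domain name.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],   # self-referencing include
    "twice.example": ["v=spf1 -all", "v=spf1 +all"],         # two policies: ambiguous
}

MAX_DNS_LOOKUPS = 10   # SPF limit on lookup-causing mechanisms (RFC 4408 / RFC 7208)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fetch_spf_record(domain):
    """Return the domain's v=spf1 TXT record, None if absent, 'permerror' if ambiguous."""
    records = [r for r in DNS_TXT.get(domain, []) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not records:
        return None
    if len(records) > 1:           # the receiver cannot pick one policy over the other
        return "permerror"
    return records[0]


def check_host(ip, domain, lookups=None):
    """Evaluate ip sending MAIL FROM domain; returns pass/fail/softfail/neutral/none/permerror."""
    if lookups is None:
        lookups = [0]              # counter shared across include recursion
    record = fetch_spf_record(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:            # modifier: exp= etc. are ignored, redirect= is unsupported here
            if term.lower().startswith("redirect="):
                return "permerror"
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare address means /32 or /128
            except ValueError:
                return "permerror"
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"                               # ip4: with an IPv6 argument etc.
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many lookups; also stops include loops
            inner = check_host(ip, arg, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable policy
            # fail/softfail/neutral from the included policy: no match, keep evaluating
        else:
            return "permerror"     # a, mx, ptr, exists and unknown mechanisms not implemented
    return "neutral"               # nothing matched and no explicit "all" term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.com"), ("203.0.113.5", "example.com"),
                       ("2001:db8::1", "example.com"), ("203.0.113.5", "loop.example")]:
        print(f"{ip:>14} as {domain}: {check_host(ip, domain)}")
```

A receiving edge would call `check_host` with the TCP peer address and the MAIL FROM domain, reject on `fail`, and treat `permerror` as a policy defect rather than as evidence about the sender. The lookup counter is what keeps a malicious or misconfigured record from turning the verifier into a DNS amplifier.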

Page 7

Rediscovering the Edge

+ Traditional Internet architecture regarded firewalls as evil
  + End-to-end security or nothing
  + Usually ending up with nothing or next to nothing

+ Web Services & the Web Services Security model embrace firewalls
  + “Here is the information you need to let me through”

+ Security architectures to address Internet crime rediscover the edge
  + Authenticate email at the domain level
  + Apply authentication to email at the outgoing edge server
  + Verify authentication at the incoming edge

Page 8

‘Web Services Lite’

+ Legacy Internet protocols packaged in a Web Services friendly form
  + SOAP is not supported
  + Protocol must be hand coded
  + Syntax and specification are idiosyncratic

+ But they allow a client to answer important questions
  + What versions of the protocol are supported?
  + What security enhancements are supported?
  + Is there a pure Web Service connection available?

+ And they acknowledge the fact that edge security is legitimate
  + Network infrastructure is not abstracted away in the security model
  + End-to-end considered a cop-out, ignoring the real security issues

Page 9

What are the Implications for Web Services?

+ Lessons learned #1
  + It’s not the technology, it’s the deployment strategy

+ Lessons learned #2
  + It’s not the standards body, it’s the constituency of stakeholders
  + See Lesson #1

+ Lessons learned #3
  + Make the barriers to entry exceptionally low
  + See Lesson #1

+ Lessons learned #4
  + The bad guys attack the system at its weakest point
  + That is often the consumer
  + See Lesson #1

Page 10

What are the Implications for Web Services?

+ Web Services Lite is being deployed
  + SPF/Sender-ID email authentication has critical mass
  + Considerable backing for DomainKeys/Identified Internet Mail
  + Internet crime provides a major forcing function
  + Expect businesses to sign SMTP mail by default in the near future

+ It would be good to use as much Web Services experience as possible
  + If only to serve as a prototype deployment and sanity check for Web Services
  + Legacy protocols are in flux; change is possible

+ Potential downside
  + It is concluded that the legacy Internet protocols are sufficient
  + No need to move to new platforms such as SOAP

+ Potential upside
  + Close many of the security holes that create ‘gotchas’ for Web Services
  + Co-opt Web Services Lite to provide a low barrier to entry for true Web Services

Page 11

Beyond EDI with angle brackets

+ One view of Web Services is to provide ‘frictionless capitalism’
  + XML is better than the ASN.1 in EDI because the wind resistance of the angle brackets is lower…

+ Web Services will connect big company to big company
  + Electronic supply chain
  + Smaller companies will be bullied into line and forced to comply
  + Huge benefits for large companies
  + Smaller companies with no ERM systems to integrate to will get ?

+ Perhaps there is another approach
  + Support the small business doing one Web Services transaction a week
  + Real-time integration will still require infrastructure

Page 12

Web Services without the server

+ Servers represent a real cost to a small business
  + Software is expensive and requires specialist coding skills
  + Maintenance is even more expensive
  + Has to be on 24/7
  + Reliability requires a redundant configuration

+ Clients are cheap
  + Software is subject to commodity pricing and off-the-shelf distribution
  + The client connection is more forgiving; coding errors are less disastrous

+ Email is ubiquitous and inexpensive
  + With the new cryptographic enhancements (domain-level authentication and signing) it is becoming reliably secure

Page 13

Proposal: Use Email for the low cost entry point

+ Example: electronic invoicing
  + Transition will mean that there are multiple speeds:
    + Large business supports an e-Invoice Web Service
    + Some small businesses and consumers opt to receive invoices by email
    + Some still receive paper

+ Some businesses will interface their Web Services to paper
  + Order received by Web Service is printed out and sent to Accounts

+ Some businesses will have tight integration with their ERM system

+ Some will be using Quicken, QuickBooks or Microsoft Money
  + Application recognizes the message as an invoice
  + Source is identified as trustworthy
  + Automatically enter it into the ledger

Page 14

Conclusions

+ Internet crime is affecting Web Services
  + A major effect on consumer and business confidence in the Internet
  + Requiring redesign of the legacy protocol infrastructures

+ Many features of Web Services are being grafted onto the legacy base

+ Web Services can benefit from this process
  + Make use of the secured legacy infrastructures

+ Use them to lower barriers to adoption
  + Make Web Services into a mass-market technology, not merely EDI mk II

Page 15

© 2004 VeriSign, Inc.

Thank You
