Security Requirements

Coordinator
Feb 13, 2009 at 8:20 PM
Edited Feb 13, 2009 at 8:21 PM

On today's call, the question was raised over whether we should focus on a SOAP-oriented web services model or on a RESTful model. While there seemed to be some support for the latter, the question was raised of what security would look like in the RESTful case, given that it does not have anything directly comparable to the security frameworks/standards that appear in SOAP implementations. I gave it a little thought and it occurred to me that it would help for us to agree on what our security requirements are before evaluating whether any given solution meets those needs.

If it helps to frame the discussion, let me throw this question out there: What do we need to do from a security standpoint, that goes beyond what is provided by HTTPS?

Thoughts anyone?


Also, since REST and how security would be handled in it seems to be a relatively new topic for many of us, here are a few discussions on the subject which can help provide some food for thought.

Message Level Security and REST
http://72.249.21.88/nonintersecting/?year=2007&monthnum=05&day=25&name=message-level-security-and-rest&page=

Security and REST Web Services
http://blip.tv/file/234422/

RESTful Security
http://72.249.21.88/nonintersecting/2006/12/01/restful-security/


Something I came across today, but have not had a chance to look into more deeply, is OAuth. I don't know if it would be of use to us, but I figured I'd throw it out there for people to review and discuss.
http://oauth.net/


Coordinator
Feb 17, 2009 at 12:25 PM
I think HTTPS (SSL) generally only provides transport encryption and protection from man-in-the-middle attacks, without authentication. Authentication is necessary to ensure that only known partners are connecting and that messages match the authenticated identity. Certificate-based authentication can be used with SSL, but I think that the management challenges make certificates not the best choice, especially for peer-to-peer messaging.

--John

Coordinator
Feb 17, 2009 at 7:52 PM
I found the write-up Amazon provides for authenticating requests to the S3 service worth a look. It describes how they use the standard HTTP authentication header in REST services.

http://docs.amazonwebservices.com/AmazonS3/latest/index.html?RESTAuthentication.html

--John
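As an added illustration of the kind of request authentication John describes (example code written for this thread, not code from Amazon or from the project): a client computes an HMAC over the request's verb, headers and resource and sends it in the Authorization header, and the server recomputes it, checks that the Date is fresh, and compares in constant time. The field order follows the S3 REST authentication write-up; the x-amz-* header canonicalization step is omitted, and the key id and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed credentials for this example only (not real keys).
KEYS = {"AKIAEXAMPLE": b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
MAX_SKEW = timedelta(minutes=15)          # replay window the verifier tolerates
DATE_FMT = "%a, %d %b %Y %H:%M:%S GMT"    # RFC 1123 form used in the Date header


def string_to_sign(method, content_md5, content_type, date, resource):
    # Field order follows the S3 REST authentication document: HTTP verb,
    # Content-MD5, Content-Type, Date, canonicalized resource. The x-amz-*
    # header canonicalization step is left out to keep the example short.
    return "\n".join([method, content_md5, content_type, date, resource])


def signature(secret, method, content_md5, content_type, date, resource):
    sts = string_to_sign(method, content_md5, content_type, date, resource)
    digest = hmac.new(secret, sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(access_key, method, content_md5, content_type, date, resource):
    """Client side: build the Authorization header value."""
    sig = signature(KEYS[access_key], method, content_md5, content_type, date, resource)
    return f"AWS {access_key}:{sig}"


def verify_request(headers, method, resource, now):
    """Server side: return the authenticated key id, or None if rejected."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("AWS ") or ":" not in auth:
        return None
    access_key, presented = auth[4:].split(":", 1)
    secret = KEYS.get(access_key)
    if secret is None:
        return None                        # unknown partner
    try:
        sent = datetime.strptime(headers.get("Date", ""), DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None                        # missing or malformed Date
    if abs(now - sent) > MAX_SKEW:
        return None                        # stale: bounds replay of a captured request
    expected = signature(secret, method, headers.get("Content-MD5", ""),
                         headers.get("Content-Type", ""), headers["Date"], resource)
    # Constant-time compare so response timing does not leak signature bytes.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    return access_key
```

Because the verb and resource are part of the signed string, a captured signature cannot be reused for a different operation or object, and the Date check limits how long it can be replayed for the same one.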