How The Internet Can Be Fixed -- Right Now
In May of last year, I published my thoughts on how to save the Internet in a whitepaper [PDF] and a series of Security Adviser posts, including "Fixing the Internet" and "Defending 'Fixing the Internet'." At the time I believed that it would take a bunch of new protocols to begin to pull off my vision, and I still believe that, at least for the full vision.
However, I did a disservice by not discussing the protocols and standards that already exist today, particularly a number of relatively new security protocols that are already helping to make the Internet a safer place. Created by many, many experts, these protocols aren't pie-in-the-sky dreams, but have already emerged as de facto standards. Any future Internet-based security system will likely use them, and perhaps contain all of them.
These are some of the protocols that are helping to build a more secure Internet:
Simple Object Access Protocol (SOAP) is a platform-independent, XML-based protocol for sending messages (that is, data) between Web services and participating networks. If HTTP is the circulatory system, SOAP messages are the red blood cells.
Security Assertion Markup Language (SAML) is an XML-based standard for communicating identity, authentication, and authorization information between security domains. SAML 2.0 is quickly being accepted and adopted by most major players.
Web Services specifications and extensions (WS-*) are a collection of (often unrelated) messaging standards for Web services, many of them concerned with Web services security. The Web Services (WS) specifications themselves deal with how various applications and computers can successfully and reliably communicate over untrusted networks such as the Internet.
WS-Security is a general-use communications protocol covering security specifications as applied to Web services. It discusses how to ensure confidentiality and integrity across the Web. WS-Security uses SOAP messages to ensure end-to-end security at the application layer.
WS-Federation incorporates the mechanisms and protocols to allow unrelated security domains to securely communicate identity and authentication information. This standard enables separate authentication domains to communicate, creating the foundation for larger realms of trust across ever larger security domains, perhaps global in scope. WS-Federation is a big deal.
WS-Trust is a Web service specification dealing with identity/authentication security tokens. It covers provisioning, de-provisioning, renewing, and validating participating tokens. Used with WS-Federation, WS-Trust allows applications in different security domains to broker trust relationships between entities that might otherwise have a hard time doing so.
Security Token Service (STS) is a Web service that issues security tokens as defined in the WS-Security and WS-Trust specifications. Any authentication provider that issues security tokens can be considered an STS if it conforms to the general principles described in the specification.
OpenID is a decentralized way to exchange identity/authentication tokens between the provider and consumer of a Web service. It can manage and protect multiple types of authentication, including passwords, digital certificates, and two-factor security tokens. A single user can have multiple OpenID credentials and submit the appropriate one when requested. Supported by many of the world's largest vendors, OpenID is expected to become a de facto Web browser standard in the near future. Microsoft recently announced that its CardSpace implementation (in Windows XP Pro and later) and Windows Live IDs already conform to the OpenID specification.