WS-Security Vs SSL
One might ask: why should I go for XML Web Services Security (XWS, a WS-Security implementation from Sun Microsystems) when other security methodologies exist? What are the differences between WS-Security and SSL?
Very, very rational to ask!
Here are a couple of reasons why SSL doesn't fit the bill for web services communication:
#1. SSL is good only for POINT-TO-POINT communication:
SSL works by encrypting the transport data between two endpoints. For a web service, the call is routed through intermediary nodes, not just two endpoints. WS-Security, by contrast, solves this problem: it is an END-TO-END solution.
#2. Authentication becomes difficult with SSL:
SSL must be used to secure the communication between all the points on the network to solve the END-TO-END problem, which makes it very difficult to verify that the message was signed by the client.
#3. SSL is fastened to the HTTP protocol:
Web services have the flexibility to bind to other transports such as SMTP, TCP, JMS, FTP, etc. as the implementation matures. The message syntax remains the same; only the underlying transport changes. This kind of flexibility is not an option in the SSL world.
#4. Encrypting/signing part of the message is not possible with SSL:
One of the advantages of XWS is that we can encrypt or sign just part of the SOAP message, which is not possible with SSL. E.g., encrypt just the credit card and expiration date in commercial transactions.
But there are some overheads one should be aware of with any WS-Security implementation: XML parsing, message element lookups, etc., since we are targeting a few elements rather than the whole SOAP message.
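The sketch below is an added illustration, not code from this post and not the XWS API: it signs only the payment element of a SOAP message, so an intermediary can change the routing header without breaking the check, while any change to the signed part is detected. It is simplified: an HMAC-SHA256 over the canonical form of one element stands in for a full XML Signature, and the `ex:` namespace, element names, `Id` value and key are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: the ex: namespace, element names and Id are illustrative.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ex="urn:example:shop">
  <soap:Header><ex:Route>node-a</ex:Route></soap:Header>
  <soap:Body><ex:Order>
    <ex:Item>book</ex:Item>
    <ex:Payment Id="pay-1">
      <ex:Card>4111111111111111</ex:Card><ex:Expiry>12/30</ex:Expiry>
    </ex:Payment>
  </ex:Order></soap:Body>
</soap:Envelope>"""
KEY = b"constructed-demo-key"  # known to the client and the final receiver only


def _mac_of_part(envelope_xml, part_id, key):
    """HMAC-SHA256 over the canonical form of the one element with this Id."""
    root = ET.fromstring(envelope_xml)
    matches = [el for el in root.iter() if el.get("Id") == part_id]
    if len(matches) != 1:  # missing or duplicated Id: the reference is ambiguous
        raise ValueError(f"expected one Id={part_id!r}, found {len(matches)}")
    part = matches[0]
    part.tail = None  # text after the element is outside the signed subtree
    canonical = ET.canonicalize(ET.tostring(part, encoding="unicode"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_part(envelope_xml, part_id, key):
    """Client side: produce the signature value for the selected element."""
    return _mac_of_part(envelope_xml, part_id, key)


def verify_part(envelope_xml, part_id, key, signature):
    """Receiver side: recompute over the received message, compare in constant time."""
    try:
        expected = _mac_of_part(envelope_xml, part_id, key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    sig = sign_part(SAMPLE, "pay-1", KEY)
    rerouted = SAMPLE.replace("node-a", "node-b")  # intermediary edits the header
    tampered = SAMPLE.replace("12/30", "12/99")    # signed payment data altered
    print("rerouted verifies:", verify_part(rerouted, "pay-1", KEY, sig))
    print("tampered verifies:", verify_part(tampered, "pay-1", KEY, sig))
```

The parse, element lookup and canonicalization steps in `_mac_of_part` are the per-message overhead mentioned above. A service receiving untrusted XML should also use a hardened parser configuration.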
I will talk more on XWS implementation in the upcoming blog notes. If you have any questions, you know where to ping me.
Hasta La Vista!
Posted by Sunil Prakash on April 28, 2007 at 02:43 AM PDT #
SMTP and FTP over SSL are a reality today.
Posted by 95.33.80.213 on April 02, 2009 at 01:44 AM PDT #