Q&A: VeriSign's Phillip Hallam-Baker on Web services security

BOSTON -- IT professionals should wait for the Web Services Security specification to be finalized and implemented before they start building sophisticated Web services that extend beyond their company's firewalls, according to the specification's co-author.

Phillip Hallam-Baker, principal scientist at Mountain View, Calif.-based VeriSign Inc., said it could take between six months and two years to nail down the WS-Security specification that he helped to write. Hallam-Baker spoke with Computerworld's Carol Sliwa about the state of Web services security during this week's XML Web Services One Conference here.

The WS-Security specification was announced in April by IBM, Microsoft Corp. and VeriSign and was turned over to the Organization for the Advancement of Structured Information Standards (OASIS). A technical committee working to advance WS-Security will hold its first face-to-face meeting next week.

Hallam-Baker was also senior author of the XML Key Management Specification (XKMS), and he served as editor of the Security Assertion Markup Language core schema and protocol specification. Here's what he had to say.

Phillip Hallam-Baker, principal scientist at VeriSign Inc.
Phillip Hallam-Baker, principal scientist at VeriSign Inc.

Q: Web services have been talked about for a while now, but clear and concise definitions are tough to come by. How do you define Web services?
Phase 1 of the Web was the human interacting with computer. And that's how we defined it at CERN. All the time we were thinking about human users talking to machines. We did do some work on machine-to-machine, but that was not what HTTP was optimized for.
What Web services are about is machine-to-machine communication. The base technology is XML and XML schema. If we want to narrow it to what types of Web service specifications are you going to be most interested in supporting -- obviously SOAP [Simple Object Access Protocol], WS-Security, XKMS.

Q: You said that users can build basic Web services today. When do you predict they'll be able to develop more sophisticated Web services?
I would look at it saying, first of all, don't look at Web services. Look at functionality. ... Look at the applications that meet that functionality. If there is a standard out there already and it's fine, then use it. If there isn't and you're looking to form some sort of group to build that type of functionality, then the platform to look at is Web services, because it's definitely where you'll get more programmer support, the most platform vendor support and all that great stuff.

Q: What events will need to happen for IT professionals to be able to start thinking about doing more sophisticated Web services that traverse firewalls?
Well, we've already got the programming tools. I think you're going to want to see WS-Security implemented, because at the moment, you can use SSL [Secure Sockets Layer] and it provides security. However, using SSL limits the type of Web-service-type things you can do to an incredible degree. It only supports the data when it's actually on the wire, and we know that there are going to be multiple hops in these systems. So Web services security will be a key enabler.
We really need a way of expressing what the security contexts are in terms of WSDL [Web Services Description Language]. At the moment, you write your application, and you can do this drag-and-drop stuff that Microsoft has probably been showing you. Well, you take the WSDL and you drag [it] ... and out comes all this C#, and isn't it wonderful?
And you say, "Well that's great, but the problem is that all I've got now is an interface to a DLL [Dynamic Link Library], and you're not giving me any of the security context. That's got to be in the WSDL, so that the security policy is there. ... You might have six XKMS interfaces out there, and VeriSign might be operating more than one of them, and when you're dragging and dropping that WSDL description onto your platform, you want it to be saying, "OK, here's the root key for this service. This service requires you to encrypt your requests. This service always authenticates its responses."
That's actually very important -- knowing that a service supports authentication. Because otherwise what can happen is you ask a question to the service, [and the] man in the middle takes the response back and takes all of the authentication information. It just says, "Oh, by the way, I don't do authentication." So you then say, "If you don't authenticate, I'll just do it the old way." It's called a downgrade attack, and it's a problem when you have secure systems and insecure systems cooperating together. People can always downgrade you to the insecure.

Q: Is someone working on this issue?
There are people who are looking at WSDL. Nobody's put a proposal out there in public yet. I think you will see that as soon as you've got WS-Security started.

Q: The first face-to-face meeting of the WS-Security technical committee will be held next week. What's been going on up to this point?
You heard them talking about how fast we'd get these security standards out and so on. Now we want to move away from the old model of 10-year standards. I've been participating in some IETF [Internet Engineering Task Force] groups that have been around for over 10 years and are still in process. We are not doing that.
There are people like myself who are full-time occupied on the development standards, and we push things real hard. If something isn't meeting a deadline, if people are having an argument, I will make things happen. And I not only know everybody in the room, I know all their managers.
If two people need to agree, either we will come to an agreement or we'll have a flame-out. We could throw part of the spec out. We could split the standards group. If I'm convinced that we're not going to get agreement, I'm going to say, "OK. We're splitting." And people know that that would be bad press.

Q: When will WS-Security get nailed down?
Within a two-year time span, certainly. Within a six-month time span, certainly not. Between the two, well it depends.

Q: Perhaps a year to 18 months?
There's not going to be a certain day where it's going to be before that, it didn't work; it worked afterwards.

Q: In the meantime, do you advise IT professionals to work on internal Web services projects?
Absolutely. You want to start the planning. There are people building XML Web services firewalls.

Q: Are Web services getting too complicated for the average IT shop to do?
I believe that what you will see is we will do an incredible amount of stuff with it. People will save an incredible amount of money with it. And yes, there are going to be problems that are going to turn out to need a different approach.
However, it's the 80-20 thing all along. If we can get 80% of our supply chain integration problems solved, and the 20% remaining are the even harder problems, well, we'll have another round. It's like painting the Golden Gate Bridge. As soon as they finish painting one end, they've got to start at the beginning. However, you can still use the Golden Gate Bridge, even though the paint at the other end still hasn't been done. You don't need to wait for the whole thing. And we don't need 100% solution, but we have got a very good 80% to 90% solution with Web services.

Copyright © 2002 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon