Digital Signature Web Service Interface



Similar documents
This Working Paper provides an introduction to the web services security standards.

WEB SERVICES SECURITY

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

T Network Application Frameworks and XML Web Services and WSDL Tancred Lindholm

Representation of E-documents in AIDA Project

Web Services Description Language (WSDL) Wanasanan Thongsongkrit

How to consume a Domino Web Services from Visual Studio under Security

Java Security Web Services Security (Overview) Lecture 9

The presentation explains how to create and access the web services using the user interface. WebServices.ppt. Page 1 of 14

OpenHRE Security Architecture. (DRAFT v0.5)

Web Services Security SOAP Messages with Attachments (SwA) Profile 1.1

e-filing Secure Web Service User Manual

Introduction to Service Oriented Architectures (SOA)

Run-time Service Oriented Architecture (SOA) V 0.1

[MS-BDSRR]: Business Document Scanning: Scan Repository Capabilities and Status Retrieval Protocol

NIST s Guide to Secure Web Services

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Web Services Trust and XML Security Standards

Bindings for the Service Provisioning Markup Language (SPML) Version 1.0

Secure Authentication and Session. State Management for Web Services

Feide Integration Guide. Technical Requisites

XML Signatures in an Enterprise Service Bus Environment

A Service Oriented Security Reference Architecture

[MS-SAMLPR]: Security Assertion Markup Language (SAML) Proxy Request Signing Protocol

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

Authentication Context Classes for Levels of Assurance for the Swedish eid Framework

Securing Web Services With SAML

Server based signature service. Overview

A Signing Proxy for Web Services Security. Dr. Ingo Melzer RIC/ED

Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards)

Secure Semantic Web Service Using SAML

Authentication and Authorization Systems in Cloud Environments

Research on the Model of Enterprise Application Integration with Web Services

Web Services Implementation Methodology for SOA Application

Network Security. Chapter 10. Application Layer Security: Web Services. Part I: Introduction to Web Services

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

Strategic Information Security. Attacking and Defending Web Services

Iowa Immunization Registry Information System (IRIS) Web Services Data Exchange Setup. Version 1.1 Last Updated: April 14, 2014

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Digital Signing without the Headaches

Common definitions and specifications for OMA REST interfaces

Web Services Implementation: The Beta Phase of EPA Network Nodes

Web Service Security Vulnerabilities and Threats in the Context of WS-Security

Security Assertion Markup Language (SAML)

CHAPTER - 3 WEB APPLICATION AND SECURITY

Single Sign-On Implementation Guide

[MS-SPEMAWS]: SharePoint Web Service Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

Developer Guide to Authentication and Authorisation Web Services Secure and Public

Service Oriented Architecture

Service Virtualization: Managing Change in a Service-Oriented Architecture

Oracle Service Bus. User Guide 10g Release 3 Maintenance Pack 1 (10.3.1) June 2009

Web Services Distributed Management: Management of Web Services (WSDM-MOWS) 1.1

[MS-DVRD]: Device Registration Discovery Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

Web Services Manageability Concepts (WS-Manageability)

Integrating CRM On Demand with the E-Business Suite to Supercharge your Sales Team

WEB SERVICES TEST AUTOMATION

Creating Web Services in NetBeans

[MS-MDM]: Mobile Device Management Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

Lesson 4 Web Service Interface Definition (Part I)

Using mobile phones to access Web Services in a secure way. Dan Marinescu

HTTP and HTTPS Statistics Services

4. Concepts and Technologies for B2C, B2E, and B2B Transaction

SAML V2.0 Asynchronous Single Logout Profile Extension Version 1.0

Web Services. Seminar on Semantic Web & Web Services. - W3C Finland - 6th May Suresh Chande,

SAML-Based SSO Solution

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

Consuming and Producing Web Services with Web Tools. Christopher M. Judd. President/Consultant Judd Solutions, LLC

Web Services Technologies: State of the Art

Oracle Application Server 10g Web Services Frequently Asked Questions Oct, 2006

Identity in the Cloud Use Cases Version 1.0

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

Gigaset IP and IP-PRO Phones Provisioning / Remote Management. last modifications by J. Stahl, Bocholt, January the 18 th 2011

The Vetuma Service of the Finnish Public Administration SAML interface specification Version: 3.5

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

SAML 2.0 INT SSO Deployment Profile

Oracle WebLogic Server

OASIS Standard Digital Signature Services (DSS) Assures Authenticity of Data for Web Services

David Pilling Director of Applications and Development

Web Services Technologies

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

AquaLogic Service Bus

Transcription:

1 2 Digital Signature Web Service Interface 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 1 Introduction This document describes an RPC interface for a centralized digital signature web service that enforces policy controls on who can request signatures for specific transactions. The signature is calculated using a private key owned by the web service for the purpose of producing an organization signature. Thus, anyone within the organization authorized to obtain an organization signature can obtain it simply by request to the web service. 1.1 Motivation A digital signature provides: Authentication: A digital signature is unique to the private key used in its creation, and as a result it provides strong authentication of an individual when that individual signs a contract or e- business transaction. Support for Non-repudiation: Once a contract or transaction has been digitally signed, the signer cannot disclaim or "repudiate" the signature after the fact. This means, for example, that both parties to an online purchase are bound to the terms of the deal - and thus that both parties to the transaction are protected from online fraud. Data integrity: Included in a digital signature is protection of the signed data against any accidental or intentional tampering of the data. For example, the value of an online transaction cannot be compromised without detection, once it has been digitally signed. Most current implementations of digital signatures bind the public key with a specific individual that is responsible for the content of any data signed with the corresponding private key. However, there is a need, especially in the web services paradigm, for signatures that represent "organizations" (not individuals within organizations) and this need is becoming more apparent over time. Distributing the "organization" private key among all end users authorized to use it creates a number of security concerns. It makes sense then to provide a centralized service which applies all "organization" signatures using a private key unique to the organization. Thus, this document describes an RPC interface for a centralized digital signature web service that enforces policy controls on who can request signatures for specific transactions.

33 34 35 2 Terminology The key words must, must not, required, shall, shall not, should, should not, recommended, may, and optional in this document are to be interpreted as described in [RFC2119]. 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 3 General Interface Design Issues The major design goals of this specification are simplicity, extensibility and efficiency. 3.1 Related Standards This specification seeks to leverage both existing and emerging web service standards whenever possible. The following are particularly noted as relevant standardization efforts. 3.1.1 Existing Standards WSDL Defines how abstract interfaces and their concrete realizations are defined. SOAP Defines how to invoke remote interfaces. UDDI Defines how web services are published, queried and found using standardized directories. SSL/TLS Defines secure transport mechanisms. URL Defines URI (includes URL) syntax and encoding Character set encoding XML Digital Signatures Defines how portions of an XML document are digitally signed. SAML Defines how authentication and authorization information may be exchanged. P3P Defines how a Producer/entity may publish its privacy policy so that a Consumer could enforce End-User privacy preferences. 3.1.2 Emerging Standards XML Encryption Defines how to encrypt/decrypt portions of an XML document. WS-Security Defines how document level security standards apply to SOAP messages. XACML Defines a syntax for expressing authorization rules. 57 58 59 4 Digital Signature Interfaces Digital signature interfaces define all operations by the Digital Signature Server that produce a digital signature upon request by a Digital Signature Client. 2

60 61 62 63 64 65 66 4.1 envelopingsignxmldata The envelopingsignxmldata() operation returns an enveloping XML Digital Signature on the provided XML markup data. envelopingsignxmldataresponse = envelopingsignxmldata(tobesignedxmldata); tobesignedxmldata is the XML markup data to be signed. It is of type string. 67 68 69 envelopingsignxmldataresponse is the XML markup of the enveloping signature on tobesignedxmldata computed by the Digital Signature Server. It is of type string. 70 71 72 73 74 75 76 77 78 4.2 envelopingsign The envelopingsign() operation returns an enveloping XML Digital Signature on the data pointed to by the given URI. envelopingsignresponse = envelopingsign(tobesigneduri); tobesigneduri is the URI pointing to the data to be signed. It is of type string. 79 80 81 envelopingsignresponse is the XML markup of the enveloping signature on the data pointed to by tobesigneduri computed by the Digital Signature Server. It is of type string. 82 83 84 85 86 87 88 89 90 4.3 detachedsign The detachedsign() operation returns a detached XML Digital Signature on the data pointed to by the given URI. detachedsignresponse = detachedsign(tobesigneduri); tobesigneduri is the URI pointing to the data to be signed. It is of type string. 91 92 93 detachedsignresponse is the XML markup of the detached signature on the data pointed to by tobesigneduri computed by the Digital Signature Server. It is of type string. 94 3

95 96 97 98 99 100 101 102 103 104 4.4 envelopedsign The envelopedsign() operation returns an enveloped XML Digital Signature on the data pointed to by the given URI. envelopedsignresponse = envelopedsign(tobesigneduri, signatureposition); tobesigneduri is the URI pointing to the data to be signed. It is of type string. The data being pointed to MUST be XML markup. 105 106 107 108 signatureposition is the name of an XML element in the resource to be signed to be used as the insertion point for the signature by the Digital Signature Server. If null, the signature is inserted as the first child element under document root. It is of type string. 109 110 111 envelopedsignresponse is the XML markup of the enveloped signature on the data pointed to by tobesigneduri computed by the Digital Signature Server. It is of type string. 112 113 114 115 116 117 118 119 120 121 4.5 envelopedsignxmldata The envelopedsignxmldata() operation returns an enveloped XML Digital Signature on the XML markup data in the request. envelopedsignxmldataresponse = envelopedsignxmldata(tobesignedxmldata, signatureposition); tobesignedxmldata is the XML markup data to be signed. It is of type string. 122 123 124 125 signatureposition is the name of an XML element in the resource to be signed to be used as the insertion point for the signature by the Digital Signature Server. If null, the signature is inserted as the first child element under document root. It is of type string. 126 127 128 envelopedsignxmldataresponse is the XML markup of the enveloped signature on the data pointed to by tobesigneduri computed by the Digital Signature Server. It is of type string. 129 130 131 4

132 133 134 135 5 Security Digital Signature Servers will be exposed to many of the same security issues as other web service systems. For a representative summary of security concerns, refer to the Security and Privacy Considerations document produced by the XML-Based Security Services Oasis TC. 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 The Digital Signature Web Server MUST only produce a signature upon request from an authorized digital signature requester. Thus, the requester MUST be authenticated and policy controls determining who is authorized MUST be enforced. 5.1 Authentication of Consumer Digital Signature Server authentication of a requester may be achieved at the transport level through the use of client certificates in conjunction with SSL/TLS. 5.2 Authentication of Digital Signature Server Since the requester will likely be sending sensitive data to the Digital Signature Server to be signed, the Server should be authenticated before the data is sent. Authentication of the server may be achieved at the transport level through the use of server certificates in conjunction with SSL/TLS. 5.3 Confidentiality & Message Integrity SSL/TLS may be used to ensure the contents of messages are neither tampered with nor decipherable by an unauthorized third party. 151 152 153 154 155 156 For Digital Signature Server - requester communications, the use of SSL/TLS is provided by the Server s WSDL declaring an https: entrypoint. 5.4 Access control A Digital Signature Server MUST implement access control mechanisms that restrict which end entities are authorized to request digital signatures on documents. 157 158 159 160 161 162 163 164 165 166 167 168 6 WSDL Interface Definition <?xml version="1.0" encoding="utf-8"?> <definitions xmlns:s="http://www.w3.org/2001/xmlschema" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="urn:digsig" targetnamespace="urn:digsig" xmlns="http://schemas.xmlsoap.org/wsdl/"> <message name="envelopingsignxmldata"> <part name="tobesignedxmldata" 5

169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 <message name="envelopingsignxmldataresponse"> <message name="envelopingsign"> <part name="tobesigneduri" <message name="envelopingsignresponse"> <message name="detachedsign"> <part name="tobesigneduri" <message name="detachedsignresponse"> <message name="envelopedsign"> <part name="tobesigneduri" <part name="signatureposition" <message name="envelopedsignresponse"> <message name="envelopedsignxmldata"> <part name="tobesignedxmldata" <part name="signatureposition" <message name="envelopedsignxmldataresponse"> 6

232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 <porttype name="digsigporttype"> <operation name="envelopingsignxmldata"> <input message="tns:envelopingsignxmldata" <output message="tns:envelopingsignxmldataresponse" <operation name="envelopingsign"> <input message="tns:envelopingsign" <output message="tns:envelopingsignresponse" <operation name="detachedsign"> <input message="tns:detachedsign" <output message="tns:detachedsignresponse" <operation name="envelopedsign"> <input message="tns:envelopedsign" <output message="tns:envelopedsignresponse" <operation name="envelopedsignxmldata"> <input message="tns:envelopedsignxmldata" <output message="tns:envelopedsignxmldataresponse" </porttype> <binding name="digsigsoapbinding" type="tns:digsigporttype"> <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http" <operation name="envelopedsignxmldata"> <soap:operation soapaction="" <operation name="envelopingsignxmldata"> <soap:operation soapaction="" <operation name="envelopingsign"> 7

295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 <soap:operation soapaction="" <operation name="detachedsign"> <soap:operation soapaction="" <operation name="envelopedsign"> <soap:operation soapaction="" </binding> <service name="digsig"> <documentation>todo: add your documentation here</documentation> <port name="digsigport" binding="tns:digsigsoapbinding"> <soap:address location="http://my.org/digsigserver" </port> </service> </definitions> 345 346 347 348 349 7 References 7.1 Normative [RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997. PARTICULAR PURPOSE. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information