PublicKeyInfrastructure (PKI) is a security mechanism often used in
WebServices Implementations. Its use is also common in the setup of
SecureSocketsLayer implementations (Layer 7 of
OpenSystemsInterconnect model)
SSL was designed for synchronous transactions and everything is encrypted. These characteristics made its use inappropriate for
WebServices.
With adoption of
OasisOrganization WebServicesSecurity (WSS) specification, PKI implementation become common amongst vendor products. This is because use of PKI mechanisms enabled easier "roll-your-own" SSL like mechanisms (with fine grained encryption and authentication) that conform with WSS and upcoming WS-
SecureConversation, WS-Trust.
There exists a risk that has to be managed, due to vagueness in the application of the standards concerned.
Reading Material
- Ten things I wish they warned me about PKI
- Introduction to W2K PKI
CategorySecurity