Monday, April 10, 2006

Amazon S3: no WS-Security, why?

Amazon has released its new S3 service (Simple Storage Service). Through a REST or SOAP API, data can be securely stored on Amazon's servers.

This new service made me think: when will such shared storage be used to exchange business documents between business partners? Why not use this

To use this shared storage for B2B, a good security and authorization mechanism is needed. It is possible to grant rights to users with Amazon accounts, but that is not enough.

While browsing through the documentation, and the SOAP API in particular, I noticed the nice, secure mechanism based on HMAC: an "HMAC-SHA1 digest (http://www.ietf.org/rfc/rfc2104.txt) of the concatenation of "AmazonS3" + OPERATION + Timestamp, using your AWS Secret Access Key as the key".

But why didn't Amazon use WS-Security and the Username Token Profile? The Username Token Profile is such a nice spec! Why did Amazon opt for this HMAC solution instead?
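To make the quoted HMAC-SHA1 scheme concrete, here is an added example (my own code, not Amazon's library or documentation) that builds the string to sign exactly as the quote describes, signs it with the secret access key, and shows the check a server would do on receipt. The access key and secret are constructed dummies, the timestamp format (ISO 8601 UTC with milliseconds), the element names AWSAccessKeyId/Timestamp/Signature and the 15-minute freshness window are assumptions of this example rather than anything the post states.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed credentials for illustration only; not real AWS keys.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Assumed timestamp format for the SOAP Timestamp element, e.g. 2006-03-01T12:00:00.000Z
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def format_timestamp(when):
    """Render an aware UTC datetime with three-digit milliseconds and a trailing Z."""
    return when.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (when.microsecond // 1000)


def parse_timestamp(text):
    """Inverse of format_timestamp; raises ValueError on malformed input."""
    return datetime.strptime(text, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)


def string_to_sign(operation, timestamp):
    """The exact bytes the client signs: "AmazonS3" + OPERATION + Timestamp."""
    return ("AmazonS3" + operation + timestamp).encode("ascii")


def sign(secret_access_key, operation, timestamp):
    """HMAC-SHA1 over string_to_sign, keyed with the secret; base64 for the Signature element."""
    digest = hmac.new(secret_access_key, string_to_sign(operation, timestamp), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_soap_auth_elements(operation, when=None):
    """Client side: the three authentication elements sent with a SOAP operation
    (element names are an assumption of this example)."""
    timestamp = format_timestamp(when or datetime.now(timezone.utc))
    return {
        "AWSAccessKeyId": ACCESS_KEY_ID,
        "Timestamp": timestamp,
        "Signature": sign(SECRET_ACCESS_KEY, operation, timestamp),
    }


def verify(secret_access_key, operation, timestamp, signature, now, max_skew=timedelta(minutes=15)):
    """Server side: recompute the signature for the claimed operation and timestamp,
    compare in constant time, then reject timestamps outside the freshness window so a
    captured request cannot be replayed indefinitely. The 15-minute window is assumed."""
    expected = sign(secret_access_key, operation, timestamp)
    if not hmac.compare_digest(expected, signature):
        return False
    try:
        sent = parse_timestamp(timestamp)
    except ValueError:
        return False
    return abs(now - sent) <= max_skew


if __name__ == "__main__":
    issued_at = datetime(2006, 4, 10, 12, 0, 0, tzinfo=timezone.utc)
    elements = build_soap_auth_elements("ListAllMyBuckets", issued_at)
    print(elements)
    fresh = verify(SECRET_ACCESS_KEY, "ListAllMyBuckets", elements["Timestamp"],
                   elements["Signature"], issued_at + timedelta(minutes=1))
    replayed = verify(SECRET_ACCESS_KEY, "ListAllMyBuckets", elements["Timestamp"],
                      elements["Signature"], issued_at + timedelta(hours=1))
    print("fresh request accepted:", fresh, "| replay an hour later accepted:", replayed)
```

Two properties of the scheme stand out once written down: the secret itself never travels with the request (only the access key id and the MAC do), and because the operation name and the timestamp are part of the signed string, a captured Signature is useless for a different operation and goes stale once the server's window has passed. That binding of the proof to the request is something a plain UsernameToken does not give you out of the box.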

Finally: Amazon also has a Simple Queue Service, but that only supports messages up to 4 KB.

Saturday, January 14, 2006

SXIP - Great presentation

There is an important synergy between integration (web services) and security, so I also (try to) follow a bit of what is going on in the world of identity management, security and so on (and I'm simply interested in security).

One presentation that I've listened to and really appreciated was by Dick Hardt, CEO of SXIP. Dick explains how, in an Identity 2.0 world (and Web 2.0?), the user will become central in future generations of identity management solutions.

But what strikes me even more is the way he uses PowerPoint to explain and entertain. Very, very well done!