You have a choice: WS-Security or SSL with mutual authentication. What do you pick, and why?
I am really confused now... need to do a lot of homework.
Anyways, these are just my thoughts
Shankar Tanikella wrote: All requests to a web application require a handshake, and it is not a good idea to bypass SSL by any means just for exposed services, or is it?
What is appropriate for a web app (which is accessed by humans, manually, using a browser) is not necessarily the same as what is appropriate for web services (which generally get accessed by machines programmatically). If the web service uses proper security mechanisms, I don't see that you'd be "bypassing" anything.
One should also consider the importance of person - machine (server) and organization - machine communication, shouldn't one?
Not sure what you mean by "importance" in this context. You should evaluate what attack scenarios are likely, how bad their effect might be, determine the policies to guard against that, and then put in place mechanisms that implement these policies. Since you mention that you're prepared to learn, you might start with this book.
Nevertheless, what I meant previously (my perspective) was about public services (one can say everything is public in terms of web services; it's open to everyone) and private ones.
For example, services between two banks, services between a person and a bank, and maybe even services between different branches of the same bank.
Should I break the current level of security just for web services? Or shouldn't I... and more questions I ask myself now. Security is always a hot topic anywhere. Anyways, I shall think it over, correct myself and fill in a few blanks.
However, is there any good book you are familiar with regarding design, tips, tricks, pitfalls and how-tos related to web services?
And again thanks for help.
Should I break the current level of security just for web services?
No, you should not. But you should use security mechanisms that are appropriate, and SSL is not the best way to secure web services. There are better approaches that are just as secure, and provide other benefits to boot - see my first post in this thread.
Kumar Raja wrote: But we do not have intermediaries, so adding SSL would be an additional level of security at the transport level in addition to the message level. Would anyone contradict this?
Only in the sense that encrypting data repeatedly provides more security than encrypting it once. That means you're not trusting the encryption in the first place, which can mean one of two things: you don't trust the algorithm and think it's breakable, or you don't trust one of the two parties to keep their keys or certificates secure. Either scenario means you don't have a working, secure system, and adding more layers of encryption doesn't change that. So, yes - I am contradicting that.
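The thread keeps returning to the difference between transport-level protection (SSL, which ends at whoever terminates the connection) and message-level protection (WS-Security, which travels with the message through intermediaries). The following is an added example, written for this page and not code from any of the posters; it models that difference in plain Python. Assumptions, all constructed for illustration: the SOAP message is reduced to a header/body dict, an HMAC over the body with a shared key stands in for WS-Security's XML Signature with an X.509 key pair, and each TLS hop is modelled as a faithful copy of the message (no tampering on the wire, but the hop's endpoint sees and can alter everything). The gateway names, accounts and amounts are made up.

```python
import hashlib
import hmac
import json

# Assumed shared signing key between the two endpoints (a stand-in for the
# X.509 key pair a real WS-Security deployment would use). Constructed.
SIGNING_KEY = b"demo-key-shared-by-the-two-endpoints-only"


def canonical(obj):
    """Deterministic byte encoding of the payload, so the signature is
    computed over exactly what the receiver will re-encode (the role that
    XML canonicalisation plays for WS-Security)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_message(header, body, key=SIGNING_KEY):
    """Sender: attach a signature over the body to the message header.

    Routing fields in the header stay unsigned on purpose: an intermediary
    may rewrite them, but it cannot alter the body without detection."""
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"header": dict(header, signature=sig), "body": body}


def verify_message(msg, key=SIGNING_KEY):
    """Receiver: recompute the signature over the body as delivered."""
    expected = hmac.new(key, canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["header"].get("signature", ""))


def tls_hop(msg):
    """One TLS-protected hop. TLS protects the bytes in flight but terminates
    at each endpoint, so the party running the next hop receives the message
    in the clear. Modelled as a faithful copy: no in-flight tampering, but
    the hop's endpoint sees (and can change) everything."""
    return json.loads(json.dumps(msg))


def honest_intermediary(msg):
    """A gateway that legitimately rewrites routing metadata (constructed)."""
    msg["header"]["via"] = msg["header"].get("via", []) + ["gateway-1"]
    return msg


def dishonest_intermediary(msg):
    """A compromised gateway that changes the payment amount (constructed)."""
    msg["body"]["amount"] = 99999
    return msg


def deliver(msg, intermediary):
    """Sender -> TLS hop -> intermediary -> TLS hop -> receiver."""
    msg = tls_hop(msg)
    msg = intermediary(msg)
    msg = tls_hop(msg)
    return msg


def run(intermediary):
    """Return (signature_valid, via_trail) for a sample bank-to-bank message."""
    original = sign_message(
        {"to": "bank-b", "via": []},
        {"from_acct": "A-1", "to_acct": "B-7", "amount": 250},  # constructed
    )
    delivered = deliver(original, intermediary)
    return verify_message(delivered), delivered["header"]["via"]


if __name__ == "__main__":
    print("honest gateway   ->", run(honest_intermediary))
    print("dishonest gateway ->", run(dishonest_intermediary))
```

With transport security alone, the second scenario would go unnoticed: both TLS hops are intact, and the receiving bank has no way to tell the amount was changed at the gateway. The message-level signature catches it while still letting the honest gateway add its routing entry, which is the "other benefit" of WS-Security mentioned earlier in the thread. If there truly are no intermediaries, the intermediary functions collapse to the identity and the two approaches protect the same path.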