Freeze the Core

January 12, 2005

Rich Salz

I've recently spent a bit more time than usual talking to analysts and reporters. Almost all of these discussions end up circling around this question: what standards do we need for secure web services, and are they ready? The answer is yes, they basically are, and we'll review them below. But more importantly, I'll show that, for the most part, the web services community should stop working on new versions of fundamental standards.


Obviously, the most basic standard is XML itself. First published in 1998, it has been revised twice, to mainly clear up errors and ambiguities in the prose. So we now have XML 1.0 (Third Edition), but we also have XML 1.1. Interestingly, both were published this February.

So, what are the differences, and do they matter to web services? The differences are actually pretty minor. It turns out, however, that they end up being incredibly important, such that web services should ignore XML 1.1 for the foreseeable future. Let's look at why.

XML 1.1 adds some new characters to the list of what can be in a name. It also requires that some characters that were legal within content--the control characters between 0x7F and 0x9F--now have to be escaped. One the surface, these seem like minor changes. But when you add in the required XML processing model--any error detected by the parser must be a fatal error--we find the following:

For an admittedly narrow range, XML 1.0 and XML 1.1 are incompatible.

Dave Orchard, a W3C TAG member, has written more about this, referred to other links, and in general given a great deal of thought about "versioning" in the XML world. See the December 16 and December 12 entries of his blog at for more than you probably care to know.

Since web services involves inter-machine communication, I think it's risky to just glide over this difference. While humans might be unlikely to type 0x80 into a textbox, it's not unreasonable to think machine-generated data--particularly something transcoded from a legacy system--might. As if that weren't enough, XML Schema needs to be modified to support XML 1.1. I've mercifully forgotten the details, but the two character changes interact to make the QName data type a bit more complicated. As a result, since the Schema is a normative (i.e., "official") part of the SOAP 1.2 specification, SOAP 1.2 is officially tied to XML 1.0. Given these three factors, it seems prudent for the web services community to ignore XML 1.1 for now.


Let's look at SOAP. I've written before comparing SOAP 1.1 and 1.2. The major difference is really error handling; faults look a little different and come back as standard HTTP responses, not errors. Other than that, there's not a lot of practical difference, which means, for example, that we can use SOAP 1.1 with the SOAP 1.2 processing rules.

In the past few months, a second major difference has come up: attachments. In SOAP 1.1, a message with attachments is a multi-part MIME message, and the SOAP message is the first part. Elements that refer to the attachment content explicitly refer to it, and it is up to the application to fetch the data. In SOAP 1.2 for the HTTP binding, it's also a multi-part MIME message. The only real difference is that if the same part is referenced multiple times, then a SOAP representation header can be required. For internal processing, the attachment data is actually hoisted into the message Infoset (i.e., the DOM for all practical purposes).

We might now have to decided between SOAP 1.1 and SOAP 1.2. The difference in network representations is fairly small, so where can we look for guidance? It turns out there are two places.

The first is the installed base. While SOAP 1.2 products are available, it's clear that the deployed base is overwhelmingly SOAP 1.1. The second place is in security. As we might expect, when both security and standards organizations are involved, the path gets a little complicated.

Message Security

The OASIS Web Services Security Working Group, WSS, has defined a SOAP header that specifies how to use XML digital signatures and encryption to protect SOAP messages from being modified or viewed by the wrong parties. The standard was approved and published in March. WSS also defined a framework for carrying cryptographic keys and identity information (such as a SAML assertion, X509 Certificate, etc.). The framework nature it inherited from the lower-level signature specification also meant the users could define choose from a suite of existing crypto algorithms or even define their own.

In order to make secure SOAP messages interoperable, it was necessary to profile the WSS specification, narrowing down the list of choices. The WS-I created a Basic Security Profile (BSP) working group to do this. The group completed its work a few months ago and presented it to the WS-I Board. Surprisingly, the WS-I board rejected it, sending it back to the group with the instructions that attachments must be part of the profile. In particular, SOAP with Attachments, since the SOAP 1.2 approach was too early.

Since WS-I doesn't create standards but profiles existing ones, this meant that the BSP had to go to WSS and ask them to take on attachments as part of their work. They've done this, and the resultant attachments profile should soon be approved as an official standard. Once this is done, the WS-I folks will be able to update their expanded profile and get it approved this time.

The implication for all this on the web services community is pretty important:

If you want secure SOAP messages with attachments, use SOAP 1.1; if you want secure SOAP messages use SOAP 1.1 or 1.2
Unless the application wants to maintain two SOAP stacks, or is sure that it will never need to talk to a SOAP 1.1 application, then it can use SOAP 1.2. I think neither of these requirements is reasonable, and that therefore, we should all be using SOAP 1.1 until the 1.2 attachments issue is fixed.

By the way, it turns out that securing 1.2 attachments might be difficult. In SOAP 1.2, attachments are hoisted into and out of the Infoset, and there is enough variation (such as whether or not a representation header is used) that two applications could serialize the same message in two different ways. That is, of course, anathema to digital signatures, which requires that there be a canonical form.

Another approach would be to revise the XML Digital Signature standard to be based on the Infoset. Don't hold your breath; security folks aren't common in the XML world, and most of them have moved on to other things. Further, the standard is decidedly, and very subtly, based on the XPath 1.0 data model. Changing the model without losing backward compatibility will be difficult. If only because of the sparse deployment, backward compatibility is very important to security folks.

Wrapping Up

It's possible to look at these issues and come to the depressing conclusion that the web services community is stuck in the past. I claim that's looking at things the wrong way. We now have a solid core of technologies:

  • XML 1.0
  • SOAP 1.1
  • WSDL 1.0 and Schema
  • WSS, Signature, Encryption
Now, for the first time ever, we can take any two computers capable of joining the internet, and securely exchange messages between them, and be confident that the data will make it from one application level to another, usually without any large installations of custom software on either machine.

That's a pretty impressive achievement and reason enough for a year-end celebration. Now, if we can only get those folks working on "improvements" to the core to stop what they're doing and join the party, it'll be a truly great new year.