Web service technologies have recently attracted explosive interest and are sometimes said to be revolutionizing the Internet. A web service is basically a network-accessible interface to application functionality, implemented through standard Internet technologies. By means of web services, one piece of software can access objects and methods from another piece of software irrespective of long distances and intermediate firewalls, enabling distributed software systems.
Most web services are packaged in a format based on the Extensible Markup Language (XML) and are therefore sometimes referred to as XML web services. A very common protocol for implementing web services is the Simple Object Access Protocol (SOAP), which is built on XML and typically carried by the Hypertext Transfer Protocol (HTTP).
It is plain to see that web services hold the potential to increase the availability of data and services on the Internet, which is not only very advantageous for application developers and data service providers but would eventually also imply that better application services are offered to end users. However, using HTTP, XML and SOAP allows anyone to access a service that has been published as a web service. This might be fine for some content providers like search engines for instance, but typically a straight “line” to the actual data source is not desirable. In particular, person-related data, such as the content of a positioning system, a customer database or a mobile commerce platform, must not be handed out without proper checks.
Conventional XML web services have many shortcomings, in particular related to security, privacy and transaction processing. (See e.g. [1] for a more elaborate discussion on the shortcomings of web services.) Control of who is allowed to use a particular service, in what way the service may be used, etc., are some of the issues that need to be taken care of for web services to become widely spread in the future.
To be able to exploit the advantages of web services without compromising the end user integrity would thus be very desirable. This object is addressed in several prior-art solutions, such as standard encryption tools, Private Key Infrastructure (PKI) with signatures and certificates, etc. These conventional techniques all focus on a situation where the interacting parties know each other, which is less suitable, in particular for a (mobile) Internet approach. The rapidly growing market for web services requires support of “mass partnering”, which implies that new approaches are needed.
Another drawback of conventional web service solutions is that while addressing one or a few aspects of web service security, e.g. encryption or signing, they fail to offer a comprehensive approach considering aspects like dynamic routing, exchanging digital user identities or enforcing privacy policies. Yet another problem associated with security solutions for web services is that they typically require special adaptations at both ends and are therefore rather complicated to implement. Moreover, security measures in the prior art are comparatively cumbersome and time-consuming.
Accordingly, the security mechanisms of conventional telecommunication systems are far from satisfactory and there is a considerable need for an improved procedure for handling personal data on the Internet.