Security is hard...

I've been getting into application security lately, and it's really a fascinating subject.

We've been having some issues with COM+ delegation recently and I had very little experience with some of the lower-level technical things going on. This usually inspires me to learn them, and in this case it inspired me to borrow a copy of Programming Windows Security by Keith Brown.

I read the introduction - the basic security players - and then jumped right to the chapter on Network Authentication. Keith says "having a good conceptual grasp of network authentication can help instill a better intuition for developing and debugging secure distributed systems" - and I couldn't agree more. I had previously done some work on my own building authorization schemes for my different domains, and in general I think I was on the right track, but an understanding of the underlying issues of distributed security is just so important. Granted, the security requirements for these systems I've built in the past were rather lax - there wasn't much "special" they could do even if access WAS compromised - but I've already found countless ways to build on them just from this chapter.

From what I've read thus far, Keith's book is excellent. I've just placed my order, and I plan on reading the rest of it when I get my own copy.

I also saw the Wahoo! Web Security issues that Chris Sells was dealing with, which got me to thinking about web service security. I've yet to find the time to read up on the WS-Security and other initiatives going on, but I plan on it soon.

I wonder if some of the concepts in Kerberos v5 might apply to securing web services. I guess the real problem is finding a trusted authority that can act as the ticket-granting service. But in the case of Wahoo!, if you could apply the three-way handshake approach to get a ticket, you could - at least in theory - determine that a valid client is the one sending the message. The difference is that your principal is not a user, but instead an application.

There's one problem with that though. In part, it seems Kerberos works because we assume that the local machine is part of the trusted computing base. Of course, the user's password is never actually transmitted over the wire - just the message encrypted with the password hash. This presumes that the client machine has some knowledge of this password. In a distributed application like Wahoo!, the client machine is most likely not going to be trusted - and by nature, having that password on that machine in memory or on disk means it's pretty much compromised.

So how do you expose these features to any remote location but ensure that the message is actually from a client application? Does WS-Security etc. address anything like this?
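To make the point about the client needing the key concrete, here is an added Python sketch (not from Keith's book or from the post) of the Kerberos pre-authentication exchange described above: the client proves possession of a key derived from the password, and the KDC checks it. The realm, principal name and password are constructed, and an HMAC stands in for Kerberos's actual encryption of the timestamp.

```python
import hashlib
import hmac

REALM = "EXAMPLE.LOCAL"  # constructed placeholder realm

def string_to_key(password: str, principal: str) -> bytes:
    """Derive the principal's long-term key from its password (simplified stand-in
    for the Kerberos string-to-key function). Only this key, never the password,
    is used on the wire."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_preauth(key: bytes, principal: str, now: int) -> dict:
    """Client side of the AS exchange: prove possession of the key by authenticating
    a timestamp. Kerberos encrypts the timestamp; an HMAC stands in for that here."""
    mac = hmac.new(key, f"{principal}|{now}".encode(), "sha256").hexdigest()
    return {"principal": principal, "timestamp": now, "mac": mac}

def kdc_verify(req: dict, key_db: dict, now: int, skew: int = 300) -> bool:
    """KDC side: look up the principal's key, recompute the authenticator and
    reject timestamps outside the allowed clock skew (limits replay)."""
    key = key_db.get(req["principal"])
    if key is None or abs(now - req["timestamp"]) > skew:
        return False
    msg = f"{req['principal']}|{req['timestamp']}".encode()
    expected = hmac.new(key, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, req["mac"])

def demo() -> dict:
    """Run the exchange for a constructed application principal and return which
    requests the KDC accepts."""
    principal = "wahoo-client"  # constructed application principal, not a user
    key = string_to_key("constructed-password", principal)
    key_db = {principal: key}  # the KDC holds the same derived key
    now = 1_700_000_000
    return {
        # the genuine client, holding the key, is accepted
        "valid_client": kdc_verify(make_preauth(key, principal, now), key_db, now),
        # a timestamp well outside the skew window is rejected
        "stale_timestamp": kdc_verify(make_preauth(key, principal, now - 3600), key_db, now),
        # an authenticator built with some other key is rejected
        "wrong_key": kdc_verify(make_preauth(b"other", principal, now), key_db, now),
        # the same key material on any other host is indistinguishable from the client:
        # possession of the key is the identity, which is exactly the post's concern
        "untrusted_host_with_key": kdc_verify(make_preauth(bytes(key), principal, now), key_db, now),
    }
```

The last case is the crux: the KDC cannot tell a trusted client machine from any other host that holds the derived key, so the scheme only works where the client machine can be trusted to keep it.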

I've had a few thoughts, which I plan on posting soon; I just don't have the time now. But I'd love to hear others' thoughts on this!
