Web Services and Identity

Web services are how distributed computing is done in the 21st century. Web services use XML and the World Wide Web as enabling technologies to make application interactions more flexible and composable in response to changing needs. Especially in light of Web 2.0 and cloud computing trends, web services offer exciting new possibilities in networked computer communications, both within an enterprise’s boundaries and across the broader Internet.

Digital identity information is a key ingredient for customizing the operation of web services and applications, as well as authenticating and authorizing users. Particularly now that individuals’ digital identity is being “distributed” much the way applications are being distributed, businesses, governments, and other organizations have a special challenge in treating it – and our wishes about it – with respect.

This course will use a real-world focus in discussing the features and benefits of web services and digital identity; reviewing relevant concepts, technologies, and standards; and examining security and privacy challenges.

Classes for 2010

SOA, REST and The Web: Compare and Contrast!

Taught by Paul Downey

Service Oriented Architecture and Representational State Transfer both offer principles for building Web services. How do these architectural styles differ? Are they complementary, or do they conflict? Is it possible to build a “resource-centric” SOA, or REST on top of messaging systems?

Meanwhile we have The Web: a practical living ecosystem where conventions, agreements and lightweight standards quickly evolve, some through “traditional” standardization processes such as HTML5 and WS-* at the W3C and OASIS, others through lightweight Open Standards initiatives such as Microformats, OpenID, OAuth, OEmbed, XMPP and other “open” initiatives from vendors, such as Open Social, YQL and Google Buzz. How many of these activities are informed by SOA and REST architectural principles, and is it indeed even possible to build architecturally pure services which work within the constraints of the modern Web?

Elements of Web Service Design

Taught by Dr. Marc Hadley

This session will present a case study of exposing an existing API as parallel RESTful and SOAP-based Web Services. The session will review basic Web services technologies and describe the advantages and disadvantages of each approach highlighting impedance mismatches between native programming language APIs and Web services.

Lunch break, day one

XML Process Pipelining

Taught by Norman Walsh

We employ a broad range of XML technologies to build our applications and to join different applications together. Important aspects of a system can often be described as the application of some sequence of XML transformations.

Until recently, there was no standard way to describe the order and sequence of these technologies. Performing, for example, XInclude, followed by validation, followed by two transformations, and then validating the result required ad hoc “glue code” written in any number of ways.

With the recent publication of XProc: An XML Pipeline Language, it’s now possible to describe these, and many other, processes in a standard way.

This session will review the scope and purpose of XProc and provide examples of where it can shorten and simplify everyday tasks.
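As an added illustration of the pipeline the session description sketches (XInclude, then validation, then two transformations, then validation of the result), here is an XProc 1.0 pipeline that expresses exactly that sequence. This is example code written for this page, not material from the session or from the XProc specification; the schema and stylesheet file names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative XProc 1.0 pipeline (added example, not from the page).
     input.xsd, step-one.xsl, step-two.xsl and output.xsd are placeholder
     URIs; each step's primary output feeds the next step's primary input
     by XProc's default binding, so no explicit p:pipe connections are needed. -->
<p:declare-step xmlns:p="http://www.w3.org/ns/xproc" version="1.0">
  <p:input port="source"/>
  <p:output port="result"/>

  <!-- 1. Resolve xi:include elements in the incoming document -->
  <p:xinclude/>

  <!-- 2. Validate the assembled document; assert-valid="true" makes an
          invalid document a pipeline error rather than a silent pass-through -->
  <p:validate-with-xml-schema assert-valid="true">
    <p:input port="schema">
      <p:document href="input.xsd"/>
    </p:input>
  </p:validate-with-xml-schema>

  <!-- 3. First XSLT transformation -->
  <p:xslt>
    <p:input port="stylesheet">
      <p:document href="step-one.xsl"/>
    </p:input>
  </p:xslt>

  <!-- 4. Second XSLT transformation -->
  <p:xslt>
    <p:input port="stylesheet">
      <p:document href="step-two.xsl"/>
    </p:input>
  </p:xslt>

  <!-- 5. Validate the final result against the output schema -->
  <p:validate-with-xml-schema assert-valid="true">
    <p:input port="schema">
      <p:document href="output.xsd"/>
    </p:input>
  </p:validate-with-xml-schema>
</p:declare-step>
```

Two points a practitioner would want to keep in mind: validating immediately after XInclude means the transformations only ever see documents of a known shape, and XInclude resolves whatever hrefs the input names, so when the source document is untrusted the processor should run with a resolver restricted to the locations you intend to serve.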

XML and Web Security

Taught by Thomas Roessler

This session will give the students a foundation in understanding security principles as applied to the Web, threats peculiar to Web and XML technologies, and the technologies typically applied to secure web applications and services to answer those threats (including but not limited to XML Signature and Encryption).

End of day, day one

Federated Identity Concepts and Technologies

Taught by Dr. Hubert le van Gong

This session will survey business goals for digital identity management in the enterprise and consumer spheres, and will review key web-based technologies and protocols for federated identity and access management. We will pay special attention to the challenges of meeting privacy goals.

Privacy and Assurance in Internet Identity

Taught by Robin Wilton

In this session, Robin will look at the links between identity and privacy from the technical and non-technical perspectives. The material will complement Eve Maler’s lecture on the practicalities of meeting privacy goals in federated identity systems.

There are no pointy brackets in this session… but don’t imagine that that means an easy ride for the technologists: there are still plenty of hard technical problems in the domain of online identity and privacy, and the talk will set out a few of them (as an exercise for the student, of course…). And if you have cracked the technology problem, there is still the question of how to put it into practice. Robin will examine some of the factors behind the apparent failure of “Privacy Enhancing Technologies” (PETs) to make it from technical viability into mass adoption, and consider the ‘ecosystem’ of mostly non-technical factors within which your technical solutions will need to thrive.

The goal is for you to come away not just with an understanding of the landscape ahead, but also with some tools and simple models to help you navigate it successfully with your fellow stakeholders.

Lunch break, day two

The course will conclude with a workshop on the last afternoon.