Introduction

    [Newton] The Columbia World of Quotations, Columbia University Press, 1996. Available online at http://www.bartleby.com/66/18/41418.html.

Chapter 1

    [CMS05] Centers for Medicare and Medicaid Services, "Health Insurance Portability and Accountability Act of 1996." Available online at http://www.cms.hhs.gov/hipaa/.

    [Daurat05] Daurat, Cecile, "Time Warner Reports Loss of Personal Data on 600,000 Employees", Washington Post Online, May 3, 2005. Available online at http://www.washingtonpost.com/wp-dyn/content/article/2005/05/02/AR2005050201528.html.

    [DOJ04] U.S. Department of Justice, "The Privacy Act of 1974." Available online at http://www.usdoj.gov/foia/privstat.htm.

    [DOJ04a] U.S. Department of Justice, "Overview of the Privacy Act of 1974, 2004 Edition." Available online at http://www.usdoj.gov/04foia/1974compmatch.htm.

    [DOJ04b] U.S. Department of Justice, "Freedom of Information Act (FOIA)." Available online at http://www.usdoj.gov/04foia/index.html.

    [ED05] U.S. Department of Education, "Family Educational Rights and Privacy Act (FERPA)." Available online at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

    [FTC02] Federal Trade Commission, "The Fair Credit Reporting Act." Available online at https://www.ftc.gov/enforcement/statutes/fair-credit-reporting-act.

    [FTC04] Federal Trade Commission, "Federal Trade Commission Facts for Businesses and Consumers." Available online at http://www.ftc.gov/ftc/business.htm and http://www.ftc.gov/ftc/consumer.htm.

    [FTC99] Federal Trade Commission, "Federal Trade Commission Facts for Businesses, The Children's Online Privacy Protection Rule." Available online at http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm, November 1999.

    [FTC99a] Federal Trade Commission, "Financial Privacy: The Gramm-Leach-Bliley Act." Available online at http://www.ftc.gov/privacy/glbact/.

    [Gilder93] Gilder, George, "Metcalfe's Law and Legacy." Forbes ASAP, September 13, 1993. Available online at http://www.seas.upenn.edu/~gaj1/metgg.html.

    [Kismet05] Kismet Forum, "What is Kismet?" Available online at http://www.kismetwireless.net/.

    [NW02] Network World, "What's Wrong With WEP." Available online at http://www.networkworld.com/research/2002/0909wepprimer.html, September 9, 2002.

    [OMA02] Open Mobile Alliance, "WAP Forum Specifications." Available online at http://www.wapforum.org/what/technical.htm.

    [OMG05] Object Management Group, "CORBA FAQ." Available online at http://www.omg.org/gettingstarted/corbafaq.htm.

    [RFC2396] Berners-Lee, T., et al., "Uniform Resource Identifiers (URI): Generic Syntax." Available online at http://www.ietf.org/rfc/rfc2396.txt, August 1998.

    [Roadmap02] IBM Corporation and Microsoft Corporation, "Security in a Web Services World: A Proposed Architecture and Roadmap, A Joint White Paper from IBM Corporation and Microsoft Corporation", Version 1.0. Available online at http://www-106.ibm.com/developerworks/webservices/library/ws-secmap, April 7, 2002.

    [SEC05] U.S. Securities and Exchange Commission, "Spotlight on Sarbanes-Oxley Rulemaking and Reports." Available online at http://www.sec.gov/spotlight/sarbanes-oxley.htm.

    [SOAdef04] "Service Oriented Architecture (SOA) Definition." Available online at http://www.service-architecture.com/web-services/articles/service-oriented_architecture_soa_definition.html.

    [SOAP002] Mitra, Nilo, "SOAP Version 1.2 Part 0: Primer." Available online at http://www.w3.org/tr/SOAP12-part0, June 26, 2002.

    [Tapscott00] Tapscott, Don, et al., Digital Capital: Harnessing the Power of Business Webs, Harvard Business School Press, 2000.

    [W3Cdef04] Austin, Daniel, et al., "Web Services Architecture Requirements W3C Working Group Note 11 February 2004." Available online at http://www.w3.org/TR/2004/NOTE-wsa-reqs-20040211.

    [WAPFAQ04] The Wireless FAQ, "How Secure is WAP with SSL and WTLS?" Available online at http://www.thewirelessfaq.com/9.4.asp.

    [WiFi04] Wi-Fi Alliance, "Wi-Fi Overview." Available online at http://www.wi-fi.com/OpenSection/why_Wi-Fi.asp?TID=2.

    [WSIScenarios04] Schwarz, Jerry, et al., "WS-I Security Scenarios, Working Group Draft, 2004/04/16." Available online at: http://www.ws-i.org/Profiles/BasicSecurity/SecurityScenarios-1.0.pdf.

    [XML00] Internet Engineering Task Force, "Extensible Markup Language (XML) 1.0 (Second Edition)." Available online at http://www.w3.org/tr/rec-xml, October 6, 2000.

Chapter 2

    [Achohido04] Acohido, B. and J. Swartz, "Going price for network of zombie PCs: $2000-$3000." USA Today, December 5, 2004.

    [CNET97] C|Net Tech News, "Social Security Site Closed." Available online at http://news.com.com/2100-1017-278711.html?legacy=cnet.

    [Edelman04] Edelman, B., "Gator's EULA Gone Bad." Available online at http://www.benedelman.org/news/112904-1.html.

    [Enouf05] Enouf, Thad, "Lexis Nexis Adds to Number of People Affected by Hacking Breach." Dirty Tricks, April 12, 2005. Available online at http://dirtytrix.blogspot.com/2005/04/lexis-nexus-adds-to-number-of-people.html.

    [EPIC97] The Electronic Privacy Information Center, "The Social Security Agency and Online Privacy." Available online at http://www.epic.org/privacy/databases/ssa/.

    [Garfinkel00] Garfinkel, Simson, Database Nation: The Death of Privacy in the 21st Century. O'Reilly and Associates, 2000.

    [MLabs04] Message Labs, "Monthly Report: October 2004: The Rise of the Zombie Botnets." Available online at http://www.messagelabs.com/emailthreats/intelligence/reports/monthlies/October04/.

    [Moore65] Moore, Gordon, "Cramming More Components Onto Integrated Circuits." Electronics, April 19, 1965. Available online at http://www.intel.com/research/silicon/mooreslaw.htm.

Chapter 3

    [CAIDA03] Moore, D., V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "The Spread of the Sapphire/Slammer Worm." Available online at http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html.

    [Collins97] Collins, R., "The Intel Pentium F00F Bug Description and Workarounds." Available online at http://www.x86.org/errata/dec97/f00fbug.htm.

    [Griffiths02] Griffiths, Richard T., "History of the Internet, Internet for Historians (and just about everyone else)." Available online at http://www.let.leidenuniv.nl/history/ivh/frame_theorie.html.

    [MSGloss05] Microsoft Corporation, "Glossary of Windows 2000 Services." Available online at http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp#p.

    [NIAP04] National Information Assurance Partnership, "CCEVS Website." Available online at http://niap.nist.gov/cc-scheme/index.html.

    [NSTISSC02] National Security Telecommunications and Information Security Committee, "National Training Standard for Information Systems Security (Infosec) Professionals." Available online at http://security.isu.edu/pdf/4011.pdf, June 20, 1994.

    [RFC2617] Franks, J., et al., "HTTP Authentication: Basic and Digest Access Authentication." Available online at http://www.ietf.org/rfc/rfc2617.txt, June 1999.

    [Vincent05] Vincent, Thomas, "OSXFAQ: Mac OS X Security." Available online at http://www.osxfaq.com/Editorial/security/index2.ws.

    [Winkler97] Winkler, Ira, Corporate Espionage. Prima Publishing, 1997, p. 13.

    [WSSecurity04] Nadalin, Anthony, et al., "Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)." Available online at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf, March 15, 2004.

    [ZDNet04] ZD Net, "Study: Unpatched PCs compromised in 20 minutes." Available online at http://news.zdnet.com/2100-1009_22-5313402.html.

Chapter 4

    [Achohido04a] Acohido, B., "Sasser Inspires Raiders to Jump In." USA Today, June 10, 2004, p. B.03.

    [CERT03] CERT Coordination Center, "CERT Advisory CA-2003-20 W32/Blaster worm." Available online at http://www.cert.org/advisories/CA-2003-20.html.

    [Griffiths02] Griffiths, Richard T., "History of the Internet, Internet for Historians (and just about everyone else)." Available online at http://www.let.leidenuniv.nl/history/ivh/frame_theorie.html.

    [News00] C|Net News.com, "Company says extortion try exposes thousands of card numbers." Available online at http://news.com.com/2100-1017-249772.html.

    [RFC791] RFC 791, Internet Protocol, DARPA Internet Program, Protocol Specification. Available online at http://www.faqs.org/rfcs/rfc791.html, September 1981.

    [RFC793] RFC 793, Transmission Control Protocol, DARPA Internet Program, Protocol Specification. Available online at http://www.faqs.org/rfcs/rfc793.html, September 1981.

    [RFC2616] Fielding, R., et al., "Hypertext Transfer Protocol -- HTTP/1.1." Available online at http://www.w3.org/Protocols/rfc2616/rfc2616.html.

    [Securiteam01] Beyond Security, "Attackers Managed to Obtain Microsoft Digital Signing Keys." Available online at http://www.securiteam.com/windowsntfocus/5VP0P0K3PY.html.

    [Venners05] Venners, Bill, "Why Security." Available online at http://www.artima.com/insidejvm/ed2/securityP.html, April 6, 2005.

    [ZDNet04] ZD Net, "Study: Unpatched PCs Compromised in 20 Minutes." Available online at http://news.zdnet.com/2100-1009_22-5313402.html.

Chapter 5

    [CSS298] Bos, Bert, et al., "Cascading Style Sheet, Level 2: CSS2 Specification." Available online at http://www.w3.org/tr/rec-css2, May 12, 1998.

    [DOM198] Apparo, Vidur, et al., "Document Object Model (DOM) Level 1 Specification Version 1.0." Available online at http://www.w3.org/tr/REC-DOM-Level-1, October 1, 1998.

    [DOM200] Le Hors, Arnaud, et al., "Document Object Model (DOM) Level 2 Core Specification Version 1.0." Available online at http://www.w3.org/tr/DOM-Level-2-Core, November 13, 2000.

    [DOM302] Le Hors, Arnaud, et al., "Document Object Model (DOM) Level 3 Core Specification Version 1.0." Available online at http://www.w3.org/tr/DOM-Level-3-Core, April 9, 2002.

    [DOMEvents200] Pixley, Tom, editor, "Document Object Model (DOM) Level 2 Events Specification, Version 1.0." Available online at http://www.w3.org/tr/dom-level-2-events/, November 13, 2000.

    [DOMEvents302] Le Hegaret, Philippe and Pixley, Tom, editors, "Document Object Model (DOM) Level 3 Events Specification, Version 1.0." Available online at http://www.w3.org/tr/dom-level-3-events, July 12, 2002.

    [jUDDI04] Apache Open Source Java UDDI Directory. Available online at http://ws.apache.org/juddi/.

    [MSXML] Microsoft Corporation, "XML Downloads." Available online at http://msdn.microsoft.com/xml/xmldownloads/default.aspx.

    [NsureUDDI] Novell's Open Source UDDI 2.0 Solution. Available online at http://www.novell.com/coolsolutions/feature/5699.html.

    [RFC2396] Berners-Lee, T., et al., "Uniform Resource Identifier (URI): Generic Syntax." Available online at http://www.ietf.org/rfc/rfc2396.txt, August 1998.

    [RFC2822] Resnick, P., editor, "Internet Message Format." Available online at http://www.ietf.org/rfc/rfc2822.txt, April 2001.

    [SAX01] About SAX. Available online at http://www.saxproject.org/, 2001.

    [Schema001] XML Schema Part 0: Primer. Available online at http://www.w3.org/TR/xmlschema-0, May 2, 2001.

    [Schema101] XML Schema Part 1: Structures. Available online at http://www.w3.org/tr/xmlschema-1, May 2, 2001.

    [Schema201] XML Schema Part 2: Datatypes. Available online at http://www.w3.org/tr/xmlschema-2, May 2, 2001.

    [SOAP002] Mitra, Nilo, "SOAP Version 1.2 Part 0: Primer." Available online at http://www.w3.org/tr/SOAP12-part0, June 26, 2002.

    [SOAP102] Gudgin, Martin, et al., "SOAP Version 1.2 Part 1: Messaging Framework." Available online at http://www.w3.org/tr/SOAP12-part1, June 26, 2002.

    [SOAP202] Gudgin, Martin, et al., "SOAP Version 1.2 Part 2: Adjuncts." Available online at http://www.w3.org/tr/SOAP12-part2, June 26, 2002.

    [SOAPEmail02] Highland, Mary M., et al., "SOAP Version 1.2 Email Binding." Available online at http://www.w3.org/tr/SOAP12-email.html, July 3, 2002.

    [UDDI02] Bellwood, Tom, et al., "UDDI Version 3.0." Available online at http://www.uddi.org/pubs/uddi_v3.htm, July 19, 2002.

    [WSDL01] Christensen, Eric, et al., "Web Services Description Language (WSDL) 1.1." Available online at http://www.w3.org/tr/wsdl, March 15, 2001.

    [WSRouting01] Nielsen, Henrik F. and Thatte, Satish, "Web Services Routing Protocol (WS-Routing)." Available online at http://msdn.microsoft.com/ws/2001/10/Routing/, October 23, 2001.

    [XERCES2] Apache Xerces2 Java Parser. Available online at http://xml.apache.org/xerces2-j/.

    [XMLSpy] Altova XMLSpy. Available online at http://www.altova.com/xmlspy.

    [XML00] Internet Engineering Task Force, "Extensible Markup Language (XML) 1.0 (Second Edition)." Available online at http://www.w3.org/tr/rec-xml, 6 October 2000.

    [XMLEvents02] McCarron, Shane, et al., "XML Events: An Events Syntax for XML." Available online at http://www.w3.org/tr/xml-events/, August 12, 2002.

    [XMLNS99] Namespaces in XML. Available online at http://www.w3.org/tr/REC-xml-names, January 14, 1999.

    [XPATH99] Clark, James and Steve DeRose, "XML Path Language (XPATH) Version 1.0." Available online at http://www.w3.org/tr/xpath, November 16, 1999.

    [XPointer02] DeRose, Steve, et al., "XML Pointer Language (XPointer)." Available online at http://www.w3.org/tr/xptr, August 16, 2002.

    [XSL01] Adler, Sharon, et al., "Extensible Stylesheet Language (XSL) Version 1.0." Available online at http://www.w3.org/tr/xsl, October 15, 2001.

    [XSLT99] Clark, James, "XSL Transformations (XSLT) Version 1.0." Available online at http://www.w3.org/tr/xslt, November 16, 1999.

Chapter 6

    [CCIS04] "Common Criteria for Information Security Evaluation January 2004, Version 2.2, Revision 256, 2004." Available online at http://niap.nist.gov/cc-scheme/cc_docs/cc_v22_part1.pdf.

    [CCSS04] Computer Security Institute, "Computer Crime and Security Survey." Available online at http://www.gocsi.com/, 2004.

    [IATF02] Information Assurance Solutions Technical Directors, "Information Assurance Technical Framework Release 3.1." Available online at http://www.iatf.net/framework_docs/version-3_1/index.cfm, September 2002.

    [Orange85] Brand, S., et al., "Department of Defense Trusted Computer System Evaluation Criteria." Available online at http://www.fas.org/irp/nsa/rainbow/std001.htm, December 1985.

    [RFC2196] Fraser, B., editor, "RFC-2196 Site Security Handbook." Available online at http://www.ietf.org/rfc/rfc2196.txt.

    [SUN04] Sun Microsystems, "How to Develop a Network Security Policy: An Overview of Internetworking Site Security." Available online at http://itpapers.zdnet.com/whitepaper.aspx?scid=285&kw=&dtid=0&sortby=dated&docid=984.

Chapter 7

    [EXCC14N] Boyer, John, et al., "Exclusive XML Canonicalization Version 1.0." Available online at http://www.w3.org/tr/xml-exc-c14n/, July 18, 2002.

    [Hughes02] Hughes, Merlin, et al., "Decryption Transform for XML Signature." Available online at http://www.w3.org/tr/xmlenc-decrypt, August 2, 2002.

    [Roadmap02] Microsoft Corporation and IBM Corporation. "Security in a Web Services World: A Proposed Architecture and Roadmap, A Joint White Paper from IBM Corporation and Microsoft Corporation." Version 1.0. Available online at http://www-106.ibm.com/developerworks/webservices/library/ws-secmap, April 7, 2002.

    [SOAPSE01] Brown, Allen, et al., "SOAP Security Extensions: Digital Signature" Available online at http://www.w3.org/tr/soap-dsig, February 6, 2001.

    [WSPAssert02] Box, Don, et al., "Web Services Policy Assertions Language (WS-PolicyAssertions) Version 1.1." Available online at http://www.verisign.com/wss/WS-PolicyAssertions.pdf, May 28, 2002.

    [WSPAttach04] Bajaj, Siddharth, et al., "Web Services Policy Attachment (WS-PolicyAttachment)." Available online at http://ifr.sap.com/ws-policy/ws-policyattachment.pdf, September 2004.

    [WSPolicy04] Bajaj, Siddharth, et al., "Web Services Policy Framework (WS-Policy)." Available online at http://ifr.sap.com/ws-policy/ws-policy.pdf, September 2004.

    [WSSecurity02] Atkinson, Bob, et al., "Web Services Security (WS-Security) Version 1.0." Available online at http://www-106.ibm.com/developerworks/webservices/library/ws-secure/, April 5, 2002.

    [WSSP02] Della-Libera, Giovanni, et al., "Web Services Security Policy Language (WS-SecurityPolicy) Version 1.0." Available online at http://www.verisign.com/wss/WS-SecurityPolicy.pdf, December 18, 2002.

    [XMLC14N] Boyer, John, et al., "Canonical XML Version 1.0, W3C Recommendation." Available online at http://www.w3.org/TR/xml-c14n, March 15, 2001.

    [XMLEncrypt02] Eastlake, Donald, et al., "XML Encryption Syntax and Processing." Available online at http://www.w3.org/tr/xmlenc-core, August 2, 2002.

    [XMLSig02] Eastlake, Donald, et al., "XML Signature Syntax and Processing." Available online at http://www.w3.org/tr/xmldsig-core, February 12, 2002.

    [XPATHF02] Boyer, John, et al., "XML-Signature XPATH Filter 2.0." Available online at http://www.w3.org/tr/xmldsig-filter2, July 18, 2002.

Chapter 8

    [Act05] Active-X.com, "What is Active X?" Available online at http://www.active-x.com/articles/whatis.htm.

    [Byous98] Byous, Jon, "Java Technology: The Early Years." Available online at http://java.sun.com/features/1998/05/birthday.html.

    [Cexx05] cexx.org, "The Trouble with Spyware and Advertising-Supported Software." Available online at http://www.cexx.org/problem.htm.

    [CIS04] The Center for Internet Security, "CIS Level-1 Benchmark and Scoring Tool for Solaris." Available online at http://www.cisecurity.org/bench_solaris.html.

    [Harold97] Harold, Elliotte, "The comp.lang.java FAQ List." Available online at http://www.ibiblio.org/javafaq/javafaq.html#xtocid90007.

    [Kapersky04] Kaspersky Labs, "Malware Trends in 2004." Available online at http://www.kaspersky.com/news?id=156802893.

    [Keizer04] Keizer, Gregg, "New Bagel Worm Slows After Fast Start." Information Week, July 16, 2004.

    [Mage99] MageLang Institute, "Security." Available online at http://java.sun.com/developer/onlineTraining/Security/Fundamentals/Security.html#secAppletSecurityManager.

    [McGraw97] McGraw, Gary and Edward Felten, "Understanding the Keys to Java Security: The Sandbox and Authentication." Available online at http://www.javaworld.com/javaworld/jw-05-1997/jw-05-security.html.

    [McLean97] McLean, Fred, "The Exploder Control Frequently Asked Questions (FAQ)." Available online at http://dslweb.nwnexus.com/mclain/ActiveX/Exploder/FAQ.htm.

    [NSA05] National Security Agency, "Security Configuration Guides." Available online at http://www.nsa.gov/snac/.

    [NSTISSC00] NSTISSC, "Advisory Memorandum on Web Browser Security Vulnerabilities." Available online at http://csrc.nist.gov/publications/secpubs/web-secvul.pdf.

    [OSI94] International Standards Organization, "ISO 7498-1 Information Processing Systems - Open Systems Interconnection - Basic Reference Model: The Basic Model, Technical Report." International Standards Organization, 1994.

    [RFC2504] Guttman, E., et al., "RFC-2504 Users' Security Handbook." Available online at http://www.ietf.org/rfc/rfc2504.txt, February 1999.

    [SIR01] Stubblefield, Adam, John Ioannidis, and Aviel D. Rubin, "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP." Available online at http://www.workingwireless.net/wireless/Documents/wireless_extreme/wep_attack.html.

    [Smith03] Smith, Sean, "Fairy Dust, Secrets, and the Real World." January 2003.

    [Sun99] Sun Microsystems, "JAR File Specification." Available online at http://java.sun.com/j2se/1.4.2/docs/guide/jar/jar.html.

    [TechNet05] Microsoft Corporation, "Microsoft Authenticode Reference Guide." Available online at http://www.microsoft.com/technet/archive/security/topics/secaps/authcode.mspx.

    [vonAhn04] von Ahn, Luis et al., "CAPTCHA: Using Hard AI Problems for Security." Eurocrypt 2000. Available online at http://www-2.cs.cmu.edu/~biglou/captcha_crypt.pdf.

    [WiFi03] WiFi Alliance, "Overview: WiFi Protected Access." Available online at http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf.

Chapter 9

    [ASPAuth04] Microsoft Corporation, "Designing Distributed Applications with Visual Studio .NET, ASP.Net Authentication." Available online at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconASPNetAuthentication.asp, 2004.

    [ASPAuthorize04] Microsoft Corporation, "Designing Distributed Applications with Visual Studio .NET, Authorization." Available online at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconAuthorization.asp, 2004.

    [CNSS03] CNSS, "National Information Assurance (IA) Glossary, CNSS Instruction No. 4009." Available online at http://www.cnss.gov/Assets/pdf/cnssi_4012.pdf, May 2003.

    [FIPS199 03] National Institute of Standards and Technology, "Standards for Security Categorization of Federal Information and Information Systems, Federal Information Processing Standards Publication (FIPS) 199." Available online at http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf, December 2003.

    [IATF02] Information Assurance Solutions Technical Directors, "Information Assurance Technical Framework Release 3.1." Available online at http://www.iatf.net/framework_docs/version-3_1/index.cfm, September 2002.

    [IISAuth04] Microsoft Corporation, "Designing Distributed Applications with Visual Studio .NET, IIS Authentication." Available online at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconIISAuthentication.asp, 2004.

    [J2EE04] Armstrong, Eric, et al., "The J2EE 1.4 Tutorial." Available online at http://java.sun.com/j2ee/1.4/docs/tutorial/doc/J2EETutorial.pdf, August 31, 2004.

    [JAAS04] Mahmoud, Qusay, "Java Authentication and Authorization Service (JAAS) in Java 2, Standard Edition (J2SE) 1.4." Available online at http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASRefGuide.html, August 9, 2004.

    [Liberty04] Liberty Alliance, "Liberty Alliance Project." Available online at http://www.projectliberty.org.

    [NECCC02] The National Electronic Commerce Coordinating Council, "Identity Management: A White Paper." Available online at http://www.ec3.org/Downloads/2002/id_management.pdf, December 4-6, 2002.

    [NIST800-12] National Institute of Standards and Technology, "An Introduction to Computer Security: The NIST Handbook." NIST Special Publication 800-12. Available online at http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf, October 1995.

    [NIST800-33] National Institute of Standards and Technology, "Underlying Technical Models for Information Technology Security," NIST Special Publication 800-33. Available online at http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf, December 2001.

    [NIST800-63] National Institute of Standards and Technology, "Electronic Authentication Guidelines," NIST Special Publication 800-63 Version 1.0.1. Available online at http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf, September 2004.

    [OracleASO01] Oracle Corporation, "Oracle Advanced Security 9i: Enterprise User Security: An Oracle Whitepaper." Available online at http://www.oracle.com/technology/deploy/Security/aso/pdf/EUS901.doc, August 2001.

    [OracleLabel04] Oracle Corporation, "Oracle Label Security: An Oracle Data Sheet." Available online at http://www.oracle.com/technology/deploy/Security/pdf/ds_security_db_labelsecurity_10r1_0104.pdf, January 2004.

    [Orange85] Brand, S., et al., "Department of Defense Trusted Computer System Evaluation Criteria." Available online at http://www.fas.org/irp/nsa/rainbow/std001.htm, December 1985.

    [OSI94] International Standards Organization, "ISO 7498-1 Information Processing Systems - Open Systems Interconnection - Basic Reference Model: The Basic Model, Technical Report." International Standards Organization, 1994.

    [PAM96] Samar, Vipin, "Unified Login with Pluggable Authentication Modules (PAM)." CCS '96, New Delhi, India. Available online at http://portal.acm.org/citation.cfm?id=238177.

    [Passport04] Microsoft Corporation, "Microsoft .NET Passport." Available online at http://www.passport.net/.

    [RBAC04] American National Standards Institute, "Role Based Access Control." Document Number ANSI/INCITS 359-2004. Available online at http://csrc.nist.gov/rbac/, February 3, 2004.

    [RFC1510] Kohl, J., et al., "The Kerberos Network Authentication Service (V5)." Available online at http://www.ietf.org/rfc/rfc1510.txt, September 1993.

    [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0." Available online at http://www.ietf.org/rfc/rfc2246.txt, January 1999.

    [RFC2251] Wahl, M. et al., "Lightweight Directory Access Protocol (v3)." Available online at http://www.ietf.org/rfc/rfc2251.txt, December 1997.

    [RFC2459] Housley, R., et al., "Internet X.509 Public Key Infrastructure Certificate and CRL Profile." Available online at http://www.ietf.org/rfc/rfc2459.txt, January 1999.

    [RFC2617] Franks, J., et al., "HTTP Authentication: Basic and Digest Access Authentication." Available online at http://www.ietf.org/rfc/rfc2617.txt, June 1999.

    [RFC2818] Rescorla, E., "HTTP Over TLS." Available online at http://www.ietf.org/rfc/rfc2818.txt, May 2000.

    [Rule97] Didriksen, Tor, "Rule Based Database Access Control: A Practical Approach." ACM Workshop on Role Based Access Control, ACM Press, 1997. Available online at http://portal.acm.org/citation.cfm?id=266772.

    [SAML04] Hughes, John, et al., "Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1." Available online at http://www.oasis-open.org/committees/documents.php?wg_abbrev=security, May 11, 2004.

    [SQLServer03] Chander, Girish, et al., "SQL Server 2000 SP3 Security Features and Best Practices." Available online at http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec00.mspx, May 16, 2003.

    [Stallings95] Stallings, William, Network and Internetwork Security: Principles and Practice. Prentice Hall, 1995.

    [Websters04] Merriam Webster, "Merriam Webster Online." Available online at http://www.m-w.com.

    [WSFederation03] Bajaj, Siddharth, et al., "Web Services Federation Language (WS-Federation)." Available online at http://www-106.ibm.com/developerworks/webservices/library/ws-fed/, July 8, 2003.

    [WSReferal01] Nielsen, Henrik F., et al., "Web Services Referral Protocol (WS-Referral)." Available online at http://msdn.microsoft.com/ws/2001/10/Referral/, October 23, 2001.

    [WSRouting01] Nielsen, Henrik F. and Satish Thatte, "Web Services Routing Protocol (WS-Routing)." Available online at http://msdn.microsoft.com/ws/2001/10/Routing/, October 23, 2001.

    [WSSecurity04] Nadalin, Anthony, et al., "Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)." Available online at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf, March 15, 2004.

    [WSTrust04] Anderson, Steve, et al., "Web Services Trust Language (WS-Trust) Version 1.1." Available online at http://www-106.ibm.com/developerworks/library/ws-trust/, May 2004.

    [XACML03] Godik, Simon, et al., "eXtensible Access Control Markup Language (XACML) Version 1.0." Available online at http://www.oasis-open.org/committees/documents.php/2406/OASIS-XACML-1.0.pdf, February 18, 2003.

Chapter 10

    [ARCFOUR] Kaukonen, K. and R. Thayer, "A Stream Cipher Encryption Algorithm 'Arcfour'." Available online at http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt.

    [McNett99] McNett, David, "US Government's Encryption Standard Broken in Less Than a Day." Available online at http://www.distributed.net/des/release-desiii.txt.

    [NIST77] National Institute of Standards and Technology, Federal Information Processing Standards Publication (FIPS PUB) 46, Data Encryption Standard (DES). January 15, 1997. Superseded by FIPS PUB 46-1, 46-2, 46-3.

    [NIST88] National Institute of Standards and Technology, Data Encryption Standard (DES). FIPS PUB 46-2. Available online at http://www.itl.nist.gov/fipspubs/fip46-2.htm.

    [NIST99] National Institute of Standards and Technology, "Announcing Draft Federal Information Processing Standard (FIPS) 46-3, Data Encryption Standard (DES), and Request for Comments." Available online at http://csrc.nist.gov/cryptval/des/fr990115.htm.

    [RSA78] Rivest, R.L., A. Shamir, and L.M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems." Communications of the ACM (2)21 (1978): 120-126.

Chapter 11

    [EXCC14N] Boyer, John, et al., "Exclusive XML Canonicalization Version 1.0." Available online at http://www.w3.org/tr/xml-exc-c14n, July 18, 2002.

    [Hughes02] Hughes, Merlin, et al., "Decryption Transform for XML Signature." Available online at http://www.w3.org/tr/xmlenc-decrypt, August 2, 2002.

    [Kerberos04] Nadalin, Anthony, et al., "Web Services Security Kerberos Token Profile 1.0, Working Draft 05." Available online at http://www.oasis-open.org/committees/download.php/8266/oasis-xxxxxx-wss-kerberos-token-profile-1%200.pdf, July 27, 2004.

    [RFC2253] Wahl, M., et al., "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names." Available online at http://www.ietf.org/rfc/rfc2253.txt, December 1997.

    [Roadmap02] IBM Corporation and Microsoft Corporation, "Security in a Web Services World: A Proposed Architecture and Roadmap: A Joint White Paper from IBM Corporation and Microsoft Corporation." Version 1.0. Available online at http://www-106.ibm.com/developerworks/webservices/library/ws-secmap, April 7, 2002.

    [SAMLProf04] Hallam-Baker, Phillip, et al., "Web Services Security: SAML Token Profile Working Draft 15." Available online at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf, July 19, 2004.

    [Username04] Nadalin, Anthony, et al., "Web Services Security Username Token Profile 1.0." Available online at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf, March 15, 2004.

    [WSSecurity02] Atkinson, Bob, et al., "Web Services Security (WS-Security) Version 1.0." Available online at http://www-106.ibm.com/developerworks/webservices/library/ws-secure/, April 5, 2002.

    [WSSecurity04] Nadalin, Anthony, et al., "Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)." Available online at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf, March 15, 2004.

    [WSTrust04] Anderson, Steve, et al., "Web Services Trust Language (WS-Trust) Version 1.1." Available online at http://www-106.ibm.com/developerworks/library/ws-trust/, May 2004.

    [X50904] Hallam-Baker, Phillip, et al., "Web Services Security X.509 Certificate Token Profile 1.0." Available online at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf, March 15, 2004.

    [XMLC14N] Boyer, John, et al., "Canonical XML Version 1.0, W3C Recommendation." Available online at http://www.w3.org/TR/xml-c14n, March 15, 2001.

    [XMLEncrypt02] Eastlake, Donald, et al., "XML Encryption Syntax and Processing." Available online at http://www.w3.org/tr/xmlenc-core, August 2, 2002.

    [XMLSig02] Eastlake, Donald, et al., "XML Signature Syntax and Processing." Available online at http://www.w3.org/tr/xmldsig-core, February 12, 2002.

    [XPATHF02] Boyer, John, et al., "XML-Signature XPATH Filter 2.0." Available online at http://www.w3.org/tr/xmldsig-filter2, July 18, 2002.

Chapter 12

    [AnalystsNotebook] Investigative Analysis Software, Analyst's Notebook homepage. Available online at http://www.i2inc.com.

    [Argus] QoSient, LLC. Argus homepage. Available online at http://www.qosient.com/argus/index.htm.

    [MOWS04] Sedukhin, Igor. Web Services Distributed Management: Management of Web Services (WSDM-MOWS) 1.0, Committee Draft. OASIS, 2004. Available online at http://docs.oasis-open.org/wsdm/2004/12/wsdm-mows-1.0.pdf, December 10, 2004.

    [MUWS04] Vambenepe, William, Web Services Distributed Management: Management Using Web Services (MUWS 1.0) Part 1, Committee Draft. OASIS, 2004. Available online at http://docs.oasis-open.org/wsdm/2004/12/wsdm-muws-part1-1.0.pdf, December 9, 2004.

    [Netmap] Sourceforge.net, NetMap Generator homepage. Available online at http://netmap.sourceforge.net/.

    [NMAP04] Insecure.org, "Nmap Free Security Scanner, Tools & Hacking Resources." Available online at http://www.insecure.org.

    [ORA98] Couchman, Jason S., ORACLE Certified Professional DBA Certification Exam Guide. McGraw Hill, 1998: pp. 469–478.

    [Prelude] Prelude Project, "Prelude Hybrid IDS." Available online at http://www.prelude-ids.org.

    [Snort] Snort.org, "Snort: The Open-Source Intrusion Detection System." Available online at http://www.snort.org.

    [TCPTrace] TCP Trace homepage. Available online at http://jarok.cs.ohiou.edu/software/tcptrace/tcptrace.html.

    [Tripwire] Tripwire, Inc. Tripwire home page. Available online at http://www.tripwiresecurity.com.

    [W3Clog] Hallam-Baker, Phillip and Brian Behlendorf, "Extended Log File Format, W3C Working Draft WD-logfile-960323." Available online at http://www.w3.org/TR/WD-logfile.html.

    [XMLEvents03] McCarron, Shane, et al., "XML Events: An Events Syntax for XML." W3C, 2003. Available online at http://www.w3.org/tr/xml-events/, October 14, 2003.

Chapter 13

    [Gambetta00] Gambetta, Diego, "Can We Trust Trust?" Trust: Making and Breaking Cooperative Relations, electronic edition, edited by Diego Gambetta. Department of Sociology, University of Oxford, 2000: pp. 213–237. Available online at http://www.sociology.ox.ac.uk/papers/gambetta213-237.pdf.

    [Good00] Good, David, "Individuals, Interpersonal Relations and Trust." Trust: Making and Breaking Cooperative Relations, electronic edition, edited by Diego Gambetta. Department of Sociology, University of Oxford, 2000: pp. 31–48. Available online at http://www.sociology.ox.ac.uk/papers/good31-48.pdf.

    [Luhmann00] Luhmann, Niklas, "Familiarity, Confidence, Trust: Problems and Alternatives." Trust: Making and Breaking Cooperative Relations, electronic edition, edited by Diego Gambetta. Department of Sociology, University of Oxford, 2000: pp. 94–108. Available online at http://www.sociology.ox.ac.uk/papers/luhmann94-107.pdf.

    [OSI94] International Standards Organization, "ISO 7498-1 Information Processing Systems – Open Systems Interconnection – Basic Reference Model: The Basic Model," Technical Report, 1994.

    [RFC3324] Watson, M., "RFC-3324 Short Term Requirements for Network Asserted Identity." Available online at http://www.ietf.org/rfc/rfc3324.txt.

    [Websters04] Merriam Webster, "Merriam Webster Online." Available online at http://www.m-w.com.

    [Williams00] Williams, Bernard, "Formal Structures and Social Reality." Trust: Making and Breaking Cooperative Relations, electronic edition, edited by Diego Gambetta. Department of Sociology, University of Oxford, 2000: pp. 3–13. Available online at http://www.sociology.ox.ac.uk/papers/williams3-13.pdf.

    [WSFederation03] Bajaj, Siddharth, et al., "Web Services Federation Language (WS-Federation)." Available online at http://www-106.ibm.com/developerworks/webservices/library/ws-fed/, July 8, 2003.

    [WSTrust04] Anderson, Steve, et al., "Web Services Trust Language (WS-Trust) Version 1.1." Available online at http://www-106.ibm.com/developerworks/library/ws-trust/, May 2004.

Chapter 14

    [SAML03] Maler, Eve, et al., "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1." Available online at http://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf, September 2, 2003.

    [SAML04] Hughes, John, et al., "Technical Overview of the OASIS Security Assertion Markup Language (SAML) Version 1.1." Available online at http://www.oasis-open.org/committees/documents.php?wg_abbrev=security, July 22, 2004.

    [WSFederation03] Bajaj, Siddharth, et al., "Web Services Federation Language (WS-Federation)." Available online at http://www-106.ibm.com/developerworks/webservices/library/ws-fed/, July 8, 2003.

    [WSMetadata04] Ballinger, Keith, et al., "Web Services Metadata Exchange (WS-MetadataExchange)." Available online at http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-metadataexchange.pdf, September 2004.

    [WSSecureConversation04] Anderson, Steve, et al., "Web Services Secure Conversation Language (WS-SecureConversation), Version 1.1." Available online at http://www-106.ibm.com/developerworks/library/ws-secon/, May 2004.

    [WSSecurity04] Nadalin, Anthony, et al., "Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)." Available online at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf, March 15, 2004.

    [WSTrust04] Anderson, Steve, et al., "Web Services Trust Language (WS-Trust) Version 1.1." Available online at http://www-106.ibm.com/developerworks/library/ws-trust/, May 2004.

    [XACML03] Godik, Simon, et al., "eXtensible Access Control Markup Language (XACML) Version 1.0." Available online at http://www.oasis-open.org/committees/download.php/2406/oasis-xacml-1.0.pdf, February 18, 2003.

    [XBULK02] Hughes, Merlin, editor, "XML Key Management Specification Bulk Operations." W3C Working Draft. Available online at http://www.w3.org/TR/xkms2-xbulk/, March 18, 2002.

    [XKMS04] Hallam-Baker, Phillip, editor, "XML Key Management Specification Version 2.0." Available online at http://www.w3.org/TR/xkms2/, April 5, 2004.

Chapter 15

(none)

Chapter 16

    [iAnywhere] iAnywhere Solutions homepage. Available online at http://www.ianywhere.com.

    [IBM03] Studwell, Thomas, et al., "Adaptive Services Framework Version 1.0." Available online at http://www-03.ibm.com/autonomic/pdfs/Cisco_IBM_ASF_100.pdf, October 14, 2003.

    [Kocher03] Kocher, Paul, et al., "Self-Protecting Digital Content, A Technical Report from the CRI Content Security Research Initiative." Cryptography Research, Inc. (CRI), 2003. Available online at http://www.cryptography.com/technology/spdc/white_papers.html.

    [ODRLNet] Open Digital Rights Initiative Homepage. Available online at http://odrl.net.

    [ODRL02] Iannella, Renato, "Open Digital Rights Language (ODRL) Version 1.1," W3C Note. Available online at http://www.w3c.org/TR/2002/NOTE-odrl-20020919, September 19, 2002.

    [REL04] DeMartini, Thomas, et al., "Web Services Security Rights Expression Language (REL) Token Profile 1.0." Available online at http://docs.oasis-open.org/wss//oasis-wss-rel-token-profile-1.0.pdf, December 19, 2004.

    [Rightscom03] Rightscom Ltd, "The MPEG-21 Rights Expression Language, A White Paper," Version 1.0. Available online at http://www.contentguard.com/whitepapers/MPEG21_REL_whitepaper_Rightscom.pdf, July 14, 2003.

    [XrML] XrML Organization Homepage. Available online at http://xrml.org.

Appendix A

    [CIS04a] The Center for Internet Security. Available online at http://www.cisecurity.org, 2004.

    [IATF02] Information Assurance Solutions Technical Directors, "Information Assurance Technical Framework Release 3.1." Available online at http://www.iatf.net/framework_docs/version-3_1/index.cfm, September 2002.

    [NSAIAD04] National Security Agency, "Information Assurance Directorate, Central Security Service." Available online at http://www.nsa.gov/snac/, 2004.

    [OSI94] International Standards Organization, "ISO 7498-1 Information Processing Systems – Open Systems Interconnection – Basic Reference Model: The Basic Model," Technical Report, 1994.

    [RFC2504] Guttman, E., et al., "RFC-2504 User's Security Handbook." Available online at http://www.ietf.org/rfc/rfc2504.txt, February 1999.

    [RFC3838] Barbir, A., et al., "RFC-3838 Policy, Authorization, and Enforcement Requirements of the Open Pluggable Edge Services (OPES)." Available online at http://www.ietf.org/rfc/rfc3838.txt, August 2004.

    [SUN04] Sun Microsystems, "How to Develop a Network Security Policy: An Overview of Internetworking Site Security." Available online at http://itpapers.zdnet.com/whitepaper.aspx?scid=285&kw=&dtid=0&sortby=dated&docid=984.

Appendix B

(none)