Standards for Technology in Automotive Retail
STAR Web Services Message-Level Security is based on [WS-Security 2004], [WS-Security 2004Addendum], [XMLDSIG] and [XMLEncryption].
STAR Web Services provides five options for Identification and Authentication of a message sender at the Message-Level:
Digital Certificate associated with a Digital Signature on the message
Username with Password hash
Username and Password in clear-text over HTTPS
Username with Password encrypted, enabled by out-of-band Digital Certificate
Binary Security Token shared secret
Digital Signatures applied to a message MUST be in full compliance with [XMLDSIG], [WS-Security 2004] and [WS-Security 2004Addendum]. STAR RECOMMENDS that a digital certificate (and its associated private key), rather than a password-derived key, be the basis for the signature; passwords should not be used as the basis for a digital signature.
STAR does not define how a message receiver validates a Username / Password. If a Username / Password combination is employed, the message MUST be compliant with the UsernameToken Profile of [WS-Security 2004]. In this option the Password is not sent as part of the message; instead a PasswordDigest is sent, which [WS-Security 2004] defines as the Base64 encoding of the SHA-1 hash of the concatenation of:
A nonce chosen by the sender for this message
A creation timestamp
The Password itself
The receiver recomputes the digest from its own copy of the password and compares it with the value received. The nonce and creation timestamp exist so the receiver can reject a replayed message; a receiver that does not check them gains nothing over a clear-text password.
STAR Web Services Messages may contain clear-text Username / Passwords only if they are transported over HTTPS. In this option SSL/TLS provides encryption of all data in transit; the password is still visible to the receiver and to any intermediary that terminates the TLS connection, so this option offers no message-level protection of its own.
Username / Password Encrypted out-of-band Digital Certificates
In this option, the Username is sent as clear-text and the Password is sent encrypted in accordance with [XMLEncryption] and [WS-Security 2004]. The digital certificate required to encrypt the Password is exchanged out-of-band between the receiver and the sender. The sender encrypts the Password using the receiver's public key; the receiver decrypts it using its private key. Because the certificate is obtained out-of-band, the sender should confirm its fingerprint through that same channel before use, since encrypting to a substituted key would disclose the password to whoever holds it.
Binary Security Token shared secret
In this option, the parties agree on the format of a binary token that serves as a shared secret. This token is exchanged out-of-band between the parties and is used as the basis for encryption and decryption of the message; the message carries a reference to it as a [WS-Security 2004] BinarySecurityToken rather than the secret itself.
Beginning in 2007 STAR will support SAML as an approved message-level security protocol for the STAR Web Service. SAML is an XML-based framework for communicating security and identity information between computing entities. SAML promotes interoperability between disparate security systems by providing a common language and semantics for exchanging security details.
There are currently several versions of SAML in wide use and security appliance vendors may support some versions of SAML but not others. The STAR Web Service implementation of SAML has been designed to be version-neutral to allow for maximum flexibility for those members wishing to implement it.
For detailed SAML implementation information, please refer to the 2007 edition of the STAR Web Services Specifications document.