Can someone please let me know which topics are included in "message level security" with regard to certification? I am getting loads of different results when googling, so I would like to keep the topic scope to certification only. I found that the following topics discuss message level security, but it looks like a very huge topic in itself. Can you help me narrow down the scope?
- Configuring Message Security Using XWSS
- XML Digital signature API
- XKMS (XML Key Management Specification)
- SAML (Security Assertion Markup Language)
- XML Digital Signature API
Do you have Ivan Krizsan's version 5 of the exam study guide? If not, you can sign up for a free slideshare.com account to download one.
In Ivan's notes, he talks about message level security vs HTTPS.
HTTPS:
- encrypt the whole message
- intermediate nodes cannot decrypt the whole message and that is why the message cannot be sent via intermediate nodes.
- message is decrypted once it leaves the wire. Security is not guaranteed at the time it arrives at the receiver.
Message level security:
- encrypt only part(s) of the message
- intermediate nodes don't need to decrypt those parts and can still process other part(s) the nodes understand.
- message is encrypted when it leaves the wire. Security is guaranteed.
For those topics:
Configuring Message Security Using XWSS
- XML Encryption - need to know WS-Security uses it to encrypt a message, read MZ's notes version 5 for details.
- XML Digital signature API - need to know enveloping signature, enveloped signature, detached signature
- XKMS (XML Key Management Specification) - manages key creation, recovery, registration...
- SAML (Security Assertion Markup Language) - need to know it is used for single sign-on (SSO), authentication and authorization.
- XACML - for access control (authorization)
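
The message level side of the comparison above, as an added example that is not from the original posts or from the study notes: only the body is encrypted, an intermediary without the key routes on the cleartext header, and the final receiver decrypts. It uses plain AES-GCM from `javax.crypto` on a constructed `Envelope` class instead of XML Encryption/XWSS; all class, field and sample names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added illustration; the message layout and all names are constructed.
public class MessageLevelDemo {
    static final class Envelope {
        final String routeTo;       // header part: cleartext, readable by every node
        final byte[] iv;            // per-message nonce for AES-GCM
        final byte[] encryptedBody; // body part: readable only by the key holder
        Envelope(String routeTo, byte[] iv, byte[] encryptedBody) {
            this.routeTo = routeTo; this.iv = iv; this.encryptedBody = encryptedBody;
        }
    }
    // Sender: encrypts only the body part, leaves the header as it is.
    static Envelope seal(SecretKey key, String routeTo, String body) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return new Envelope(routeTo, iv, c.doFinal(body.getBytes(StandardCharsets.UTF_8)));
    }
    // Intermediary: holds no key, processes the header it understands, forwards the rest.
    static String route(Envelope e) {
        return "forward to " + e.routeTo + " (" + e.encryptedBody.length + " opaque body bytes)";
    }
    // Final receiver: decrypts the body; GCM rejects a body altered in transit.
    static String open(SecretKey key, Envelope e) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, e.iv));
        return new String(c.doFinal(e.encryptedBody), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // shared by sender and final receiver only
        Envelope e = seal(key, "billing-service", "<amount>100</amount>"); // constructed sample
        System.out.println(route(e));     // the intermediary never sees the body
        System.out.println(open(key, e)); // the receiver recovers the body
        e.encryptedBody[0] ^= 1;          // simulate modification at an intermediate node
        try {
            open(key, e);
        } catch (javax.crypto.AEADBadTagException ex) {
            System.out.println("tampered body rejected");
        }
    }
}
```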