10th International World Wide Web Conference (WWW10)
Hong Kong, May 1-5, 2001
Review by Mary Ellen Zurko
July 10, 2001
The 10th International World Wide Web conference was held May 1 - 5 in Hong Kong. All papers and posters, and some presentations are available off www10.org.hk/. This report highlights items of interest to security folks.
Tim Berners-Lee gave the initial keynote talk at WWW10, "The Web, Phase Two". His presentation is at www.w3.org/2001/Talks/0501-tbl/slide1-0 . His architecture for the future of the web included what he terms social protocols, which includes privacy, XML signatures, XML encryption, Digital Rights Management, and P3P. He said that the bar is set too low for patents; there is no good search, and there's an incentive to make them obscure so that it's hard to find out the applicability. Workflow particularly interests Tim currently. He sees it as a function of all messages, with multiple agents, somewhat based in pi calculus. He asked everyone to think about what alternative technologies we'd like to build if we could from a clear plot of land up (hardware, software, infrastructure, everything). There are needs for privacy and security functions outside an organization, but companies need assurances to use them. Tim thinks trust is important; it requires proofs and XML signatures. Agents need trust (so they can operate on our behalf).
Chris Jones of Microsoft gave a keynote talk, "Next Generation Internet Opportunities". Privacy in the form of P3P support will be in IE. It gives users control of their data. They can, for example, always prompt when they receive a cookie. I asked Microsoft at their booth if I will be able get the desirable cookie behavior I currently have with Navigator then (I don't accept cookies that are not restricted to the originating server, and I get a prompt on the others). They will allow users to specify 1st party or 3rd party cookie actions. The prompt will give you the options to allow, deny, and to see more with detail including the P3P policy (called the compact policy). I put in a plea for a weenie option where all the details would always be shown (because that's what I want), but I understood that they might not want to support it. With Hailstorm, we each have a web service working for us. The user identity is managed by the privacy web service. The identity service is Passport. The Hailstorm success factors include privacy and security. The Q&A after the Microsoft presentation was the most robust I saw at the conference. Attendees were irate that IE6 will not have full XHTML support, which leads to problems with math and SVG support. The Microsoft party line of using namespaces and plug-ins brought comments about plug-in hell and namespace collision. One comment called Hailstorm the most far reaching and least concrete topic they covered. There were questions about deployment, scaling, reliability, and cost and concern that it would be a set of services run by Microsoft. The reply was that companies can use and extend it, though there will be federation issues. There will calls for full CSS1 support in IE for the Mac, and the HTML that Powerpoint generates to follow standards. Chris replied that they have compatibility issues with the HTML generation issues.
John S. Chen of Sybase gave a keynote talk called "Best Practices in Moving your Business to the Web". He emphasized building an extensible and open foundation for the web. According to a Gartner Group survey on budgets, enhancing security is the #2 Top IT Priority. According to the same survey, of the Top 10 Business trends by impact (pain points), #4 is growing security and privacy concerns. The typical Fortune 2000 company is operating in 6 countries with heterogeneous hardware and networking, multiple DBMS systems and 52 applications. When questioned about standards and interoperability, he said they were required for his vision of the foundation, and mentioned J2EE, Java Enterprise Beans, and adapter APIs.
Robert S. Sutor: of IBM Corporation gave a keynote on "Web Services: Growing Business on the Internet without Chaos". His vision is that businesses come to each other and invoke services with the appropriate security, reliability and privacy. He's projecting an architecture that moves from tightly coupled systems (monolithic applications) to loosely coupled systems (choreographed, scripted components). IBM strategy is to support and help lead open standards such as W3C, OASIS, and ebXML, and to produce quality code and make it available through alpha Works. He sees Universal Description, Discovery and Integration (UDDI) based registries for business services at a very low level, that can be used inside the firewall. Other services/brokers will indicate that quality of companies, like a "Better Business Bureau", using SOAP messages. Service negotiation may include a choice of security. Security and privacy cut across all levels of his architectural document. We need security standards, privacy policies, etc.
There was a panel on "Internet Privacy Approaches Around the World". The slides from the talk by Stepen Lau, Privacy Commissioner for Personal Data, Hong Kong SAR, are at www10.org.hk/program/society/sn1/Sp030501_files/v3_document.htm. The data privacy complaints in HK are 70% Private sector, 20% public sector, and 10% personal. The slides outline the ordinance and other guidelines in effect. They want win-win approach; they do not want to impede business. They asked businesses about the benefits from data privacy protection ordinance. From 1997 to 2000, the percentage of companies seeing a benefit in terms of public image of the organization, personal data management, customer relationship, employee relationship, and accuracy of data records has increased. Rigo Wenning, a policy analyst for W3C, presented the European lawyer perspective. The early privacy law in Germany in 1970 was initially a defense against governments registering citizens. The OECD guidelines in 1981 provided a base line for protection to allow data flow, because of a fear that trans-border data flow would be inhibited and cause problems for economic development. In 1984 the German court said that data protection is a human right. Rigo typifies European models as split between the French committee model, which is adaptable, and the German/Scandinavian model, which uses rules. There is a notion of data self determination, a prohibition of processing of data without consent unless there is a law/provision specifically allowing it. There are a large array of laws allowing normal business. The US is seen as a crime haven where data can leak. He sees the future including new regulations in telemarkets and ecommerce and improving the situation with technology (anonymizers, pseudonymous use, etc.). John Bacon-Shone of the University of Hong Kong emphasized the need for user trust and confidence that would come from knowledge of what happens to personal data. Otherwise, people will assume the worst. Surveys on the importance of privacy are naive. When one asks "Does privacy affect your purchasing decision", of course people say yes. Some types of data are more sensitive than others, both personally and culturally. They did surveys on a range of data and how private it is considered to be. Religion was at bottom of the scale in HK. In mainland China, he imagines it's different (at least for Catholics). Personal income is very personal in HK. In some European countries it's a matter of public record.
There were three security papers and one privacy paper (in the E-Commerce session).
The E-Commerce session was chaired by Oliver Spatscheck (AT&T Research).
"On Granting Limited Access to Private Information" by Frans A. Lategan and Martin S. Olivier (Rand Afrikaans University) was presented by Frans. The paper describes a classification of private information based on the purpose it was gathered for. The categories are: 1) used to verify the result of a calculation, 2) required for a third party for purposes directly linked to the transaction, 3) might be required for future use, 4) identification or authentication of customer, 5) necessary for use by the requesting organization to complete the transaction, and 6) everything else. The paper then gives an example book buying application that uses their proposed protocol. The protocol is Kerberos based. It uses privacy policies of both the customer and vendor to determine which information should change hands. It uses Kerberos tickets to give third parties access to required information, and to implement time outs on using information via the trusted services. Q&A pointed out that some categories are more specific than others. Perhaps there are other categories that are not included and that are interesting, such as profiling or marketing uses. This involves extra work for businesses and users, and it's not clear what incentives would support a structure like this. Trading information for other information seemed not to be covered. Customers need to make a lot of decisions at the time of a transaction on the use of information (such as how long into the future a valid use might occur).
The Access Control & Security session was chaired by Jose Kahan (W3C/INRIA).
"Fine Grained Access Control for SOAP e-Services" by Ernesto Damiani, (University of Milan), Sabrina De Capitani di Vimercati, Stefano Paraboschi and Pierangela Samarati was presented by Ernesto. The work adds fine grained authorizations to SOAP in the XML payload. It supports identity, location, groups or roles as the subject of an authorization. Their DTD for> their custom header entry for SOAP subject credentials also includes issuer and validity information. They give an example using XML-SPKI. The evaluation of a request produces a filtered version of the SOAP request tree. They have a requirement for the authorization information to be easily human readable in XML format. Q&A brought out that one of their milestones is user testing in the OASIS membership. There was some concern that their pruning authorization filter would produce invalid XML from valid. The scheme on SOAP calls is very loose. They can apply the pruning to any XML document, even if they don't know the DTD.
"Protecting Web Servers from Distributed Denial of Service Attacks" by Frank Kargl, Joern Maier, and Michael Weber (University of Ulm) was presented by Michael. The paper categories DOS attacks into system attacks vs. attacks on part of the system (such as the TCP/IP stack), and bug vs. overload attacks. The architecture of DDOS tools such as Trinoo, Tribe Flood Network, TFN2K and stacheldraht is discussed. Their protection environment is based on Class Based Routing mechanisms in the Linux kernel and a prepended load balancing server (Linux Virtual Server). Firewalls protect the servers from unauthorized access. If a possible DoS attack is detected, it gradually slows down traffic from the origination IP address by assigning it to slower and slower queues. Outgoing traffic to that IP is also slowed down. They conducted a number of performance tests with different DDoS attacks. The environment does not protect CPU attacks through CGI scripts. Most attack tools use bandwidth. Q&A brought out that the tool is absolutely automated ; there is no log checking. It is not available in open source software yes, but if you send the authors email and you'll get it. It's based on MS thesis work. There was some discussion about the threatened cyber war escalation. We were in China around May 1, and it was also the 82 year anniversary of the 1919 student movement. The overhead for running the environment is "really low" but there is no information in the paper. You can configure how often to check the queues. Someone pointed out that the trend towards web services will also institute CPU overhead (and be a potential target). Everything on the server side with high CPU vs. communication load is still a problem for this approach.
"Batch Rekeying for Secure Group Communications" by Xiaozhou Steve Li, Yang Richard Yang, Mohamed G. Gouda, and Simon S. Lam (University of Texas at Austin) was presented by Xiaozhou Steve. Their work looks at key graphs for group key management, in particular key trees and key stars. Batch rekeying addresses inefficiency and out-of-sync problems. They have developed a marking algorithm for key trees to control where to place new users and minimize the number of encryptions and keep the key tree balanced. They performed worst and average case analysis, and some simulations. If the number of requests is not large in a batch, four is the best key tree degree. Otherwise, key star outperforms small-degree key trees. Q&A brought out that they are working on developing security vs. performance tradeoff recommendations for particular application domains that specify what rekey interval is appropriate. Their recommendations on degree size hold whether or not the number of joins is the same as the number of leaves. They plan to implement their work in an applications.
Developer's Day www10.org.hk/program/w10-devday.html started with
some finance keynotes. There were a bunch of last minute substitutions, so
I'm not sure exactly who gave just what talk. A local VP from MasterCard
gave a talk with a bunch of fascinating tidbits. There is no inter bank
clearing in China. Businesses have 5 terminal to process credit cards.
There is a current effort to set up a central switching for inter-bank card
clearing and settlement in 16 cities. He also talked about a bunch of
different Asian smart card efforts, many of which used Mondex. Many use a
MULTOS based chip, can load new applications, and handle loyalty points and
public key certificates. MULTOS has an E6 ITSEC security certification,
which he said is that highest by a chip OS so far. He said that MasterCard
fraud is 8 basis points (.08%) while MasterCard Internet fraud is 1/2 a
basis point (.005%). They are looking at having a data field that
identifies internet transactions. In the future, "true" credit cards take
off in PRC (more people are asking for bank loans right now) and more
cities will be linked up to nationwide card clearing systems. B2B
e-commerce will become more common. Chip deployment will offer multiple