OASIS Specification Template s2


Web Services Quality Factors v1.0

Draft, 284 December October 2007

Artifact Identifier:
    wsqm-ws_quality_factors-wd-v1.0-r041
Location:
    http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsqm
Artifact Type:
    WS-QualityFactorsl
Technical Committee:
    OASIS Web Services Quality Model TC
Chair(s):
    Eunju Kim, National Information Society Agency
    Dugki Min, Konkuk University
Editor(s):
    Eunju Kim, National Information Society Agency
    Yongkon Lee, Korea Polytechnic University
    Guil Kang, National Information Society Agency
OASIS Conceptual Model topic area:
    Web Services, SOA
Abstract:
    There are several specifications describing the quality of software, which do not consider the characteristics of service-oriented software. Therefore, a new way of describing the quality of Web services is needed. The purpose of this document is to provide the quality factors for Web Services quality management and the standard for quality factors in developing and using Web Services. Thus, we define consistent and acceptable conceptual factors of Web Services quality, agreed on by the associates directly or indirectly involved.

    This document proposes Web Services quality factors that have service-oriented characteristics. These quality factors are composed of three groups, namely the Business Value Quality Group, the Service Measurement Quality Group and the System Information Quality Group, from the point of view of obtaining the quality information. Each group has several quality factors, each of which has several sub-quality factors.

    This document provides criteria for the quality of Web Services for defining the test guideline and the requirements that arise in reciprocal actions (i.e. development entrustment, various contracts, quality specification, operation entrustment, operation management, etc.) between Web Services associates. This document can be used when contracting the Web Services quality level between Web Services providers and consumers, and when supervising the Web Services for compliance with the contracted quality level. This document describes the definition, classification, sub quality factors and related standards.
Status:
    This document was last revised or approved by the WSQM TC on the above date. The level of approval is also listed above. Check the current location noted above for possible later revisions of this document. This document is updated periodically on no particular schedule.

    Technical Committee members should send comments on this specification to the Technical Committee’s email list. Others should send comments to the Technical Committee by using the “Send A Comment” button on the Technical Committee’s web page at www.oasis-open.org/committees/wsqm.

    For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (www.oasis-open.org/committees/wsqm/ipr.php).

    The non-normative errata page for this specification is located at www.oasis-open.org/committees/wsqm.

wsqm-ws_quality_factor-cd-v1.0-r04 28 December31 October 2007
Copyright © OASIS Open 2007. All Rights Reserved. Page 1 of 35

Notices

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.

OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.

Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

The names "OASIS", [insert specific trademarked names and abbreviations here] are trademarks of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see http://www.oasis-open.org/who/trademark.php for above guidance.

Table of Contents

1 Introduction
    1.1 What is Web Service Quality Factors?
    1.2 Terminology
    1.3 Normative References
2 Business Value Quality
    2.1 Definition and Classification
        2.1.1 Definition
        2.1.2 Classification
    2.2 Sub Quality Factors
        2.2.1 Service Cost
        2.2.2 Service Suitability
        2.2.3 Service Aftereffect
        2.2.4 Service Brand Value
    2.3 Relationships to Other Standards
3 Service Level Measurement Quality
    3.1 Definition and Classification
        3.1.1 Definition
        3.1.2 Classification
    3.2 Sub Quality Factors
        3.2.1 Performance
        3.2.2 Stability
    3.3 Relationships to other standards
4 Suitability for Standards
    4.1 Definition and Classification
        4.1.1 Definition
        4.1.2 Classification
    4.2 Sub Quality Factors
        4.2.1 Conformability
        4.2.2 Interoperability
    4.3 Relationships to other standards
5 Business Process Quality
    5.1 Definition and Classification
        5.1.1 Definition
        5.1.2 Classification
    5.2 Sub Quality Factors
        5.2.1 Reliable Messaging
        5.2.2 Transaction Processing Capability
        5.2.3 Collaborability
    5.3 Relationship to other Standards
6 Manageability Quality
    6.1 Definition and Classification
        6.1.1 Definition
        6.1.2 Classification
    6.2 Sub Quality Factors
        6.2.1 Management Information Offerability
        6.2.2 Observability
        6.2.3 Controllability
    6.3 Relationship to other Standards
7 Security Quality
    7.1 Definition and Classification
        7.1.1 Definition
        7.1.2 Classification
    7.2 Sub Quality Factor
        7.2.1 Confidentiality
        7.2.2 Integrity
        7.2.3 Authentication
        7.2.4 Access Control
        7.2.5 Non-Repudiation
        7.2.6 Availability
        7.2.7 Traceability
        7.2.8 Privacy
        7.2.9 Distributed Authorization
    7.3 Relationship to other Standards
8 Appendix
A. Acknowledgements
B. Non-Normative Text
C. Revision History

1 Introduction

Unlike existing software, Web Services are used remotely, as a service, when needed, so they are fundamentally considered to be loosely coupled with the application. This service-oriented characteristic requires a new software paradigm, which changes the way software is delivered from installation to distributed service. Furthermore, in order to unify automated services that are not tied to a variety of applications, Web Services use defined XML-based standard protocols when extension is needed. Accordingly, there is a strong need to set a new definition of quality that fulfils the service-oriented characteristics of Web Services based on standard protocols, and hence the requirements of interested parties.

This document defines Web Service quality characteristics in a quantitative or qualitative manner, excluding the traditional functionality of the service. To make the best use of Web Services quality, it is essential to have a guideline and a detailed implementation notation. Therefore, we present five correlated but independent specifications, i.e. WS-Quality Model, WS-Quality Factors, WS-Quality Description Language, WS-Quality Test Guideline, and WS-Quality Use Case.

The specifications consist of the following five family specifications:
• WS-Quality Model (WS-QM) defines a conceptual model for Web Services quality and defines the concept, role and reciprocal action between quality associates, quality activities and quality factors in the lifecycle of Web Services.
• WS-Quality Factors (WS-QF) defines a set of attributes which is used to represent and evaluate the quality of a web service.
• WS-Quality Description Language (WS-QDL) provides a basic description method in the form of an XML schema standard in order to standardize the expression of Web Service quality which is exchanged between Web Service quality associates.
• WS-Quality Test Guideline (WS-QTG) provides a guideline for the process, methods and architecture used to measure and evaluate the quality level of Web Services.
• WS-Quality Use Case (WS-QUC) provides a number of use cases as best practices that Web Services quality associates could be faced with in the process of developing and using Web Services.

1.1 What is Web Service Quality Factors?

The Web Services Quality Factors are primarily selected, for planning, implementing and evaluating Web Services, from among the software quality characteristics provided by ISO-9126. They are grouped into architecture, operation and business perspectives, and each quality factor is specified.

Web Services quality factors refer to groups of items that are used for representing and evaluating the quality of Web services.

Web Services quality factors can be divided into the system information quality group, the service measurement quality group and the business value quality group from the point of view of use by the consumer. (Please refer to the figure "Structure of Web Services quality factor".)

[Figure: the three quality groups and their quality factors.
Business Value Quality Group: Business Value Quality (Service Cost, Service Suitability, Service Aftereffect, Service Brand Value).
Service Measurement Quality Group: Service Level Measurement Quality (Performance, Stability).
System Information Quality Group: Business Process Quality (Reliable Messaging, Transaction Processing Capability, Collaborability); Suitability for Standards (Conformability, Interoperability); Manageability Quality (Management Information Offerability, Observability, Controllability); Security Quality (Confidentiality, Integrity, Authentication, Access Control, Non-Repudiation, Availability, Traceability, Privacy, Distributed Authorization).]

Structure of Web Services quality factor

Business value quality group refers to a group of quality factors that can be referred to for deciding the business value of a service when a consumer chooses a particular Web Service. Business value quality consists of service cost, service suitability, service aftereffect and service brand value.

Service measurement quality group refers to a group of measurable quality factors which can be measured while a consumer uses the Web Services. They consist of response time, maximum throughput, accessibility and successability. The measured value of a quality factor in this service measurement group can vary dynamically while the service is being used. Service level measurement quality consists of performance and stability.

System information quality group refers to a group of qualities concerning the systematic functionality of Web Services, which can be recognized and evaluated before a consumer uses the service. They consist of suitability for standards, business process quality, manageability quality and security quality. All the factors in this quality group are determined as soon as the service development is completed. Firstly, suitability for standards consists of conformability and interoperability. Secondly, business process quality consists of message reliability, transaction processing ability and business process collaboration ability. Thirdly, manageability quality consists of management information offerability, observability and controllability. Fourthly, security quality consists of confidentiality, integrity, authentication, access control, non-repudiation, availability, traceability, privacy and distributed authorization.

1.2 Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].

1.3 Normative References

[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.

2 Business Value Quality

2.1 Definition and Classification

2.1.1 Definition

Business Value Quality is a quality factor that can be referred to in assessing the degree of consistency with the business purpose. It is either determined by a service provider or evaluated by a consumer who assesses the alignment with the business purpose. By considering this quality factor, a consumer can select a proper Web Service for generating business profit when using Web Services, and it also influences the evaluation of the price of the Web Service.

2.1.2 Classification

Business Value Quality is classified into Service Cost, Service Suitability, Service Aftereffect, and Service Brand Value. Service Cost represents the whole of the payment activities and is determined by a service provider, including information on price, penalty/compensation and billing. Service Suitability and Service Aftereffect represent how business value will be brought into the company and are determined by analyzing the gap between the expected result and the requirement from a consumer. Service Brand Value represents a collection of reputation; this intangible asset is an estimation of the present or future profit which can be gained by brand awareness alone.

2.2 Sub Quality Factors

2.2.1 Service Cost

This sub quality factor describes the level of payment for the value generated by using Web services. A competitive service cost means the same or better service value for a lower price. Service cost is composed of Price, Penalty/Compensation, and Billing.

• Price
  This refers to the price determined by a provider or a broker, as a reference based on the size of service, type of service, quality of service, service duration, billing method and policy that can be selected by a consumer. A provider determines the price with regard to not only the consumer/operation perspective but also the business-efficiency perspective of using Web services.

• Penalty/Compensation
  When either the contract is breached by a consumer or a loss of business opportunity occurs because of unsatisfactory quality from a provider, the penalty is charged to the consumer/provider. Also, when a business opportunity is lost, compensation is awarded to the consumer.

• Billing
  This refers to a method which estimates the price with regard to the timing of service, discount policy, cost, as well as Penalty/Compensation of Web services usage, which are all measured by metering (a method that measures usage of Web services by a consumer according to the type and frequency of contents).

2.2.2 Service Suitability

This refers to a quality attribute that determines whether a particular service is appropriate for the business operations of a consumer. To evaluate business suitability, evaluation criteria for a business area and the importance and necessity of an intended service are needed. Also, it should be evaluated from the perspective of a consumer that operates a business. Usability is a factor which indicates how consumer friendly a particular Web service is, and it is evaluated based on the usability and efficiency of the Web services.

• Business Suitability
  Business suitability is a quality attribute that determines how suitable a particular Web service is for a specific business need. It is evaluated based on the similarity between the business and service hierarchy, compliance with the business purpose and service description, and finally the degree of consumer satisfaction.

• Usability
  Usability is a quality attribute that evaluates how closely Web services are built around a consumer’s perspective. This includes evaluation criteria such as consumer interface suitability, a user friendly service desk and the accessibility of the maintenance system.

2.2.3 Service Aftereffect

Service Aftereffect is a quality attribute that quantitatively or qualitatively expresses the effects of a particular Web service on business. Service Aftereffects can appear from the business perspective, the profitability perspective or the consumer perspective. This plays an important role in determining the brand value of Web services.

• Business Effect
  This refers to an evaluation factor based on how Web services affected business profit, productivity, due date, and process optimization from a consumer’s perspective. A strong influence on business can be explained in two ways. Firstly, a service has a relationship with many businesses, so its coverage is wide. Secondly, a particular service can have a strong impact on a particular business so that the business relies heavily on the service. In the first case, a service that covers a wide area can be classified into shared services depending on the consumer’s demands or the surrounding environment. In the second case, it can be managed by measuring the dependency of a particular business on the service. In addition, this can be used as basic data for calculating ROI (Return on Investment), in case the business effects bring a profit.

• Return On Investment
  This refers to an attribute that evaluates earnings from the investment made by a Web services consumer as financial performance indicators.

• Consumer Satisfaction
  This refers to an attribute that indicates consumer satisfaction after Web Services have been used. This can be evaluated by surveying consumers’ opinions through on/off-line surveys when a consumer completes using the Web services. A high consumer satisfaction evaluation can be understood as positive consumer satisfaction regarding the service provided by Web services.

2.2.4 Service Brand Value

Service Brand Value is a collective reputation formed explicitly or implicitly by Web services consumers. It is determined by the sum of all Web services quality values. Service Brand Value influences trust in the price or quality of Web services. The brand value is estimated by calculating the total revenue and return on equity of Web Services.

• Recognition
  This refers to a quality that indicates how well potential service consumers recognize the existence, application area and quality of Web services before they use them. High recognition among potential consumers means a high probability that consumers choose a particular Web service when they come to use Web services. Recognition can be assessed by performing statistical research or on/off-line surveys.

• Reputation
  This refers to the majority of consumers’ opinions on the quality of Web Services. Reputation is evaluated by performing a survey or vote on Service Quality, Consumer satisfaction, and reliability.

2.3 Relationships to Other Standards

None.

3 Service Level Measurement Quality

3.1 Definition and Classification

3.1.1 Definition

Service Level Measurement Quality defines quantitative attributes which can be measured while Web services are in use. For example, as a quality that indicates how quickly Web services respond or how reliably Web services can be provided, it refers to a quality which a user can measure on the system and express numerically.

3.1.2 Classification

Service Level Measurement Quality can be sub-divided into Performance and Stability. Performance includes Response Time and Maximum Throughput, and Stability includes Availability, Accessibility, and Successability.

3.2 Sub Quality Factors

3.2.1 Performance

Performance is the provider’s processing capability for web services from the system perspective. In other words, it indicates how fast a request can be processed. This quality is composed of ‘Response time’ from the perspective of processing speed and ‘Throughput’ from the perspective of processing load.

• Response Time
  Response time refers to the duration from the time the Request Message is sent from a Web services user to the time the Response Message is returned to the Web services user. As shown in the figure "Response Time and Latency", this Response Time is the sum of three types of latency when requesting Web services.

  Client Latency refers to the time taken for processing the Request Message (t1-t2) and the Response Message (t7-t8) on the client system. In other words, it is the sum of the latency from the call of the client application to the Request Message actually being sent from the client, and the latency from the Response Message being received in the client system to its arrival at the client application.

  Network Latency refers to the time taken on the network for transmitting the Request Message (t2-t3) and the Response Message (t6-t7). In other words, it is the sum of the latency of the Request Message sent from a client to a Web Services server and the latency of the Response Message sent from the server to the client.

  Server Latency refers to the time taken from the Request Message being received in the server (t3-t4) to the Response Message being sent from the server (t5-t6). In other words, it is the sum of the latency of the Request Message sent from the server to the Web Services and the latency of the Response Message sent from the Web Services to the server.

  [Figure: timeline across Client Application, Client, Network, Server and Web Services. Request: t1, CL1, t2, NL1, t3, SL1, t4, SL2. Response: t5, SL3, t6, NL2, t7, CL2, t8.
  * CL: Client Latency, NL: Network Latency, SL: Server Latency, ti: Measurement Time]

  Response Time and Latency

  Response Time and the three types of Latency can be calculated by applying the following formulas.

  Client Latency = CL1 + CL2
  Network Latency = NL1 + NL2
  Server Latency = SL1 + SL2 + SL3
  Response Time = Client Latency + Network Latency + Server Latency

• Maximum Throughput
  Maximum Throughput refers to the maximum number of responses that can be processed in unit time and can be expressed as the following formula.

  $$\text{MaximumThroughput} = \max\left(\frac{\text{Number of Process During Measure Time}}{\text{Measured Time}}\right)$$

3.2.2 Stability

Stability indicates how well Web services can provide services in a stable manner. In other words, it represents an ability to continue services fault-tolerantly despite processing overload, system malfunction, natural disaster and intentional attack from a perpetrator. Stability includes Availability, Successability and Accessibility.

• Availability
  It is a measurement which represents the degree to which Web services are available in operational status. This refers to the ratio of time in which the Web Services server is up and running. As DownTime represents the time when the Web Services server is not available for use and UpTime represents the time when the server is available, Availability refers to the ratio of UpTime to measured time. To calculate Availability, it is more convenient to use DownTime than UpTime, and it can be expressed as the following formula.

  $$\text{Availability} = 1 - \frac{\text{DownTime}}{\text{MeasuredTime}}$$

wsqm-ws_quality_factor-cd-v1.0-r04 28 December31 October 2007 Copyright © OASIS Open 2007. All Rights Reserved. Page 15 of 35

• Accessibility
  Accessibility represents the probability that the Web services platform is accessible while the system is available. This is the ratio of receiving an Ack message from the platform when requesting services. That is, it is expressed as the ratio of the number of returned Ack messages to the number of request messages in a given time. To increase accessibility, a system needs to be built on an expansible architecture.

  $$\text{Accessibility} = \frac{\text{Number of Ack Messages}}{\text{Number of Requested Messages}}$$

• Successability
  Successability is the probability of returning responses after Web services are successfully processed. In other words, in a given time, it refers to the ratio of the number of response messages to the number of request messages after successfully processing services. 'Being successful' means the case that a response message defined in WSDL is returned. Here, it is assumed that a request message is an error-free message.

  $$\text{Successability} = \frac{\text{Number of Successful Responses}}{\text{Number of Requested Messages}}$$
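The three Stability ratios above can be computed from a request log. The following is an added example, not part of the OASIS text: the record fields, the sample data and the outage list are constructed, and it assumes Accessibility is counted only over requests sent while the server was up and Successability only over error-free requests across the whole window.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    t: float              # seconds from the start of the measurement window
    well_formed: bool     # the request message itself was error-free
    acked: bool           # the platform returned an Ack for the request
    valid_response: bool  # a response message defined in WSDL came back


def ratio(hits: int, total: int) -> Optional[float]:
    # With no traffic the ratio is undefined; do not report 0% or 100%.
    return hits / total if total else None


def stability_metrics(requests: List[Request],
                      outages: List[Tuple[float, float]],
                      measured_time: float) -> Dict[str, Optional[float]]:
    # Availability = 1 - DownTime / MeasuredTime, outages clipped to the window.
    down = sum(max(0.0, min(end, measured_time) - max(start, 0.0))
               for start, end in outages)
    availability = 1.0 - down / measured_time

    def server_up(t: float) -> bool:
        return not any(start <= t < end for start, end in outages)

    # Accessibility: Ack ratio, counted only while the system is available,
    # so an outage is not charged twice (once here, once in Availability).
    reachable = [r for r in requests if server_up(r.t)]
    accessibility = ratio(sum(r.acked for r in reachable), len(reachable))

    # Successability: WSDL-defined responses over error-free requests.
    clean = [r for r in requests if r.well_formed]
    successability = ratio(sum(r.valid_response for r in clean), len(clean))

    return {"availability": availability,
            "accessibility": accessibility,
            "successability": successability}


# Constructed sample: one-hour window with a 3-minute outage (600 s to 780 s).
SAMPLE_OUTAGES = [(600.0, 780.0)]
SAMPLE_REQUESTS = [
    Request(100, True, True, True),
    Request(200, True, True, True),
    Request(300, False, True, False),   # malformed request, excluded from Successability
    Request(650, True, False, False),   # sent during the outage
    Request(700, True, False, False),   # sent during the outage
    Request(900, True, True, True),
    Request(1500, True, False, False),  # server up but platform overloaded: no Ack
    Request(2000, True, True, False),   # Ack received, then a fault instead of a response
    Request(2500, True, True, True),
    Request(3000, True, True, True),
]

if __name__ == "__main__":
    for name, value in stability_metrics(SAMPLE_REQUESTS, SAMPLE_OUTAGES, 3600.0).items():
        print(f"{name}: {value:.3f}")
```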

3.3 Relationships to other standards

None

4 Suitability for Standards

4.1 Definition and Classification

4.1.1 Definition

Suitability for Standards defines the capability of a Web service to communicate with another Web service on a different system or platform. Although the main Web services technologies are standardized, they do not meet the full specification of the related standards due to a lack of understanding of the standards. Even when a Web service is implemented in conformance with the specification, communication problems can occur due to an incomplete specification or unique features of the platforms. Therefore, to improve utilization of Web services, it is necessary to check that services are implemented without being vendor-specific or carrying too much of the developers' own traits.

4.1.2 Classification

Suitability for Standards quality includes evaluation of the Conformability and Interoperability of Web services. Conformability evaluates how well a Web service conforms to standards. Interoperability indicates a level of communicating and utilizing information between Web services.

4.2 Sub Quality Factors

4.2.1 Conformability

Conformability evaluates whether Web services were built in conformance with the standards. As the main specifications of Web services are Message Exchange, Service Definition, Service Registration and Service Search, Conformability of Web services can be stated as follows.

• Message Exchange Conformability
  It evaluates the level of conformability of message exchange between Web services.

• Service Definition Conformability
  It evaluates the level of conformability of Web services definition and description.

• Service Search and Registration Conformability
  It evaluates the level of conformability of searching and registering common services used by Web services.

4.2.2 Interoperability

Interoperability indicates the degree to which messages are appropriately exchanged and used by using specifications. It includes Services Basic Interoperability and Services Security Interoperability. Services Basic Interoperability verifies whether Web services have a basic communication capability, and Services Security Interoperability does so for security among Web services.

• Services Basic Interoperability
  It represents the level of interoperability needed to exchange and use information among two or more Web services. This is an attribute to define the criteria for checking Web Services interoperability and to evaluate the level of conformability to an interoperability profile for registering, searching and exchanging messages.

• Services Security Interoperability
  It represents the level of interoperability of the security functions which are defined when exchanging information among two or more Web services.

4.3 Relationships to other standards

• WS-I Basic Profile 1.1: This is a profile for interoperability of SOAP, WSDL, UDDI and is administered by WS-I.
• WS-I Basic Profile 1.2: This is a profile for interoperability of SOAP, WSDL, UDDI and is administered by WS-I.
• WS-I Basic Security Profile Version 1.0: This is a profile for interoperability of Web services security and is administered by WS-I.
• WS-I Basic Security Profile Version 1.1: This is a profile for interoperability of Web services security and is administered by WS-I.
• WS-I Reliable Secure Profile 1.2: This is a profile for interoperability of reliable message and secured transmission. It is administered by WS-I. (WS-ReliableMessaging 1.1, WS-SecureConversation 1.3)
• WS-I Simple SOAP Binding Profile Version 1.2: This is a profile for interoperability of SOAP Binding and is administered by WS-I.

5 Business Process Quality

5.1 Definition and Classification

5.1.1 Definition

Business Process Quality defines performance indicators needed to represent functionality for collaboration among two or more Web Services, with features such as reliability of message transmission, transaction processing, and consensus collaboration scheme. By using this factor, a consumer can consistently find the optimal collaboration scheme to be achieved reliably and efficiently.

5.1.2 Classification

Business Process Quality can be classified into reliable messaging, transaction processing capability and collaborability. Firstly, reliable messaging refers to the degree to which messages are reliably exchanged among Web Services. Secondly, transaction processing capability refers to whether a Web Service has functionality for processing transactions. Thirdly, collaborability refers to the capability of composed Web services to process business collaboration.

5.2 Sub Quality Factors

5.2.1 Reliable Messaging

Reliable Messaging refers to guaranteeing that messages are exchanged without any errors, as senders or receivers intended. In order to guarantee reliable messaging, the framework used to exchange messages has to be stable and fault-tolerant. A message transmission mechanism that takes network errors into account also has to be in place. Therefore, to guarantee reliable messaging, four requirements have to be satisfied as follows:

• Transmitting at least once
  Each message has to be transmitted at least once, otherwise both receiver and sender have to issue an error message. In addition, the sender has to keep retransmitting the message until an Ack is received from the receiver.

• Transmitting at most once
  Each message has to be transmitted at most once. The receiver has to block duplicated messages.

• Transmitting precisely once
  Each message has to be transmitted precisely once, otherwise both receiver and sender have to issue an error message. In addition, the sender has to keep retransmitting the message until an Ack is received from the receiver. The receiver has to block duplicated messages.

• Transmitting sequentially
  Messages in a sequence have to be transmitted from where they are created to the receivers to whom they are intended to be delivered, in order. To do this, the sender has to send the messages sequentially with message sequence information embedded in them, and the receiver has to be able to rearrange the messages according to the sequence information embedded in the messages.
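The four requirements above combine into one mechanism: retransmit until Ack, block duplicates, and reorder by embedded sequence number. The following is an added example, not part of the OASIS text or of WS-Reliability or WS-ReliableMessaging; the class names and the deterministic lossy channel are constructed for illustration.

```python
class DeliveryError(Exception):
    """Raised when no Ack arrives within the retry budget."""


class Receiver:
    def __init__(self):
        self.next_seq = 1     # next sequence number owed to the application
        self.buffer = {}      # out-of-order messages held until the gap fills
        self.delivered = []   # payloads handed to the application, in order
        self.duplicates = 0   # retransmissions that were blocked

    def on_message(self, seq, payload):
        # At most once: a sequence number already delivered or buffered is
        # blocked, but still acknowledged so the sender stops retransmitting.
        if seq < self.next_seq or seq in self.buffer:
            self.duplicates += 1
            return seq
        self.buffer[seq] = payload
        # Sequential delivery: release only the contiguous run from next_seq.
        while self.next_seq in self.buffer:
            self.delivered.append(self.buffer.pop(self.next_seq))
            self.next_seq += 1
        return seq


class LossyChannel:
    """Deterministic network: loses the transmissions whose index is listed."""

    def __init__(self, receiver, drop_msgs=(), drop_acks=()):
        self.receiver = receiver
        self.drop_msgs = set(drop_msgs)
        self.drop_acks = set(drop_acks)
        self.count = 0

    def transmit(self, seq, payload):
        index = self.count
        self.count += 1
        if index in self.drop_msgs:
            return None                     # request lost on the way
        ack = self.receiver.on_message(seq, payload)
        if index in self.drop_acks:
            return None                     # Ack lost on the way back
        return ack


class Sender:
    def __init__(self, channel, max_attempts=5):
        self.channel = channel
        self.max_attempts = max_attempts

    def send(self, seq, payload):
        # At least once: retransmit until the matching Ack is received,
        # and issue an error when the retry budget is exhausted.
        for attempt in range(1, self.max_attempts + 1):
            if self.channel.transmit(seq, payload) == seq:
                return attempt
        raise DeliveryError(f"no Ack for message {seq}")


def run_demo():
    receiver = Receiver()
    # Transmission 0 (message 1) is lost; the Ack of transmission 2 is lost.
    channel = LossyChannel(receiver, drop_msgs={0}, drop_acks={2})
    sender = Sender(channel)
    # Constructed wire order: message 3 overtakes message 2.
    wire_order = [(1, "debit"), (3, "commit"), (2, "credit")]
    attempts = {seq: sender.send(seq, body) for seq, body in wire_order}
    return receiver.delivered, receiver.duplicates, attempts


if __name__ == "__main__":
    print(run_demo())
```

The lost Ack is the case that separates the first two requirements: the sender cannot tell it from a lost request, so it retransmits, and only the receiver's duplicate check keeps the delivery at precisely once.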

5.2.2 Transaction Processing Capability

Transaction Processing Capability refers to an ability to process related tasks on a process flow as a single logical unit. The transaction of Web services can be divided into either Short-Term Transaction or Long-Term Transaction.

• Short-Term Transaction
  This is the standard transaction generally applied to the Web services area. The major function of the transaction is to reset to default when a request of the transaction is not processed, or, when a request of the transaction is processed, to apply all the changes resulting from the transaction. This transaction is also called Atomicity transaction and has to satisfy the following 4 ACID (Atomicity, Consistency, Isolation, and Durability) attributes.

    • Atomicity
      If a task succeeds, all its results are applied. If it results in a failure, no changes are applied.
    • Consistency
      After a task is processed, system data in the target system stays error-free.
    • Isolation
      A task result is not shared with other transactions unless it is successfully completed.
    • Durability
      Once a transaction is successfully completed, its results should be permanently applied to a system.

• Long-Term Transaction
  Long-Term Transaction refers to a transaction which requires a long processing time or whose resources cannot be locked exclusively during processing. It is also called Business Activity. Because a Long-Term Transaction consists of some Short-Term Transactions or independent Web services, the Commit or Roll-back mechanism of Short-Term Transaction cannot be used. Therefore, Long-Term Transaction quality is evaluated by the following criteria, not by ACID attributes.

    • Consistency
      Long-Term framework should be able to consistently change the status of participating systems.
    • Context Sharing
      Long-Term framework should be able to share information among participating systems.
    • Compensatory
      Long-Term Transaction framework has to support an independent and alternative flow to compensate for failed transactions. Because Long-Term Transactions consist of some Short-Term transactions or independent Web services, an alternate flow of processing is needed without individual processes being reset to default.

5.2.3 Collaborability

Business Process refers to many Web services collaborating for business purposes. Business Process Collaborative Ability refers to an evaluation index that indicates how suitable the collaboration scheme with Web services is for business processes.

• Orchestration
  Orchestration describes the automated arrangement, coordination, and management of Web services. Orchestration refers to the building and executing of business processes by centrally using existing Web services. Most of the time, it is used to define business process services or complex services that use the existing Web services. It is a layered requester/provider model that integrates many business services into a single participant's view.

    • Independence
      A component should use a protocol which is used only in control or use an original protocol as it was defined.
    • Exception Handling
      An error or unusual situation should be able to be handled during collaboration.
    • Technology Integration
      To improve message reliability, security and transaction, it should be able to be integrated into other technology specifications.

• Choreography
  Choreography describes collaboration protocols of cooperating Web Service participants, in which services act as peers, and interactions may be long-lived and stateful. It refers to Web services working according to a pre-defined business process. The business process is not centrally controlled but managed in a decentralized way; it is processed as chosen messages are exchanged by decentralized Web services in each area. It is the Peer-to-Peer collaboration model of exchanging messages amongst related partners as a part of a bigger business transaction with many participants. It uses Choreography Description Language for Business Process, and the following requirements must be satisfied.

    • Reusability
      It must be reusable for other components in different environments. This is the likelihood that a Web service can be used again to add new functionalities with slight or no modification in a different environment.
    • Collaboration ability
      To support the collaboration among numerous independent components, a series of message exchanges must be defined.
    • Meaning
      A clear description and meaning must be given to all the components.
    • Associability
      The scheme must be able to be associated with other new schemes.
    • Modularity
      The scheme must be able to include a component defined in other schemes, using a format like "import".
    • Information Exchange
      The systems must be able to exchange and synchronize a status as well as share information.
    • Transaction Process Ability
      The systems must be able to process the transaction, such as executing a flow and a compensation process.
    • Exception Handling
      An error or unusual situation should be able to be handled during collaboration.
    • Technology Integration
      A technology should be able to be integrated into other technology specifications in order to improve functionalities of message reliability, security and transaction.

5.3 Relationship to other Standards

• OASIS Web Services Reliable Messaging (WSRM) TC
  WSRM defines a mechanism with standard and interoperability to ensure message transmission among applications or Web services. WS-Reliability 1.1 is approved as OASIS standard.
  URL:

• OASIS Web Services Reliable Exchange (WSRX) TC
  WSRX proposes an improved protocol for exchanging reliable messages among Web services. While WSRM defines only a layer-independent message exchange mechanism, WSRX defines not only a message exchange mechanism but also fields for various uses such as reliable messaging description.
  URL:

• OASIS Web Services Composite Application Framework (WS-CAF) TC
  WS-CAF proposes an open framework for transaction processing and control of many Web services. WS-Context 1.0 is approved as OASIS standard.
  URL:

• OASIS Web Services Transaction (WS-TX) TC
  WS-TX defines a protocol to control the result of decentralized applications. It is similar to WS-CAF. It defines a context sharing framework (WS-Coordination), an atomic transaction framework (WS-AtomicTransaction), and a collaboration framework (WS-BusinessActivity). WS-Coordination, WS-AtomicTransaction, and WS-BusinessActivity 1.1 are approved as OASIS standards.
  URL:

• OASIS Web Services Business Process Execution Language (WSBPEL) TC
  WSBPEL describes a business process activity using Web services and defines the way they are linked to each other. Using Orchestration, business process collaboration is composed. WS-BPEL 2.0 is approved as OASIS standard.
  URL:

• W3C Web Services Choreography Working Group
  This is a language to describe XML-based Web services collaboration as choreography. It is a standard for decentralized business process.
  URL:

6 Manageability Quality

6.1 Definition and Classification

6.1.1 Definition

As Web services proliferate, dependency on or utilization of Web services has also increased. Therefore, maintaining and managing Web services has grown into an important issue. Manageability Quality refers to an index of the ability to consistently manage Web services through a management system with attributes, features, and interface implemented according to Web service management specification. Using this, a user can effectively manage Web services. Manageability covers not only Web services but also the management of resources which are related to Web services.

6.1.2 Classification

Manageability of Web services can be classified into Management Information Offerability, Observability and Controllability. Management Information Offerability refers to the availability of information on Web services' attributes, from a management perspective, which is not changed by environment. Observability describes the availability of information on Web services' status which is changed due to internal cause. Controllability refers to the availability of features to be intentionally changed from outside.

6.2 Sub Quality Factors

6.2.1 Management Information Offerability

Management Information Offerability refers to the availability of Web services' attributes from a management perspective which is not changed by environment. The attribute information is as follows:

• Identification
  Identification is the information which guarantees uniqueness of Web services on management perspective or related resources. Using this, a particular managed object can be identified in the distributed environment. The similarities of two managing objects can be identified.

• Description
  Description is the information describing in detail Web services and their related resources.

• Manageability Characteristics
  Manageability Characteristics is the management information provided by Web services on the management perspective or their related resources. Because Web services provide various management features for each characteristic, a more unified management structure can be built if this information is known in advance.

• Relationship
  Relationship refers to related information between Web services and their related resources. In the grid environment, Web services have relationships with other Web services. Using this related information, the consistent management of Web services becomes possible.

• Management Level
  Management Level is the level of manageability feature provided by Web services. Manageable Level is the level of Web services that can only be managed from the outside by management features. Manageable Level is the level of Web services that is already being managed by an independent manager, by using management features. The current level of management of Web services can be learned from this information.

6.2.2 Observability

Observability is the feature that provides the management information of Web services and their related resources. The management information is classified into State, Operational Status, and Metric Information. They are provided to outside as Request & Response and Publish & Subscribe.

• State
  State is the status of Web services and their related resources. The type of State can be different for each Web service.

• Operational Status
  Operational Status is whether Web services and their related resources work or not.

• Metric Information
  Metric Information is the inside information of Web services and their related resources which has been measured for a period of time. The characteristic of Metric Information is that it constantly changes as time goes. The management information of a Web service and its related resources can be learned with this.

• Message Exchange Pattern
  Message Exchange Pattern is the way in which information like State, Operational Status, and Metric Information is provided to outside. There are Request & Response for outside requests and Publish & Subscribe for notifying, as configured by outside, when the information changes or for a certain period.

6.2.3 Controllability

Controllability is the feature which can change the internal information of Web services and their related resources from outside. The internal information mentioned above includes not only the operation state but also the attributes that can affect the operation state.

• Control
  Control is the availability of operations to directly control Web Services and their related resources or Operational Status. The control operation includes start, pause, and exit of Web services.

• Configuration
  Configuration is the availability of features to change the attribute values that can affect the operation state of Web services and their related resources. Configuration has changeable attributes such as the connection pool of Web services, log level, and the number of connection sessions.

6.3 Relationship to other Standards

• W3C Web Services Architecture Working Group
  It defines the structure of Web services including the state model of Web services and the structure for management. The standardization was completed in January 2004. It consists of Web Services Architecture for defining Web services structure, Web Services Usage Scenarios, and Web Services Management: Services Life Cycle for defining the state model of Web services.
  URL:

• OASIS Web Services Notification (WSN) TC
  WSN is the standard that defines the mechanism of asynchronous message exchange using an event. It was completed in October 2006. It consists of WS-BaseNotification to define the message exchange mechanism of the basic event method, WS-BrokeredNotification to define the asynchronous message exchange mechanism using a broker like MOM, and WS-Topics for exchanging the event information.
  URL:

• OASIS Web Services Resource Framework (WSRF) TC
  WSRF proposes the common framework for managing various resources that exist on networks. It was completed in April 2006. It consists of WS-Resource to define resources, WS-ResourceProperties to define the exchange method of the resources, WS-ResourceLifetime to define the lifecycle of the resources, WS-ServiceGroup to define the way of managing numerous resources as a group, and WS-BaseFaults to define basic faults that can occur during the attributes management process.

  Although WS-Resource MetadataDescriptor is not approved as a standard, it is very important for managing Web services and it is being used in TCs such as WSDM.
  URL:

• OASIS Web Services Distributed Management (WSDM) TC
  WSDM proposes the framework for managing various resources on networks. It consists of MUWS (Management Using Web Services) and MOWS (Management of Web Services).
  URL:

7 Security Quality

7.1 Definition and Classification

7.1.1 Definition

Security Quality is the degree of ability to provide stable and reliable services by protecting the services and messages from unauthorized access, forgery, and destruction when Web services are provided and used.

7.1.2 Classification

The quality factors of the Web services environment consist of Confidentiality, Integrity, Authentication, Access Control, Non-Repudiation, Availability, Audit, and Privacy. These quality factors should be considered on two levels.

• Transport Level Security
  Transport Level Security is security at the transport layer beneath the Web services protocol, SOAP. It is a method using security mechanisms such as SSL, TLS and IPSec that have been used on the HTTP protocol base of the existing web environment. Transport Level Security uses a Point-To-Point model and protects information only in units of an entire object (service/message). In other words, because encryption and digital signature limited to part of a message are not supported and only Non-Persistent Level security is provided in Multi-hop transmission, Message Level Security must be used to overcome these limitations.

• Message Level Security
  Message Level Security is a method which provides the security service using the XML-based SOAP message itself, to provide Confidentiality, Integrity and Access Control of the SOAP message. Message Level Security uses an End-To-End security model, thus it provides Persistent Level Security which contains the context information even when the SOAP message travels through many brokers.

7.2 Sub Quality Factor

7.2.1 Confidentiality

Confidentiality is to prevent unauthorized users from viewing or accessing the services/message. It uses access control and encryption to maintain confidentiality.

• Transport Level Data Confidentiality
  Transport Level Data Confidentiality is the encryption of entire messages, using the encryption features provided by the TLS or IPSec protocol to ensure confidentiality of data when sending and receiving the data between the transport channels.

• Message Level Data Confidentiality
  To ensure Confidentiality of the SOAP message, Message Level Data Confidentiality is provided by an encryption process (e.g. S/MIME, PGP MIME) for the attachment or by using XML-Encryption and WS-Security. In particular, XML-Encryption can encrypt part of the message, thus the Confidentiality of the service on transport level can be improved.

7.2.2 Integrity

Integrity is to protect the service/message from unauthorized modification, deletion and creation. It uses access control and briefing message.

• Transport Level Data Integrity
  Transport Level Data Integrity is a feature such as the packet comparison and digest provided by IPSEC or TLS to provide data integrity when sending and receiving data between transport channels.

• Message Level Data Integrity
  Message Level Data Integrity is for data integrity at the SOAP message level. It can be guaranteed by XML-Signature or WS-Security. Also, XKMS can be used to manage the digital signature for data integrity.
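The difference between the two levels shows when a SOAP message crosses a broker: protection bound to the Body survives the hop and still detects a change. The following is an added example, not part of the OASIS text; it uses an HMAC over the canonicalized Body as a simplified stand-in for XML-Signature, and the header namespace, element names, key and envelope are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DEMO_NS = "urn:example:demo-integrity"   # hypothetical header namespace
BANK_NS = "urn:example:bank"             # hypothetical payload namespace
KEY = b"constructed-demo-key"            # stand-in for real key management (XKMS)

# Constructed sample envelope.
ENVELOPE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
    "<soap:Header/>"
    f'<soap:Body><transfer xmlns="{BANK_NS}">'
    "<to>ACC-2</to><amount>100</amount>"
    "</transfer></soap:Body>"
    "</soap:Envelope>"
)


def body_mac(envelope, key):
    # Protect only the Body, in canonical form, so that re-serialization or
    # added headers at an intermediary do not change the protected bytes.
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    canonical = ET.canonicalize(ET.tostring(body, encoding="unicode"),
                                rewrite_prefixes=True)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sign(envelope_xml, key):
    envelope = ET.fromstring(envelope_xml)
    header = envelope.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        envelope.insert(0, header)
    ET.SubElement(header, f"{{{DEMO_NS}}}BodyMac").text = body_mac(envelope, key)
    return ET.tostring(envelope, encoding="unicode")


def verify(envelope_xml, key):
    envelope = ET.fromstring(envelope_xml)
    mac = envelope.find(f"{{{SOAP_NS}}}Header/{{{DEMO_NS}}}BodyMac")
    if mac is None or not mac.text:
        return False                      # unprotected message: reject
    expected = body_mac(envelope, key)
    return hmac.compare_digest(mac.text.strip().encode("utf-8"),
                               expected.encode("utf-8"))


def broker_add_route(envelope_xml):
    # A legitimate intermediary: terminates its own transport session,
    # adds a routing header and forwards the message on a new session.
    envelope = ET.fromstring(envelope_xml)
    header = envelope.find(f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{DEMO_NS}}}Via").text = "broker-1.example"
    return ET.tostring(envelope, encoding="unicode")


def broker_modify_body(envelope_xml):
    # An intermediary that alters the payload between two transport hops.
    envelope = ET.fromstring(envelope_xml)
    envelope.find(f".//{{{BANK_NS}}}amount").text = "9999"
    return ET.tostring(envelope, encoding="unicode")


if __name__ == "__main__":
    signed = sign(ENVELOPE, KEY)
    print("after routing hop:", verify(broker_add_route(signed), KEY))
    print("after body change:", verify(broker_modify_body(signed), KEY))
```

Each hop in this example could run over TLS and the altered Body would still reach the receiver, because transport protection ends at the broker; only the check bound to the message itself detects it.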

7.2.3 Authentication

Authentication is to verify an object that can be trusted for the transmission. It uses ID/PW, certificate, and SSL.

• Transport Level User Authentication
  Authentication on the transport channel of the message transport layer can be bi-directional. For example, secure network protocols such as TLS [RFC2246] or IPSEC [RFC2402] use this method to authenticate a destination in a TCP/IP environment. It can be built using the digital signature. The authentication document can be used through a public/private certificate institution.

• Message Level Data Authentication
  Message Level Data Authentication verifies the user authentication using the XML digital signature standard of W3C on the SOAP Header, Body, and its payload. Unlike the existing digital signature, the XML digital signature can selectively execute on a particular part of the XML document. When using the digital signature, Authentication, Data Integrity, and Non-Repudiation of the security services can be provided. For user authentication, XML-Signature and SAML mentioned above can be used, and XKMS should be applied for managing the digital signature key.

7.2.4 Access Control

Access Control is the control over access to a service/message according to each actor's rights. It is used to support Confidentiality and Integrity. It uses various policies, access control models, and security levels as means of support.

• Transport Level Access Control
  Transport Level Access Control is for access control on the resources of users of the transport channel. It is built using the TLS or IPSEC protocol.

• Message Level Access Control
  Message Level Access Control is to execute Access Control over the resources using the information enclosed in the SOAP message. It is built using SAML and XACML. In fact, the access right defined in XACML can be encapsulated in SAML and then sent. Using this, the access right over the actual resources is controlled.

7.2.5 Non-Repudiation

Non-Repudiation is to prevent receiver and sender from denying that they sent and received the messages. It uses the digital signature.

• Message Level Non-Repudiation
  Non-Repudiation can be built using XML-Signature and WS-Security. XKMS is used to manage the digital signature for Non-Repudiation on the transport level.

7.2.6 Availability

Availability is to allow only authorized personnel to access the service/message and to protect the service from unauthorized access attempts. It uses service access blocking, control and detection.

• Transport Level Availability
  Transport Level Availability is to prevent DOS (Denial of Services) from attacking the resources so that the resources become unavailable. It is built by surveilling the packets from Firewall, IDS, IPS on the transport level.

• Message Level Availability
  Message Level Availability is to respond to XML DOS on XML messages. It is to provide the availability of Web services. It is built by filtering the message on the application level using SOAP and firewall.

7.2.7 Traceability

Traceability is the capability to log activities of unauthorized access and events between the offering and use of Web services. It is used as information against security vulnerabilities or security attacks during security audit.

• Transport Level Audit
  Transport Level Audit is to audit the send/receive log when creating or deleting the session at the transport level. It is necessary to pre-define the content which is being audited for the logging policy.

• Message Level Audit Trace
  Message Level Audit Trace leaves the log of request/response message and audits

7.2.8 Privacy

Privacy is the protection of information between Web services user and provider. It uses the related policies.

• To protect Privacy of use, there are standards such as WS-Security, XACML, and SAML for data confidentiality and Access Control. There are WS-SecurityPolicy, WS-Trust, WS-Privacy for the description of the Web services security roadmap to deliver and reflect the privacy policy. If the privacy policy is described in WS-Policy under the WS-Security scheme, using WS-Privacy, the service is executed after confirming the policy described by WS-Trust of the service that receives the messages.

7.2.9 Distributed Authorization

Distributed Authorization is the security feature required to use many Web services of various platforms with a single login. Distributed Authorization can be executed through the security token issued by a trusted institution. It uses specifications such as SAML, MS Passport, Liberty Alliance.

7.3 Relationship to other Standards

• W3C XML Signature: XML digital signature standard
  URL:
• W3C XML Encryption: XML encryption standard
  URL:
• W3C XKMS (XML Key Management Specification): Key management service standard which makes the integration between PKI and XML applications easy.
  URL:
• OASIS WS-Security (Web Services Security: SOAP Message Security): The standard to provide the authentication, integrity, non-repudiation, and confidentiality of SOAP.
  URL:
• MS, VeriSign, IBM WS-SecurityPolicy (Web Services Policy): The standard to provide the security policy applied on WS-Security.
  URL:
• OASIS SAML (Security Assertion Markup Language): The standard to reliably exchange the authentication and approval information based on XML.
  URL:
• OASIS XACML (eXtensible Access Control Markup Language): The access control standard that consists of an XML-based policy language and an access control decision request/response language.
  URL:
• MS, VeriSign, BEA, IBM WS-Trust (Web Services Trust Language): The standard about issuing and exchanging the security token and configuring trust relationships in various trust domains.
  URL:
• MS, VeriSign, BEA, IBM WS-Federation (Web Services Federation Language): The mechanism definition to mediate user identification, attributes, and authentication among Web services applications that belong to different security domains.
  URL:

8 Appendix
Security technology and security Profile

1. The mapping of Security Factors and its related technology

The following table shows the relationship among Web services and the existing security technology to satisfy the security features for each security factor. To satisfy the security factors, the technologies shown below must be applied.

| Security Factor | The Related Technologies |
|---|---|
| Transport Level Data Confidentiality | TLS, SSL, IPSec |
| Transport Level Data Integrity | TLS, SSL, IPSec |
| Transport Level User Authentication | TLS, SSL, IPSec |
| Transport Level User Access Control | TLS, SSL, IPSec |
| Transport Level Accessibility | Firewall, IDS, IPS |
| Transport Level Audit Trace | Logging, Audit & Log Policy |
| Message Level Data Confidentiality | XML-Encryption, WS-Security, XKMS |
| Message Level Data Integrity | XML-Signature, WS-Security, XKMS |
| Message Level User Authentication | XML-Signature, WS-Security, XKMS, SAML |
| Message Level Non-Repudiation | XML-Signature, WS-Security, XKMS |
| Message Level Audit Trace | Logging, Audit & Log Policy |
| Message Level Access Control | SAML, XACML |
| Message Level Accessibility | SOAP Firewall |
| Single Sign on | SAML, Liberty Alliance, .NET Passport, WS-Federation |
| Message Level Privacy | WS-Policy, WS-Trust, WS-Privacy |


The related technologies for each Web services security factor.

2. Security Profile

In Web services security, several sub quality factors can be used together, depending on the characteristics of the services. This standard defines a group of sub quality factors used together as a Web services security profile (WS-SProfile). This profile is used to configure the security level with Web services partners and it is described in the BLA (Business Level Agreement). Given the number of security sub quality factors, Web services security profiles can be defined in various ways. This standard defines only 4 profiles that are predicted to be used most at this point. This can be improved later.

• WS-SProfile 0
Using the transport level security mechanism, the authentication, message integrity, message confidentiality, and access control services are provided. The accessibility is guaranteed by stopping DOS attack on the transport level.

TLS and IPSec are the protocols suitable for WS-SProfile 0. TLS provides user authentication, message integrity, confidentiality and access control by supporting the record protocol, handshake protocol, public key based create/process, and authentication mode between two communicating applications. IPSec is the open framework to provide the security protocol based on IP layer for reliable communication between each end. It provides the security features to fix the vulnerability within IP. Authentication Protocol (AH), Encryption protocol (ESP), Security alliance/support Database (SAD, SPD), and the key management mechanism are the main security features of IPSec. Using this, authentication, message integrity, message confidentiality, and access control services are provided.

• WS-SProfile 1
WS-SProfile 1 provides authentication, message integrity, non-repudiation, and confidentiality by implementing the digital signature and encryption on the message level. In some cases, the security mechanisms such as message integrity and access control that are provided on the transport level can be used, but this is not mandated.

The main security standard of WS-SProfile 1, WS-Security, is the major message security technology and the core of Web services security; it extends the authentication, integrity, non-repudiation, and confidentiality that are based on SOAP. In 2004, it became a standard in OASIS.

WS-SProfile 1 supports various security tokens to exchange the information and extend XML digital signature and XML password. To prevent Replay Attack, it supports Time-stamp related features. In addition, it provides actual authentication, message integrity, non-repudiation and confidentiality on the message level by including safe End-to-End transmission of a SOAP message which is delivered via several brokers.

• WS-SProfile 2
Using the access control mechanism on the message level, it provides Access Control services. To ensure Accessibility, it uses SOAP Firewall against XML DOS attack. It includes WS-SProfile 1.

SOAP Firewall differs from the existing firewalls. It is the firewall that filters SOAP messages and provides the access control based on the filtering. Therefore, SOAP Firewall must be able to receive the SOAP message and decrypt it as it is being delivered to a destination URL.

• WS-SProfile 3
WS-SProfile 3 includes the security components of WS-SProfile 2 and it provides a Single Sign-On mechanism using the security token.

The mechanism which can provide Single Sign-On is the security information exchange technology that exchanges user authentication, approval and attribute information. SAML, Liberty Alliance, .Net Passport, and WS-Federation are the key technologies of the security information exchange technology. SAML and Liberty Alliance are working on the authentication information exchange technology called Assertion based on XML. .Net Passport provides the Single Sign-On feature through the centralized authentication. WS-Federation provides Single Sign-On by managing Federated ID with ID (Identity) linked.

• WS-SProfile 4
WS-SProfile 4 includes the security components of WS-SProfile 3 and it provides a personal privacy protection mechanism.

WS-Privacy is the major description of the personal privacy protection mechanism. It describes a description model for the privacy execution statements of the services provider and consumer. In addition, WS-Privacy can be a foundation for building stable Web services that can interact between new partners with WS-SecurityPolicy and WS-Trust, which are based on WS-Security. For your information, WS-Policy is the Web services policy technology to express and deliver the policies of security, trust, transaction, and privacy. WS-Trust is a model to provide the interface for examining issue/exchange/validity of the security token of security token services.
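The Time-stamp based replay protection mentioned for WS-SProfile 1 can be enforced on the receiving side as sketched below. This is an added example, not part of the specification: `ReplayGuard`, `parse_utc`, `sample_envelope`, the one-minute skew and the use of the signature value as cache key are assumptions, and the check presumes the XML Signature covering the timestamp has already been verified.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml
from datetime import datetime, timedelta

NS = {  # namespaces of SOAP 1.1, WS-Security 1.0 (2004) and XML Signature
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SEC = "soap:Header/wsse:Security/"
MAX_SKEW = timedelta(minutes=1)  # assumed local policy, not a value from the specification

def parse_utc(text):
    """Parse an xsd:dateTime such as 2007-10-31T12:00:00Z."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

class ReplayGuard:
    """Hypothetical receiver-side check; signature verification must already have passed."""
    def __init__(self):
        self._seen = {}  # SignatureValue -> Expires of messages already accepted

    def check(self, envelope_xml, now):
        try:
            root = ET.fromstring(envelope_xml)
            ts = root.find(SEC + "wsu:Timestamp", NS)
            created = parse_utc(ts.findtext("wsu:Created", namespaces=NS))
            expires = parse_utc(ts.findtext("wsu:Expires", namespaces=NS))
        except (ET.ParseError, AttributeError, ValueError):
            return "reject: missing or malformed wsu:Timestamp"
        if created.tzinfo is None or expires.tzinfo is None:
            return "reject: timestamp without time zone"
        if created > now + MAX_SKEW:
            return "reject: Created is in the future"
        if now >= expires:
            return "reject: expired"
        sig = root.findtext(SEC + "ds:Signature/ds:SignatureValue", namespaces=NS)
        if not sig:
            return "reject: unsigned message"
        self._seen = {k: e for k, e in self._seen.items() if e > now}  # drop expired entries
        if sig in self._seen:
            return "reject: replay"
        self._seen[sig] = expires
        return "accept"

def sample_envelope(created, expires, sig="Q09OU1RSVUNURUQ="):
    """Constructed test message; the signature value is a placeholder, not a real signature."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (f"<soap:Envelope {xmlns}><soap:Header><wsse:Security><wsu:Timestamp>"
            f"<wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires>"
            f"</wsu:Timestamp><ds:Signature><ds:SignatureValue>{sig}</ds:SignatureValue>"
            f"</ds:Signature></wsse:Security></soap:Header><soap:Body/></soap:Envelope>")
```

Because every message is rejected once its `wsu:Expires` has passed, the cache only has to remember signature values until that instant, which keeps its size bounded.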

The table below shows the security component relationship within the security quality profile of Web services. (Op) means optional.

Columns: Security Factor, SP 0, SP 1, SP 2, SP 3, SP 4
Transport Level Data Confidentiality: (Op) (Op) (Op) (Op)
Transport Level Data Integrity: (Op) (Op) (Op) (Op)
Transport Level User Authentication: (Op) (Op) (Op) (Op)
Transport Level User Access Control: (Op) (Op) (Op) (Op)
Transport Level Accessibility: (Op) (Op) (Op) (Op)
Transport Level Audit Trace: (Op) (Op) (Op) (Op)
Message Level Data Confidentiality
Message Level Data Integrity
Message Level User Authentication
Message Level Non-Repudiation
Message Level Audit Trace
Message Level Access Control
Message Level Accessibility
Single Sign on
Message Level Privacy


The security component relationship within the security quality profile of Web services.

A. Acknowledgements

The following individuals have participated in the creation of this specification and are gratefully acknowledged:
Participants:
  [Participant Name, Affiliation | Individual Member]
  [Participant Name, Affiliation | Individual Member]

B. Non-Normative Text

C. Revision History

[optional; should not be included in OASIS Standards]

| Revision | Date | Editor | Changes Made |
|---|---|---|---|
| [Rev number] | [Rev Date] | [Modified By] | [Summary of Changes] |


103wsqm-ws_quality_factor-cd-v1.0-r04 28 December31 October 2007 104Copyright © OASIS Open 2007. All Rights Reserved. Page 35 of 35
