The lack of intrinsic and user control in the identity management of today's Internet security hampers research in the areas of the Semantic Web and service-oriented architectures. Semantic Web research seeks to develop expert Web services that are compositions of specialized Web services from multiple organizations. To unleash these emergent Web services, we propose an open security framework based on the concept of personal identity management. Despite the resistance from today's Internet security, which is dominated by domain-centric identity management, we believe that when all the alternatives are exhausted, the industry will come to the conclusion that the concept of personal identity management is the only approach that provides true user-centric identity management and gives users control over the management of their identities.
The service-oriented architecture (SOA) framework features reusability, loose coupling, abstraction, and discoverability. These features are essential for model-driven engineering and provide a strong foundation for Semantic Web services; SOA is a design philosophy that pushes the boundaries of traditional design to offer high-quality Web services. Services have the intelligence to trigger a chain of events and to collaborate with other services. In the SOA paradigm, a Web service can be a composition of multiple services located across multiple networks, each with different security settings and authentication requirements. Some services are composed dynamically on the fly, based on the availability and the accessibility of services within the composition framework (Cotroneo, Graziano, & Russo, 2004). Moreover, services can use different authentication systems that require user identities other than that of the user who invokes the composite service. Consider a company providing a risk assessment service to companies in the transportation business. To assess the risk, this expert service needs the driving and health records of the employees, as well as vehicle maintenance reports, accident reports, and so forth from a number of outsourcing companies. The risk service needs to collaborate with many services, and access to these services may require different sets of user credentials. However, the current Internet security infrastructure cannot support such context-rich Web services. Currently, there is no mechanism for a risk assessment service to access employees' personal information. The employees must retrieve their records from the healthcare and driver's license services and make the records available to the risk assessment service. Outsourcing companies must do the same for their accident and maintenance reports. The procedure is costly, and at best, companies can conduct their risk assessment once a year.
This short scenario demonstrates the need for a new design of the Internet security framework, one capable of allowing services to collaborate with each other while strengthening the protection of privacy. The risk assessment service is the type of service that future Internet users expect from Internet technology and is a typical expert service that can improve the quality of Web services.
Traditional Internet security is designed for standalone systems. Over recent years, the growing number of online services has changed the requirements of Internet security and forced the industry to develop new security infrastructures in response. In the context of a federation, single sign-on (SSO) was developed to allow users to access multiple services using a single login. However, the SSO framework relies on user interaction to perform the authentication and on user vigilance to make sure that the Web sites they access and the authenticating sites are legitimate. Unlike Web applications, Web services act on behalf of a user. The SOA must lay out the whole security framework and ensure that all services are secured, and security policies must be in place to allow services to collaborate safely with each other. Since access to the services within a composition requires different sets of credentials, an SOA security framework must be able to obtain user consent dynamically at runtime.
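The runtime consent requirement described above can be made concrete with a small model. The following is an added example, not code from the chapter or from any framework it cites: a composite service (the risk assessment service of the scenario) is given a list of constituent services, each demanding a credential of a particular scope, and before each call it checks an in-memory record of consents that the affected user granted to this specific composite. Every service name, scope, user and consent here is constructed for illustration; the point is that a consent is bound to a subject, an audience and a scope, and that a missing consent blocks the call rather than letting the composition proceed on the invoker's identity alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Consent:
    """A user's runtime grant: 'subject' allows 'audience' to use a
    credential of 'scope' on the subject's behalf (constructed model)."""
    subject: str
    audience: str
    scope: str


@dataclass(frozen=True)
class ConstituentService:
    """One service inside the composition and the credential scope it demands."""
    name: str
    required_scope: str


class ConsentStore:
    """In-memory record of consents obtained dynamically at runtime
    (a hypothetical store, not any real product's API)."""

    def __init__(self):
        self._grants = set()

    def grant(self, subject, audience, scope):
        self._grants.add(Consent(subject, audience, scope))

    def revoke(self, subject, audience, scope):
        self._grants.discard(Consent(subject, audience, scope))

    def allows(self, subject, audience, scope):
        # Exact match on all three fields: a consent given to a different
        # audience or for a different scope does not carry over.
        return Consent(subject, audience, scope) in self._grants


def plan_composition(composite, constituents, subjects, store):
    """Decide, per (service, subject) pair, whether the composite may call the
    constituent with that subject's credential. Fails closed: no recorded
    consent for this composite and scope means no call. Returns two sorted
    lists of (service name, subject) pairs: allowed and blocked."""
    allowed, blocked = [], []
    for svc in constituents:
        for subject in subjects:
            ok = store.allows(subject, composite, svc.required_scope)
            (allowed if ok else blocked).append((svc.name, subject))
    return sorted(allowed), sorted(blocked)


def demo():
    """Constructed scenario mirroring the chapter's risk assessment service."""
    composite = "risk-assessment"
    constituents = [
        ConstituentService("driver-license-service", "driving-record"),
        ConstituentService("healthcare-service", "health-record"),
    ]
    subjects = ["alice", "bob"]
    store = ConsentStore()
    store.grant("alice", composite, "driving-record")
    store.grant("alice", composite, "health-record")
    store.grant("bob", composite, "driving-record")
    # bob shared his health record with a different audience only, so the
    # risk assessment composite must not reuse that consent.
    store.grant("bob", "insurance-quote", "health-record")
    return plan_composition(composite, constituents, subjects, store)


if __name__ == "__main__":
    allowed, blocked = demo()
    for svc, subject in allowed:
        print(f"call {svc} with {subject}'s credential")
    for svc, subject in blocked:
        print(f"blocked: {svc} for {subject} (no consent to risk-assessment)")
```

Running the block shows three permitted calls and one blocked call: bob's health record stays off limits to the risk assessment service because his consent names a different audience. Revoking a consent takes effect on the next planning pass, which is the behaviour a runtime consent mechanism needs so that a user can withdraw access between compositions.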