Talk:SOA security

Indeed, this does sound like advertising. Moreover, it conceals (or trivializes) the problem. SOA has widely been attacked for trading fancy scenarios for security. In fact, one of the sources of the problem is that the protocols mentioned in the text (e.g. SAML) were primarily designed for interactions between an Identity Provider, the user's browser and a service provider. Federation via a middle man (SOA orchestration) seems too much of a security challenge. I have done some research to this end for a large company and would consider clearing up this article so it is more realistic. Someone could join me to help (or discuss). In my (I believe unbiased) opinion, the mere existence of protocols (SAML, WS-Trust, etc.) does not seem to even hint at an acceptable SOA security solution. The user needs guarantees of non-repudiation between his trusted client (e.g. a browser) and the service provider, with service orchestration in between! This is brokering trust, my friends; and a paradise for hackers!

Willing to help
I'm currently working on a master's thesis concerning SOA Security. However, some discussion will be necessary to prevent this article from being "too scientific". Are there more people willing to help? Jamiefiere 14:12, 30 May 2007 (UTC)