OVF and SOA

I was perusing the Open Virtual Machine Format Specification and I was a bit surprised to see that they reference SOA in the third paragraph of the executive summary of the OVF Whitepaper.

"Whereas current virtual appliances contain a single VM only, modern enterprise applications model service oriented architectures (SOA) with multiple tiers..."

One of the benefits of OVF is that it can represent and package multiple virtual machines in a single package, which is great for modern, multi-tier distributed applications. If enough vendors jump on board this might help simplify what I see as one of the great barriers to SOA adoption: The huge crowded and confused market of non-interoperable SOA products from large vendors (including open-source). My favorite example of this is the proliferation of SOA suites. For example Sun JCAPS requires 13 components for installation. Is this all necessary?

Anyhow, one other thing I noticed about OVF is that it doesn't use W3C XML Digital Signature for its integrity checking scheme, but instead packages the signature and public key in a file in Base-64 encoded format (as a side note, I hope the reference to SHA1 on line 264 is a typo, it should really be a signature algorithm, e.g. RSA-SHA1), otherwise they'll have a tough time verifying it. I don't think this is necessarily a bad thing to not use W3C XML Digital Signature, but it does seem a bit inconsistent given that OVF is an XML-based specification.

Perhaps they are worried about the notorious poor performance for XML Signature processing on standard (un-accelerated) software offerings? Even in this case, if OVF went with XML Signature, the performance impact should still be minimal because the signature is over a list of 20 byte hashes, not an entire virtual machine instance, and even if it were, it wouldn't be an XML representation so there should be no canonicalization applied to it. In fact, XML Signature can replace the .mf, .ovf, AND .cert files. XML Signature already models the signature targets as a list of hashes and has a mechanism for including an X.509 certificate. Again, simplicity rules - why use three non-standard files when you can use 1 file that is an approved W3C standard?

As a side note, Intel's SOA Expressway Product solves the performance issues with XML Security processing with special Intel Multi-Core optimized software that is simply ideal for this type of virtual appliance model. I think OVF and software appliances might be a real boon to solving the SOA complexity problem.

Blake

Posted by Blake Dournaee on 11:01 AM

2 comments:

digital signature Microsoft said...

You are right that One of the benefits of OVF is that it can represent and package multiple virtual machines in a single package, which is great for modern, multi-tier distributed applications and that it doesn't use W3C XML Digital Signature for its integrity checking scheme.Good work keep it up.

Jeannine said...

This cannot work in fact, that is what I consider.

Followers

About Me

My photo
I have been working in the XML/SOA and security space for about 10 years. I currently work at Intel Corporation in their software group. I wrote the first book on XML Security and am a co-author of SOA Demystified from Intel Press. My interests are an eclectic mix of computing, security, business, technology and philosophy