Q

Are there other projects for Web services security in the works besides WS-Security?

There is quite a bit of activity beyond WS-Security. Two Web services security specifications that have been recently released (version 1.0 with work continuing on their next version) are:
  • SAML: defines authentication, attribute and authorization assertions and is used as one of the tokens in WS-Security. It also has additional profiles, which define how to use it with HTTP and browsers.
  • XACML: an XML-based protocol for authorization. This defines a way to define access control down to the element level in an XML document. It is extensible by means of XSLT to other security protocols. One transform in the specification can be used to integrate XACML with SAML authorization assertions.
In April of last year IBM and Microsoft released a roadmap for Web security specifications, which you can find at the IBM or Microsoft web site. This roadmap lists a hierarchy of protocols to support Web services security, of which WS-Security is the base. Work is ongoing on these specifications, and it is anticipated that they will be sent to one of the standards consortia for independent release as a standard in due course. Three of the protocols on which some initial work has been completed are (I'm using the descriptions from the Roadmap):
  • WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules).
  • WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate.
  • WS-Privacy: will describe a model for how Web services and requesters state subject privacy preferences and organizational privacy practice statements.
Another three protocols from the same roadmap, which are somewhat further out, are:
  • WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys.
  • WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities.
  • WS-Authorization: will describe how to manage authorization data and authorization policies.
These higher-level protocols will be needed as Web services extend to more complex scenarios and general interaction over the Internet.
This was first published in July 2003
