A joint announcement from Microsoft, IBM, and VeriSign describes the (re-)publication of a Web services security specification "to help organizations build secure, broadly interoperable Web services applications. The three companies jointly developed the new specification, known as WS-Security, and plan to submit it to a standards body. WS-Security defines a standard set of Simple Object Access Protocol (SOAP) extensions, or message headers, that can be used to implement integrity and confidentiality in Web services applications." The WS-Security specification is positioned as "the foundation for a broader road map and additional set of proposed Web services security capabilities outlined by IBM and Microsoft to tackle the growing need for consistent support of more secure Web services. The proposed road map is documented in Security in a Web Services World, which outlines additional Web services security specifications the companies plan to develop along with key customers, industry partners, and standards organizations." The other specifications include WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation, and WS-Authorization. The modular approach outlined in the proposal is said to be "necessary for Web services security because of the variety of systems that make up today's IT environments; as the use of Web services increases among collaborating organizations using different security approaches, the proposed security and trust model provides a flexible framework in which organizations can interconnect in a trusted way."
From the WS-Security Brief: "WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies. WS-Security also provides a general-purpose mechanism for associating security tokens with messages. However, no specific type of security token is required by WS-Security. It is designed to be extensible (that is, support multiple security token formats). For example, a client might provide proof of identity and proof that they have a particular business certification. Additionally, WS-Security describes how to encode binary security tokens. Specifically, the specification describes how to encode X.509 certificates and Kerberos tickets as well as how to include opaque encrypted keys. It also includes extensibility mechanisms that can be used to further describe the characteristics of the credentials that are included with a message."
WS Specifications:
Initial Specifications
- WS-Security: describes how to attach signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages.
- WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g., required security tokens, supported encryption algorithms, privacy rules).
- WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate.
- WS-Privacy: will describe a model for how Web services and requesters state privacy preferences and organizational privacy practice statements.
Follow-On Specifications
- WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys.
- WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities.
- WS-Authorization: will describe how to manage authorization data and authorization policies.
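The integrity and security-token mechanisms described in the WS-Security brief and in the WS-Security entry above, as an added Python example that is neither the page's code nor the specification authors': it builds a SOAP envelope whose Security header carries a base64-encoded BinarySecurityToken and an HMAC-SHA1 XML Signature over the Body, then verifies both on receipt. Apart from the namespace quoted on the page, the element and attribute names follow my reading of the 2002/04 draft; the key, token bytes and payload are constructed.

```python
# Added example, not code from the page or from the WS-Security authors: a SOAP message whose
# wsse:Security header carries a base64 BinarySecurityToken and an HMAC-SHA1 XML Signature over
# the Body, plus the receiver-side check. Assumed: element/attribute names (Security, BinarySecurityToken,
# ValueType, EncodingType, wsse:Id) follow my reading of the 2002/04 draft; KEY, TOKEN_DER are constructed.
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"  # namespace cited on the page
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("S", SOAP), ("wsse", WSSE), ("ds", DS)):
    ET.register_namespace(prefix, uri)
KEY = b"constructed-shared-secret"           # stands in for a negotiated symmetric key
TOKEN_DER = b"\x30\x82\x01\x00placeholder"   # stands in for a DER-encoded X.509 cert

def c14n(elem):  # XML-DSig signs canonical bytes; stdlib C14N 2.0 stands in for exclusive C14N
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()

def b64(raw):
    return base64.b64encode(raw).decode()

def build_signed_envelope(payload_xml, key=KEY):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")  # SOAP Header precedes Body
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSSE}}}Id": "body"})
    body.append(ET.fromstring(payload_xml))
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken", ValueType="wsse:X509v3", EncodingType="wsse:Base64Binary")
    tok.text = b64(TOKEN_DER)                        # binary credential carried as text
    sig = ET.SubElement(sec, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm=f"{DS}hmac-sha1")
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#body")  # resolves to wsse:Id="body"
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=f"{DS}sha1")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64(hashlib.sha1(c14n(body)).digest())
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = b64(hmac.new(key, c14n(si), hashlib.sha1).digest())
    return ET.tostring(env, encoding="unicode")

def verify_envelope(xml_text, key=KEY):  # True only if the HMAC and the Body digest both match
    env = ET.fromstring(xml_text)
    sig = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo")
    expected = b64(hmac.new(key, c14n(si), hashlib.sha1).digest())
    if not hmac.compare_digest(expected, sig.findtext(f"{{{DS}}}SignatureValue") or ""):
        return False                                 # SignedInfo forged or wrong key
    ref = si.find(f"{{{DS}}}Reference")
    target = next((e for e in env.iter() if e.get(f"{{{WSSE}}}Id") == ref.get("URI").lstrip("#")), None)
    return target is not None and hmac.compare_digest(b64(hashlib.sha1(c14n(target)).digest()), ref.findtext(f"{{{DS}}}DigestValue") or "")
```

A real deployment would replace the shared-secret HMAC with an RSA signature keyed by the certificate in the BinarySecurityToken and use an XML-DSig library's canonicalization.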
From the Roadmap: The document "defines a comprehensive Web service security model that supports, integrates and unifies several popular security models, mechanisms, and technologies (including both symmetric and public key technologies) in a way that enables a variety of systems to securely interoperate in a platform- and language-neutral manner... In this document we present a broad set of specifications that cover security technologies including authentication, authorization, privacy, trust, integrity, confidentiality, secure communications channels, federation, delegation and auditing across a wide spectrum of application and business topologies. These specifications provide a framework that is extensible, flexible, and maximizes existing investments in security infrastructure. These specifications subsume and expand upon the ideas expressed in similar specifications previously proposed by IBM and Microsoft (namely the SOAP-Security, WS-Security and WS-License specifications)... By leveraging the natural extensibility that is at the core of the Web services model, the specifications build upon foundational technologies such as SOAP, WSDL, XML Digital Signatures, XML Encryption and SSL/TLS. This allows Web service providers and requesters to develop solutions that meet the individual security requirements of their applications... document outlines a comprehensive, modular solution that, when implemented, will allow customers to build interoperable and secure Web services that leverage and expand upon existing investments in security infrastructure while allowing them to take full advantage of the integration and interoperability benefits Web service technologies have to offer... We anticipate concerns about what can be done to ensure interoperability and consistent implementation of the various proposed specifications. To address this, IBM and Microsoft will work closely with standards organizations, the developer community, and with industry organizations such as WS-I.org to develop interoperability profiles and tests that will provide guidance to tool vendors..."
October 23, 2001 version: A related announcement was made in October 2001, as presented in the news item "Microsoft Releases New XML Web Services Specifications for a Global XML Web Services Architecture." Specifications referenced then included: (1) WS-Security; (2) WS-Routing; (3) WS-Referral; (4) WS-License. From the description: "This Global XML Web Services Architecture provides a set of principles and guidelines for advancing the protocols and file formats of today's XML Web services to more complex and sophisticated tasks. The four specifications build on XML Web services technologies such as XML, SOAP, WSDL, and UDDI specifications, extending them for global-class computing. The new specifications adhere to the road map outlined by Microsoft and IBM Corp. at the W3C Web Services Workshop in April 2001 and represent a first step toward a comprehensive Global XML Web Services Architecture. (1) WS-Security outlines how to use the W3C specifications XML Signature and XML Encryption; (2) WS-License, along with WS-Security, outlines how existing digital credentials and their associated trust semantics can be securely associated with SOAP messages; (3) WS-Routing describes how to place message addresses in the SOAP message header and enables SOAP messages to travel serially to multiple destinations along a message path [formerly SOAP-RP]; (4) WS-Referral enables the routing between SOAP nodes on a message path to be dynamically configured. As with previous XML Web services specifications, these four will be available for a review period and then submitted to appropriate standards bodies."
Principal references:
- Announcement 2002-04-11: "IBM, Microsoft and VeriSign Announce New Security Specification to Advance Web Services. WS-Security Specification is the Cornerstone to Building Secure Web Services. Companies Will Jointly Submit Specification for Standardization." (source: Microsoft)
- "Web Services Security (WS-Security)." Version 1.0. April 5, 2002. 29 pages. PDF format. This version of WS-Security was published as a public specification on 11-April-2002; "this is the first joint IBM/Microsoft publication of the specification." The previous version was from Microsoft alone; the joint version is also available from Microsoft and IBM. Authors: Bob Atkinson (Microsoft), Giovanni Della-Libera (Microsoft), Satoshi Hada (IBM), Maryann Hondo (IBM), Phillip Hallam-Baker (VeriSign), Chris Kaler (Editor; Microsoft), Johannes Klein (Microsoft), Brian LaMacchia (Microsoft), Paul Leach (Microsoft), John Manferdelli (Microsoft), Hiroshi Maruyama (IBM), Anthony Nadalin (IBM), Nataraj Nagaratnam (IBM), Hemma Prafullchandra (VeriSign), John Shewchuk (Microsoft), Dan Simon (Microsoft).
- WS-Security XML Schema. Namespace: xmlns="http://schemas.xmlsoap.org/ws/2002/04/secext" (cached copy, 2002-04-11).
- "Security in a Web Services World: A Proposed Architecture and Roadmap." Joint White Paper from IBM Corporation and Microsoft Corporation. Version 1.0. April 7, 2002. Also available from IBM and VeriSign.
Relevant websites:
- "Microsoft Releases New XML Web Services Specifications for a Global XML Web Services Architecture." Announcement 2001-10-23.
- "Web Services Security Specification (WS-Security)" - Main reference page.