OASIS has announced the formation of a new Technical Committee for Web Services Security (WSS). The TC is designed to continue work on the Web services security foundations published in the WS-Security specification from IBM, Microsoft, and VeriSign. Development will also follow the vision of the Web Services Security Roadmap published in April 2002. The WS-Security specification "defines a standard set of Simple Object Access Protocol (SOAP) extensions, or message headers, that can be used to implement integrity and confidentiality in Web services applications."

The new Web Services Security specification will support security mechanisms of several types, each using implementation- and language-neutral XML formats defined by XML Schema:
- use of XML Signature to provide SOAP message integrity for Web services
- use of XML Encryption to provide SOAP message confidentiality for Web services
- attaching and/or referencing security tokens in headers of SOAP messages
- carrying security information for potentially multiple, designated actors
- associating signatures with security tokens
- representing specific forms of binary security tokens as defined in the WS-Security specification

Participation in the OASIS Web Services Security Technical Committee is open to all organizations and individuals.
Relationship to Existing Activities. "Many efforts related to Web services security and related technologies are underway throughout the industry. The following work may be relevant to this Web Services Security TC:
- OASIS Access Control TC (XACML)
- OASIS XML Common Biometric Format TC (XCBF)
- OASIS Provisioning TC (PSTC)
- OASIS Rights Language TC (XrML)
- OASIS Security Services TC (SAML)
- W3C XML Signature
- W3C XML Encryption
- W3C XML Key Management"
From the announcement:
"WS-Security is one of the first Web services standards to support, integrate and unify multiple security models, mechanisms and technologies, allowing a variety of systems to interoperate in a platform- and language-neutral manner," said Chris Kaler of Microsoft. Kaler and Kelvin Lawrence of IBM serve as co-chairs of the OASIS Web Services Security Technical Committee.
"Significant work is happening at OASIS in the areas of security and Web services. We are excited by the overwhelming response from OASIS members ready to collaborate on WS-Security," added Lawrence.
BEA Systems, Blockade Systems, Commerce One, divine, Documentum, Fujitsu, Intel, IBM, IONA, Microsoft, Novell, Oblix, OpenNetwork, Perficient, SAP, SeeBeyond, Sonic Software, Sun Microsystems, TIBCO, VeriSign, webMethods, XML Global, and other OASIS members will collaborate on advancing the WS-Security specification. The first meeting of the technical committee will be held on 4-5 September 2002 and hosted by Sun Microsystems.
WS-Security joins several security standards currently being developed within OASIS. Other specifications include SAML for authentication and authorization, XACML for access control, XrML for rights management, SPML for exchanging provisioning information, and XCBF for describing biometrics data.
"WS-Security is complementary to our work on SAML," said Joe Pato of HP, co-chair of the OASIS Security Services Technical Committee. "In fact, our team intends to employ WS-Security to specify the use of SAML for adding security features to SOAP messages."
Principal references:
- Announcement 2002-07-23: "OASIS Members Form Web Services Security Technical Committee. WS-Security Specification To Be Advanced by BEA Systems, Blockade Systems, Commerce One, divine, Documentum, Fujitsu, Intel, IBM, IONA, Microsoft, Novell, Oblix, OpenNetwork, Perficient, SAP, SeeBeyond, Sonic Software, Sun Microsystems, TIBCO, VeriSign, webMethods, XML Global, and Other OASIS Members."
- Web Services Security TC Proposal
- WSS TC web page
- IPR statement
- Contact: TC Chairs Kelvin Lawrence (IBM) and Chris Kaler (Microsoft).
- "OASIS Forms WS-Security Committee." By Brian Fonseca. InfoWorld.
- "Web Services Security Specification (WS-Security)" - Main reference section.
- Related work:
  - Simple Object Access Protocol (SOAP)
  - XML Digital Signature (IETF/W3C)
  - XML Key Management Specification (XKMS)
  - XML and Encryption
  - Extensible Access Control Markup Language (XACML)
  - XML Common Biometric Format (XCBF)
  - Security Assertion Markup Language (SAML)
  - XML-Based Provisioning Services
  - Liberty Alliance Specifications for Federated Network Identification and Authorization
  - Extensible Rights Markup Language (XrML)
  - P3P Specification: Platform for Privacy Preferences
  - Intrusion Detection Message Exchange Format
  - Digital Signatures for Internet Open Trading Protocol (IOTP)
  - XML Encoding of SPKI Certificates
  - Digital Receipt Infrastructure Initiative