Update 2007-11-20: In November 2007, W3C announced the publication of Web Services Policy 1.5 - Primer and Web Services Policy 1.5 - Guidelines for Policy Assertion Authors as key deliverables supporting the W3C Recommendations Web Services Policy 1.5 - Framework and Web Services Policy 1.5 - Attachment. WS-Policy defines a general policy framework for expressing Web service capabilities and requirements, including a policy data model, processing model (for combining/comparing Web service capabilities), and XML Information Set representation for the policy data model.
Update 2006-03-23: In March 2006, revised versions of Web Services Policy Framework (WS-Policy) and Web Services Policy Attachment (WS-PolicyAttachment) were released.
[December 18, 2002] Six new Web services specifications "aimed at advancing security capabilities and streamlining business policy for organizations implementing Web services" have been published by Microsoft and IBM, together with authorship contributions from BEA, RSA, and SAP. "These specifications are the second wave of work that is part of a broader road map of proposed Web services security capabilities outlined by IBM and Microsoft in April 2002 to tackle the growing need for consistent support of more secure Web services." The new specifications include WS-SecurityPolicy, WS-Trust, WS-SecureConversation, WS-Policy, WS-PolicyAttachment, and WS-PolicyAssertions.
From the announcement:
Microsoft Corp. and IBM Corp., along with BEA Systems Inc., RSA Security Inc., SAP AG, and VeriSign Inc., today announced the publication of a new set of advanced Web services specifications to help businesses share information securely between applications and organizations in a standard way.
Using broadly accepted standards and specifications around Simple Object Access Protocol (SOAP), security, transactions and discovery, the new specifications represent the next step in delivering a comprehensive model of advanced Web services capabilities that integrate currently available technologies with the evolving requirements of emerging applications.
IBM, Microsoft and industry partners are now delivering against a previously announced road map with six new specifications. Providing a framework that is extensible and flexible and maximizes existing investments in a Web services infrastructure, these new specifications make it easier to apply business policy and implement security for a wider range of applications.
The specifications fall into two key groups. The first helps address key technical concerns in the area of security and build on the work outlined in Microsoft and IBM's co-authored road map, "Security in a Web Services World." The second group focuses on streamlining the implementation of business policies in a Web services environment...
Summary of 2002-12 specifications:
Web Services Trust Language (WS-Trust). Version 1.0. December 18, 2002. By IBM, Microsoft, RSA, VeriSign. "This specification defines extensions that build on WS-Security to request and issue security tokens and to manage trust relationships... By using the XML, SOAP and WSDL extensibility models, the WS* specifications are designed to be composed with each other to provide a rich Web services environment. WS-Trust by itself does not provide a complete security solution for Web services. WS-Trust is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models... WS-Security defines the basic mechanisms for providing secure messaging. This specification uses these basic mechanisms and defines additional primitives and extensions for security token exchange to enable the issuance and dissemination of credentials within different trust domains. In order to secure a communication between two parties, the two parties must exchange security credentials (either directly or indirectly). However, each party needs to determine if they can "trust" the asserted credentials of the other party. In this specification we define extensions to WS-Security that provide: (1) methods for issuing and exchanging security tokens, (2) ways to establish and access the presence of trust relationships. Using these extensions, applications can engage in secure communication designed to work with the general Web Services framework, including WSDL service descriptions, UDDI businessServices and bindingTemplates, and SOAP messages. To achieve this, this specification introduces a number of headers and elements that are used to request security tokens and manage trust relationships..." IBM source, and PDF.
Web Services Secure Conversation Language (WS-SecureConversation). Version 1.0. December 18, 2002. By IBM, Microsoft, RSA, VeriSign. "This specification defines extensions that build on WS-Security to provide secure communication. Specifically, we define mechanisms for establishing and sharing security contexts, and deriving session keys from security contexts... The mechanisms defined in WS-Security provide the basic mechanisms on top of which secure messaging can be defined. This specification defines extensions to allow security context establishment and sharing, session key derivation. The WS-Security specification focuses on the message authentication model. This approach, while useful in many situations, is subject to several forms of attack. Accordingly, this specification introduces a security context and its usage. The context authentication model authenticates a series of messages thereby addressing these shortcomings, but requires additional communications if authentication happens prior to normal application exchanges. To implement these models (described below) we introduce new headers and SOAP extensions..." IBM source, and PDF.
Web Services Security Policy Language (WS-SecurityPolicy). Version 1.0. December 18, 2002. By IBM, Microsoft, RSA, VeriSign. "This document is an addendum to WS-Security and indicates the policy assertions for WS-Policy which apply to WS-Security... Most Web service specifications indicate their associated policy assertions for use with WS-Policy. However, because WS-Security was published prior to WS-Policy, this addendum identifies these assertions..." IBM source, and PDF.
Web Services Policy Framework (WS-Policy). Version 1.0. December 18, 2002. By IBM, Microsoft, BEA, SAP. "WS-Policy provides a flexible and extensible grammar for expressing the capabilities, requirements, and general characteristics of entities in an XML Web services-based system. WS-Policy defines a framework and a model for the expression of these properties as policies. Policy expressions allow for both simple declarative assertions as well as more sophisticated conditional assertions. WS-Policy defines a policy statement to be a collection of one or more policy assertions. Some assertions specify traditional requirements and capabilities that will ultimately manifest on the wire (e.g., authentication scheme, transport protocol selection). Some assertions specify requirements and capabilities that have no wire manifestation yet are critical to proper service selection and usage (e.g., privacy policy, QoS characteristics). WS-Policy provides a single policy grammar to allow both kinds of assertions to be reasoned about in a consistent manner. WS-Policy stops short of specifying how policy expressions are discovered or attached to a Web service. Other specifications are free to define technology-specific mechanisms for associating policy with various entities and resources. Subsequent specifications will provide profiles on WS-Policy usage within other common Web service technologies. The goal of WS-Policy is to provide the mechanisms needed to enable Web services applications to specify policy information. Specifically, this specification defines the following: (1) An XML-based structure called a policy expression which contains domain specific Web Service policy information; (2) A core set of grammar elements to indicate how the contained policy assertions apply..." IBM source, and PDF.
Web Services Policy Assertions Language (WS-PolicyAssertions). Version 1.0. December 18, 2002. By IBM, Microsoft, BEA, SAP. "This document specifies a set of common message policy assertions that can be specified within a policy. Appendix I (XPath Expressions for Policies) defines a set of normative functions for use with XPath to simplify the path expressions that may be used within assertions to reference message elements..." IBM source, and PDF.
Web Services Policy Attachment (WS-PolicyAttachment). Version 1.0. December 18, 2002. By IBM, Microsoft, BEA, SAP. "This document specifies three specific attachment mechanisms for using policy expressions with existing XML Web service technologies. Specifically, we define how to associate policy expressions with WSDL type definitions and UDDI entities. We also define how to associate implementation-specific policy with all or part of a WSDL portType when exposed from a specific implementation. The WS-Policy specification defines an abstract policy model and an XML policy expression grammar for making policy assertions. This specification defines a general-purpose mechanism for associating policy expressions with subjects. It provides for two approaches to making the associations: the policy assertions may be defined as part of the definition of the subject or the policy assertions may be defined independently and associated through an external binding to the subject. To enable WS-Policy to be used with existing Web service technologies, this specification describes the use of these general-purpose mechanisms with WSDL and UDDI. Specifically, this specification defines the following: (1) How to reference policies from WSDL definitions; (2) How to associate policies with specific instances of WSDL services; (3) How to associate policies with UDDI entities..." IBM source, and PDF.
Principal references:
- Versions from 2006-03:
  - Web Services Policy Framework (WS-Policy). March 2006. Version 1.2. 25 pages. Also from IBM.
  - Web Services Policy Attachment (WS-PolicyAttachment). March 2006. Version 1.2. 29 pages. Also from IBM.
  - WS-Policy Specification Schema. Also from IBM.
- Versions from 2004-09 and 2003-06:
  - Web Services Policy Framework (WS-Policy). September 2004. 22 pages. Also from IBM.
  - Web Services Policy Attachment (WS-PolicyAttachment). September 2004. 27 pages. Also from IBM.
  - WS-Policy 2004-09 Schema. Also from IBM.
  - Web Services Policy Framework (WS-Policy). Version 1.01. 2-June-2003. Also from IBM.
- June 04, 2003 update: "Updated Versions of Web Services Policy (WS-Policy) Specifications." News item 2003-06-04.
- References for the six principal specifications in HTML and PDF format are provided above.
- Announcement 2002-12-18: "BEA, IBM, Microsoft, RSA Security, SAP and VeriSign Deliver Advanced Specifications to Help Meet Security and Business Policy Needs of Companies Building and Implementing Web Services. New Group of Specifications to Build on Industry Work for Web Services."
- "Web Services Security: Moving Up the Stack. New Specifications Improve the WS-Security Model." From IBM developerWorks, Web services. December 2002.
- WS-Security Specification Index Page (Microsoft). "WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies."
- WS-Policy Specification Index Page (Microsoft). "The Web Services Policy Framework (WS-Policy) provides a general-purpose model and corresponding syntax to describe and communicate the policies of a Web service."
- Global XML Web Services Architecture (GXA)
- Microsoft XML Web Services Developer Center Home
- "Microsoft, IBM, and VeriSign Promote WS-Security Specifications for Web Services." News story 2002-04-11.
- "IBM, Microsoft and VeriSign Announce New Security Specification to Advance Web Services. WS-Security Specification is the Cornerstone to Building Secure Web Services. Companies Will Jointly Submit Specification for Standardization." Announcement 2002-04-11.
- "Security in a Web Services World: A Proposed Architecture and Roadmap." A Joint White Paper from IBM Corporation and Microsoft Corporation. April 7, 2002.