Update 2007-11-20: In November 2007, W3C announced the publication of Web Services Policy 1.5 - Primer and Web Services Policy 1.5 - Guidelines for Policy Assertion Authors as key deliverables supporting the W3C Recommendations Web Services Policy 1.5 - Framework and Web Services Policy 1.5 - Attachment. WS-Policy defines a general policy framework for expressing Web service capabilities and requirements, including a policy data model, processing model (for combining/comparing Web service capabilities), and XML Information Set representation for the policy data model.
Update 2006-03-23: In March 2006, revised versions of Web Services Policy Framework (WS-Policy) and Web Services Policy Attachment (WS-PolicyAttachment) were released.
[December 18, 2002] Six new Web services specifications "aimed at advancing security capabilities and streamlining business policy for organizations implementing Web services" have been published by Microsoft and IBM, together with authorship contributions from BEA, RSA, and SAP. "These specifications are the second wave of work that is part of a broader road map of proposed Web services security capabilities outlined by IBM and Microsoft in April 2002 to tackle the growing need for consistent support of more secure Web services." The new specifications include WS-SecurityPolicy, WS-Trust, WS-SecureConversation, WS-Policy, WS-PolicyAttachment, and WS-PolicyAssertions.
From the announcement:
Microsoft Corp. and IBM Corp., along with BEA Systems Inc., RSA Security Inc., SAP AG, and VeriSign Inc., today announced the publication of a new set of advanced Web services specifications to help businesses share information securely between applications and organizations in a standard way.
Using broadly accepted standards and specifications around Simple Object Access Protocol (SOAP), security, transactions and discovery, the new specifications represent the next step in delivering a comprehensive model of advanced Web services capabilities that integrate currently available technologies with the evolving requirements of emerging applications.
IBM, Microsoft and industry partners are now delivering against a previously announced road map with six new specifications. Providing a framework that is extensible and flexible and maximizes existing investments in a Web services infrastructure, these new specifications make it easier to apply business policy and implement security for a wider range of applications.
The specifications fall into two key groups. The first helps address key technical concerns in the area of security and build on the work outlined in Microsoft and IBM's co-authored road map, "Security in a Web Services World." The second group focuses on streamlining the implementation of business policies in a Web services environment...
Summary of 2002-12 specifications:
Web Services Trust Language (WS-Trust). Version 1.0. December 18, 2002. By IBM, Microsoft, RSA, VeriSign. "This specification defines extensions that build on WS-Security to request and issue security tokens and to manage trust relationships... By using the XML, SOAP and WSDL extensibility models, the WS* specifications are designed to be composed with each other to provide a rich Web services environment. WS-Trust by itself does not provide a complete security solution for Web services. WS-Trust is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models... WS-Security defines the basic mechanisms for providing secure messaging. This specification uses these basic mechanisms and defines additional primitives and extensions for security token exchange to enable the issuance and dissemination of credentials within different trust domains. In order to secure a communication between two parties, the two parties must exchange security credentials (either directly or indirectly). However, each party needs to determine if they can "trust" the asserted credentials of the other party. In this specification we define extensions to WS-Security that provide: (1) methods for issuing and exchanging security tokens, (2) ways to establish and access the presence of trust relationships Using these extensions, applications can engage in secure communication designed to work with the general Web Services framework, including WSDL service descriptions, UDDI businessServices and bindingTemplates, and SOAP messages. To achieve this, this specification introduces a number of headers and elements that are used to request security tokens and manage trust relationships..." IBM source, and PDF.
Web Services Secure Conversation Language (WS-SecureConversation). Version 1.0. December 18, 2002. By IBM, Microsoft, RSA, VeriSign. "This specification defines extensions that build on WS-Security to provide secure communication. Specifically, we define mechanisms for establishing and sharing security contexts, and deriving session keys from security contexts... The mechanisms defined in WS-Security provide the basic mechanisms on top of which secure messaging can be defined. This specification defines extensions to allow security context establishment and sharing, session key derivation. The WS-Security specification focuses on the message authentication model. This approach, while useful in many situations, is subject to several forms of attack. Accordingly, this specification introduces a security context and its usage. The context authentication model authenticates a series of messages thereby addressing these shortcomings, but requires additional communications if authentication happens prior to normal application exchanges. To implement these models (described below) we introduce new headers and SOAP extensions..." IBM source, and PDF.
Web Services Security Policy Language (WS-SecurityPolicy). Version 1.0. December 18, 2002. By IBM, Microsoft, RSA, VeriSign. "This document is an addendum to WS-Security and indicates the policy assertions for WS-Policy which apply to WS-Security... Most Web service specifications indicate their associated policy assertions for use with WS-Policy. However, because WS-Security was published prior to WS-Policy, this addendum identifies these assertions..." IBM source, and PDF.
Web Services Policy Assertions Language (WS-PolicyAssertions). Version 1.0. December 18, 2002. By IBM, Microsoft, BEA, SAP. "This document specifies a set of common message policy assertions that can be specified within a policy. Appendix I (XPath Expressions for Policies) defines a set of normative functions for use with XPath to simplify the path expressions that may be used within assertions to reference message elements..." IBM source, and PDF.
Web Services Policy Attachment (WS-PolicyAttachment). Version 1.0. December 18, 2002. By IBM, Microsoft, BEA, SAP. "This document specifies three specific attachment mechanisms for using policy expressions with existing XML Web service technologies. Specifically, we define how to associate policy expressions with WSDL type definitions and UDDI entities. We also define how to associate implementation-specific policy with all or part of a WSDL portType when exposed from a specific implementation. The WS-Policy specification defines an abstract policy model and an XML policy expression grammar for making policy assertions. This specification defines a general-purpose mechanism for associating policy expressions with subjects. It provides for two approaches to making the associations: the policy assertions may be defined as part of the definition of the subject or the policy assertions may be defined independently and associated through an external binding to the subject. To enable WS-Policy to be used with existing Web service technologies, this specification describes the use of these general-purpose mechanisms with WSDL and UDDI. Specifically, this specification defines the following: (1) How to reference policies from WSDL definitions; (2) How to associate policies with specific instances of WSDL services; (3) How to associate policies with UDDI entities..." IBM source, and PDF.
- Versions from 2006-03:
- Versions from 2004-09 and 2003-06:
- June 04, 2003 update: "Updated Versions of Web Services Policy (WS-Policy) Specifications." News item 2003-06-04.
- References for the six principal specifications in HTML and PDF format are provided above.
- Announcement 2002-12-18: "BEA, IBM, Microsoft, RSA Security, SAP and VeriSign Deliver Advanced Specifications to Help Meet Security and Business Policy Needs of Companies Building and Implementing Web Services. New Group of Specifications to Build on Industry Work for Web Services."
- "Web Services Security: Moving Up the Stack. New Specifications Improve the WS-Security Model." From IBM developerWorks, Web services. December 2002.
- WS-Security Specification Index Page (Microsoft). "WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies."
- WS-Policy Specification Index Page (Microsoft). "The Web Services Policy Framework (WS-Policy) provides a general-purpose model and corresponding syntax to describe and communicate the policies of a Web service."
- Global XML Web Services Architecture (GXA)
- Microsoft XML Web Services Developer Center Home
- "Microsoft, IBM, and VeriSign Promote WS-Security Specifications for Web Services." News story 2002-04-11.
- "IBM, Microsoft and VeriSign Announce New Security Specification to Advance Web Services. WS-Security Specification is the Cornerstone to Building Secure Web Services. Companies Will Jointly Submit Specification for Standardization." Announcement 2002-04-11.
- "Security in a Web Services World: A Proposed Architecture and Roadmap." A Joint White Paper from IBM Corporation and Microsoft Corporation. April 7, 2002.