The Web Services Interoperability Organization has issued a public announcement for a Basic Security Profile Working Group (BSPWG). "The BSPWG was chartered following the organization's fourth plenary session held recently in Salt Lake City. The formation of the BSPWG is the result of several months of research and planning conducted by the Basic Security Work Plan Working Group, a security task force chaired by Eve Maler, XML standards architect at Sun Microsystems. The newly chartered BSPWG will develop an interoperability profile involving transport security, SOAP messaging security and other security considerations implicated by the WS-I Basic Profile. The Basic Security Profile is intended to be an extension to the WS-I Basic Profile 1.0 and will reference existing specifications used to provide security and provide clarifications and guidance designed to promote interoperability of those specifications. The BSPWG will also develop a set of usage scenarios and their component message exchange patterns (MEPs) to guide their work. A timeline for the deliverables will be determined in the next month."
BSPWG Work Plan
[From the WS-I "Working Group Charter. Web Services Basic Security Work Plan."]
"The Web Services Basic Security Work Plan Working Group will develop a framework and a short-term work plan for the WS-I Board, prioritizing and scoping security interoperability issues, leveraging usage scenarios and use cases, and creating draft charters for workgroups as required."
"This Working Group will focus on the development of administrative and non-Material documents, which are needed to initiate and structure the short-term security work within WS-I. The working group will consider security issues regarding interoperability of Web services. The working group will start with the existing usage scenarios, use cases and sample applications. It will consider the security threats and risks in various Web services contexts such as Intranet, Extranet, and Public Internet, etc."
"[The working group] will consider interoperability requirements in the following areas: (1) identification and authentication, (2) message integrity and message authentication, (3) message confidentiality, and (4) non-repudiation."
"The relevant existing standards in that space, such as HTTP Authentication, W3C XML DSIG, W3C XML Encryption, XKMS, OASIS SAML 1.0, XrML, HTTPS, S/MIME, PKIX (X.509 certificates), Kerberos, PKCS, DSS, SHA-1, CMS, XML Canonicalization, XSLT, XML Infosets, etc. need to be identified."
"Synergies with ongoing and existing security standards work at organizations such as OASIS, W3C, IETF need to be considered for the proposed work plan. Duplication of efforts needs to be avoided."
From the Announcement
The Basic Security Work Plan Working Group, formed in late November 2002, created a work plan prioritizing and scoping key security interoperability issues. The Basic Security Work Plan Working Group presented its recommendations to the membership at the recent plenary session.
"Web services security is a key challenge facing both vendors and consumers of Web services," said Maler. "Our goal is to focus specifically on the interoperability issues involving security technologies and to deliver a profile as a way to encourage secure Web services."
"Security is a key requirement for the broad adoption and deployment of Web services," said Daniel Sholler, vice president, META Group. "Today's announcement by WS-I represents an important milestone for helping customers build secure, reliable, transacted Web services."
WS-I is an open industry organization committed to promoting consistent and reliable interoperability among Web services across platforms, applications and programming languages. The organization unites a diverse community of Web services companies by providing guidance, recommended practices and supporting resources for developing interoperable Web services. Since its formation in February 2002, more than 170 companies have joined WS-I.
Principal references:
- Announcement 2003-04-01: "WS-I Charters Basic Security Profile Working Group. Industry Organization Tackles Interoperability Issues with Web Services Security."
- "WS-I Second Round Spec Homes In On Security." By Gavin Clarke [ComputerWire]. In The Register (January 21, 2003).
- "Group Addresses Web Services Security." By Darryl K. Taft. In eWEEK (April 01, 2003).
- "Working Group Charter. Web Services Basic Security Work Plan." By Franz Fritz and Ajamu Wesley. WS-I Administrative Document. Version 1.01. November 20, 2002.
- WS-I website
- "Web Services Interoperability Organization (WS-I)" - Main reference page.