Created: September 09, 2003.

OASIS WSS TC Approves Three Web Services Security Specifications for Public Review.

The OASIS Web Services Security Technical Committee has announced a unanimous vote to begin the public review of three Web Services Security specifications and associated XML Schemas. The documents were approved as TC Committee Drafts, moving the WSS TC's work one step closer to making WS-Security an OASIS Standard. The 30-day public review period for the WSS TC specifications starts 19-September-2003 and ends 19-October-2003. The Core Web Services Security: SOAP Message Security document "proposes a standard set of SOAP extensions that can be used when building secure Web services to implement message content integrity and confidentiality. It is flexible and is designed to be used as the basis for securing Web services within a wide variety of security models including PKI, Kerberos, and SSL. Specifically, this specification provides support for multiple security token formats, multiple trust domains, multiple signature formats, and multiple encryption technologies." Two XML Schemas are considered part of the WSS Core.

The Web Services Security: Username Token Profile document "describes how to use the UsernameToken with the Web Services Security (WSS) specification; more specifically, it describes how a web service consumer can supply a UsernameToken as a means of identifying the requestor by 'username', and optionally using a password, to authenticate that identity to the web service producer."

The Web Services Security: X.509 Certificate Token Profile document "describes the use of the X.509 authentication framework with the Core WSS specification. An X.509 certificate may be used to validate a public key that may be used to authenticate a WS-Security-enhanced message, or to identify the public key with which a WS-Security-enhanced message has been encrypted."

Bibliographic Information

  • Web Services Security: SOAP Message Security. Edited by Anthony Nadalin (IBM), Chris Kaler (Microsoft), Phillip Hallam-Baker (VeriSign), and Ronald Monzillo (Sun). Working Draft #17. August 27, 2003. Document identifier: 'WSS: SOAP Message Security -17'. Associated with this 'core' specification are two XML Schemas: secext.xsd and utility.xsd. 53 pages.

  • Web Services Security: Username Token Profile. Edited by Anthony Nadalin (IBM), Phil Griffin (Individual), Chris Kaler (Microsoft), Ronald Monzillo (Sun), and Phillip Hallam-Baker (VeriSign). Working Draft #4. August 11, 2003. Document identifier: '{draft}-{WSS: SOAP Message Security }-{UsernameToken Profile }-{4.0}'. 13 pages.

  • Web Services Security: X.509 Certificate Token Profile. Edited by Phillip Hallam-Baker (VeriSign), Chris Kaler (Microsoft), Ronald Monzillo (Sun), and Anthony Nadalin (IBM). Working Draft 10. August 19, 2003. Document identifier: 'urn:oasis:names:tc:WSS:1.0:profiles:X509-10'. 15 pages.

Web Services Security: SOAP Message Security

"This specification describes enhancements to SOAP messaging to provide message integrity and single message authentication. The specified mechanisms can be used to accommodate a wide variety of security models and encryption technologies.

This specification also provides a general-purpose mechanism for associating security tokens with message content. No specific type of security token is required; the specification is designed to be extensible (e.g., to support multiple security token formats). For example, a client might provide one format for proof of identity and provide another format for proof that they have a particular business certification.

Additionally, this specification describes how to encode binary security tokens, a framework for XML-based tokens, and how to include opaque encrypted keys. It also includes extensibility mechanisms that can be used to further describe the characteristics of the tokens that are included with a message..."

"The specification proposes a standard set of SOAP extensions that can be used when building secure Web services to implement message content integrity and confidentiality. This specification refers to this set of extensions as the 'Web Services Security Core Language' or 'WSS-Core'.

This specification is flexible and is designed to be used as the basis for securing Web services within a wide variety of security models including PKI, Kerberos, and SSL. Specifically, this specification provides support for multiple security token formats, multiple trust domains, multiple signature formats, and multiple encryption technologies. The token formats and semantics for using these are defined in the associated profile documents.

This specification provides three main mechanisms: the ability to send security tokens as part of a message, message integrity, and message confidentiality. These mechanisms by themselves do not provide a complete security solution for Web services. Instead, this specification is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to accommodate a wide variety of security models and security technologies.

These mechanisms can be used independently (e.g., to pass a security token) or in a tightly coupled manner (e.g., signing and encrypting a message or part of a message and providing a security token or token path associated with the keys used for signing and encryption)..." [adapted from the Abstract and Introduction]

Web Services Security: Username Token Profile

"This document describes how to use the UsernameToken with the Web Services Security (WSS) specification. More specifically, it describes how a web service consumer can supply a UsernameToken as a means of identifying the requestor by 'username', and optionally using a password (or shared secret, or password equivalent) to authenticate that identity to the web service producer..." [from the non-normative Introduction]
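The consumer/producer exchange described above, as an added Python example that is not part of the TC's documents: the consumer builds a UsernameToken carrying a password digest, and the producer validates it with freshness and nonce-replay checks and refuses cleartext passwords. The digest form Base64(SHA-1(nonce + created + password)) and the namespace and Type URIs are those of the later published WSS 1.0 profile (an assumption here; the committee draft announced on this page may differ).

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace/Type URIs are those of published WSS 1.0 (assumption): the drafts announced here used draft namespaces.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def parse_created(s: str) -> datetime:  # wsu:Created is an xsd:dateTime; the profile uses UTC ("Z")
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the 1.0 profile defines it."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_envelope(username: str, password: str, created: str, nonce: bytes) -> str:
    """Consumer side: a SOAP envelope whose wsse:Security header carries a digest UsernameToken."""
    return (
        f'<s:Envelope xmlns:s="{SOAP}"><s:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>')

def verify_envelope(xml: str, passwords: dict, seen: set, now: datetime, skew_s: int = 300) -> str:
    """Producer side: returns 'ok' or the reason the token is rejected (digest form, freshness, replay, digest)."""
    tok = ET.fromstring(xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return "no UsernameToken"
    user = tok.findtext(f"{{{WSSE}}}Username", "")
    pw = tok.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type") != DIGEST:
        return "password missing or not a digest"  # PasswordText is cleartext; refuse it on this endpoint
    created = tok.findtext(f"{{{WSU}}}Created", "")
    try:
        ts = parse_created(created)
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce", ""), validate=True)
    except ValueError:
        return "malformed Created or Nonce"
    if abs((now - ts).total_seconds()) > skew_s:
        return "Created outside freshness window"  # bounds how long a captured token stays replayable
    if (user, nonce) in seen:
        return "replayed nonce"
    expected = password_digest(nonce, created, passwords.get(user, ""))
    if user not in passwords or not hmac.compare_digest(expected, pw.text or ""):
        return "bad digest"
    seen.add((user, nonce))  # remember the nonce for at least the freshness window
    return "ok"
```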

Web Services Security: X.509 Certificate Token Profile

"This specification describes the use of the X.509 authentication framework with the Web Services Security: SOAP Message Security specification.

An X.509 certificate specifies a binding between a public key and a set of attributes that includes (at least) a subject name, issuer name, serial number and validity interval. This binding may be subject to subsequent revocation advertised by mechanisms that include issuance of CRLs, OCSP tokens or mechanisms that are outside the X.509 framework, such as XKMS.

An X.509 certificate may be used to validate a public key that may be used to authenticate a WS-Security-enhanced message or to identify the public key with which a WS-Security-enhanced message has been encrypted..." [from the non-normative Introduction]

About the OASIS Web Services Security TC

A Web Services Security (WS-Security) specification from International Business Machines Corporation, Microsoft Corporation, and VeriSign, Inc. was published in April 2002. In July 2002, OASIS members formed the Web Services Security Technical Committee with broad industry support; BEA Systems, Blockade Systems, Commerce One, divine, Documentum, Fujitsu, Intel, IBM, IONA, Microsoft, Novell, Oblix, OpenNetwork, Perficient, SAP, SeeBeyond, Sonic Software, Sun Microsystems, TIBCO, VeriSign, webMethods, XML Global, and other OASIS members announced that they would collaborate on advancing the WS-Security specification. The Web Services Security TC Co-Chairs are Kelvin Lawrence (IBM) and Chris Kaler (Microsoft).

The OASIS Web Services Security TC was chartered to "continue work on the Web Services security foundations as described in the Web Services Security (WS-Security) specification [April 2002], which was written within the context of the Web Services Security Roadmap as published in April 2002. The work of the WSS TC will form the necessary technical foundation for higher-level security services which are to be defined in other specifications. The TC shall not further develop the security roadmap, nor shall the roadmap constitute a normative part of the output of the TC..."

The TC identified an initial set of deliverables, including (1) The 'core' specification; (2) A SAML profile; (3) An XrML profile; (4) A Kerberos profile; (5) An X.509 profile.

The scope of the Web Services Security Technical Committee as chartered was "the support of security mechanisms in the following areas:

  • Using XML signature to provide SOAP message integrity for Web services
  • Using XML encryption to provide SOAP message confidentiality for Web services
  • Attaching and/or referencing security tokens in headers of SOAP messages
  • Carrying security information for potentially multiple, designated actors
  • Associating signatures with security tokens"

Document URI: http://xml.coverpages.org/ni2003-09-09-a.html
Robin Cover, Editor: robin@oasis-open.org