The Web Services Interoperability Organization (WS-I) has announced the availability of a Basic Security Profile Version 1.0 Working Group Draft.

Publication of the Basic Security Profile follows a February 2004 release of WS-I Security Scenarios Working Group Draft which defined the requirements and scope for the WS-I Basic Security Profile.

The WS-I Basic Security Profile Version 1.0 consists of "a set of non-proprietary Web services specifications, along with clarifications and amendments to those specifications which promote interoperability. The Security Profile WD addresses Transport Layer Security, SOAP Message Security, Username Token Profile, X.509 Certificate Token Profile, XML-Signature, XML Encryption, Algorithms, Relationship of Basic Security Extension Profile to Basic Profile, and Attachment Security.

The Profile's Guiding Principles articulated in Section 1.1 clarify that testable statements are made when possible, but that "such testability is not required; preferably, testing is achieved in a non-intrusive manner (e.g., examining artifacts 'on the wire,' but due to the nature of cryptographic security, non-intrusive testing may not be possible." Similarly, the Basic Security Profile provides no guarantee of interoperability: "Although it is impossible to completely guarantee the interoperability of a particular service, the Profile attempts to increase interoperability by addressing the most common problems that implementation experience has revealed to date."

Requirements from a number of specifications are incorporated into the Profile by reference, as enumerated in Appendix I: HTTP over TLS; Web Services Security: SOAP Message Security; Web Services Security: Username Token Profile; Web Services Security: X.509 Token Profile; XML-Signature Syntax and Processing; Web Services Security: SOAP Message Security Section 9; XML Encryption Syntax and Processing.

The WS-I announcement reports that the the WS-I Basic Security Profile Working Group is "planning to incorporate the Web Services Security: Kerberos Token Profile into the Basic Security Profile upon completion of the technical work by the OASIS Web Services Security Technical Committee. In addition, WS-I is considering incorporating other token profiles, such as the Web Services Security: SAML Token Profile and the Web Services Security: XRML Token Profile into the Basic Security Profile."

Bibliographic Information

Basic Security Profile Version 1.0. Working Group Draft. Date: 2004/05/12 10:20:46 Version URL: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0-2004-05-12.html. Latest version URL: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html. Edited by Abbie Barbir (Nortel Networks), Martin Gudgin (Microsoft), and Michael McIntosh (IBM). Administrative contact: secretary@ws-i.org. Copyright (c) 2002-2004 by The Web Services-Interoperability Organization (WS-I) and Certain of its Members.

WS-I Security Scenarios. Edited by Mark Davis (Sarvega), Bret Hartman (DataPower), Chris Kaler (Microsoft), Anthony Nadalin (IBM), and Jerry Schwarz (Oracle). From the WS-I Basic Security Profile Working Group. Document Status: Working Group Draft. Version 0.15. February 14, 2004. 52 pages. Work in progress document, copyright (c) 2004 by The Web Services-Interoperability Organization (WS-I) and Certain of its Members.

From the WS-I Announcement

The Web Services Interoperability Organization (WS-I) today announced the availability of the WS-I Basic Security Profile Working Group Draft. When final, the Basic Security Profile will be a guide for the use of Web services security standards and technologies in the development of interoperable Web services. The WS-I Basic Security Profile Working Group Draft can be reviewed at www.ws-i.org, and feedback may be submitted to wsi_secprofile_comment@lists.ws-i.org.

"The WS-I Basic Security Profile Working Group has made this working draft public in order to solicit feedback from the Web services community, with the goal of ensuring the high quality and broad applicability of the profile," said Paul Cotton, Chair of the WS-I Basic Security Profile Working Group. "The process of incorporating public feedback was critical to the success of the WS-I Basic Profile, and we anticipate the same benefits from this process."

"The successful deployment of standards-based security technologies will be a key determinant in the widespread adoption of Web services," said Ray Wagner, Research Director, Information Security Strategies at Gartner. "Along with the Security Scenarios that were made available for public comment this past February, the Basic Security Profile will be an important resource for Web services developers and security architects concerned with security and interoperability."

The Basic Security Profile is an interoperability profile that addresses transport security, SOAP messaging security and other security considerations for the Basic Profile 1.0, as well as the Basic Profile 1.1, Simple SOAP Binding Profile 1.0 and Attachments Profile 1.0, currently available for public review as Working Group Drafts. The Basic Security Profile is intended to compose with other WS-I profiles and will reference existing specifications used to provide security, including the OASIS Web Services Security 1.0 specification, and provide clarifications and guidance designed to promote interoperability of those specifications.

The Basic Security Profile focuses on the interoperability characteristics of two main technologies: HTTP over TLS and Web Services Security: SOAP Message Security. HTTP over TLS is a point-to-point technology that protects the confidentiality of all information that flows over an HTTP connection. Web Services Security: SOAP Message Security provides security protection for SOAP messages and applies even when a message passes through several intermediary waypoints, allowing differing levels of protection for selected portions of a message. The Basic Security Profile describes a way to apply SOAP Message Security to attachments.

The Basic Security Profile also incorporates Web Services Security: Username Token Profile and Web Services Security: X.509 Certificate Token Profile. The Basic Security Profile Working Group is planning to incorporate the Web Services Security: Kerberos Token Profile into the Basic Security Profile upon completion of the technical work by the OASIS Web Services Security Technical Committee. In addition, WS-I is considering incorporating other token profiles such as the Web Services Security: SAML Token Profile and Web Services Security: XRML Token Profile into the Basic Security Profile.

WS-I is an open industry organization committed to promoting consistent and reliable interoperability among Web services across platforms, applications and programming languages. The organization unites a diverse community of Web services companies by providing guidance, recommended practices and supporting resources for developing interoperable Web services. Since its formation in February 2002, more than 170 companies have joined WS-I. For more information please visit http://www.ws-i.org, or e-mail info@ws-i.org.

From the WS-I BSPWG Announcement 2003-04-01

In April 2003 WS-I announced the formation of its Basic Security Profile Working Group. Excerpt:

The Web Services Interoperability Organization ("WS-I") today announced the formation of the Basic Security Profile Working Group (BSPWG). The BSPWG was chartered following the organization's fourth plenary session held recently in Salt Lake City.

The formation of the BSPWG is the result of several months of research and planning conducted by the Basic Security Work Plan Working Group, a security task force chaired by Eve Maler, XML standards architect at Sun Microsystems. The Basic Security Work Plan Working Group, formed in late November 2002, created a work plan prioritizing and scoping key security interoperability issues. The Basic Security Work Plan Working Group presented its recommendations to the membership at the recent plenary session.

"Web services security is a key challenge facing both vendors and consumers of Web services," said Maler. "Our goal is to focus specifically on the interoperability issues involving security technologies and to deliver a profile as a way to encourage secure Web services."

The newly chartered BSPWG will develop an interoperability profile involving transport security, SOAP messaging security and other security considerations implicated by the WS-I Basic Profile. The Basic Security Profile is intended to be an extension to the WS-I Basic Profile 1.0 and will reference existing specifications used to provide security and provide clarifications and guidance designed to promote interoperability of those specifications. The BSPWG will also develop a set of usage scenarios and their component message exchange patterns (MEPs) to guide their work. A timeline for the deliverables will be determined in the next month.

"Security is a key requirement for the broad adoption and deployment of Web services," said Daniel Sholler, vice president, META Group. "Today's announcement by WS-I represents an important milestone for helping customers build secure, reliable, transacted Web services."