Created: May 24, 2004.

Updated WS-Trust and WS-SecureConversation Specifications Accompany Microsoft WSE 2.0.

On May 24, 2004 Microsoft announced the final release of Web Services Enhancements 2.0 and revised specifications for Web Services Trust Language (WS-Trust) and Web Services Secure Conversation Language (WS-SecureConversation).

According to Microsoft's summary Fact Sheet, WSE 2.0 is a "supported add-on to Microsoft Visual Studio .NET and the Microsoft .NET Framework that enables developers to build security-enhanced Web services based on the latest Web services protocol specifications and standards. Today more than 250,000 developers use WSE to create security-enhanced connected systems that help improve business processes within and beyond corporate trust boundaries and create new revenue-generating opportunities." These "latest Web services specifications and standards" include WS-Security 2004, WS-Policy, WS-SecurityPolicy, WS-Trust, WS-SecureConversation, and WS-Addressing; WS-Security 2004 became an OASIS Standard in April 2004, while the other five protocol specifications are proprietary.

The revised Version 1.1 drafts of WS-Trust and WS-SecureConversation update the previous Version 1.0 specifications published by IBM, Microsoft, RSA, and VeriSign on December 18, 2002. These two documents are featured prominently in Microsoft's WSE 2.0 announcements. "What's New" says that WSE's support of the WS-Trust and WS-SecureConversation specifications "provides the capability to programmatically request a security token using a SOAP message, and that token can be used for a series of SOAP messages between a SOAP message sender and a target Web service. WSE allows you to build a security token service or configure one that issues security context tokens. When configured to issue security context tokens, a SOAP message sender can use the token to sign and/or encrypt a series of SOAP messages, known as a conversation, between a SOAP message sender and the target Web service."

According to Martin Gudgin's new article "Using WS-Trust and WS-SecureConversation," the Web Services Enhancements (WSE) Toolkit Version 2.0 "provides implementations of both specifications to enable Web Service producers and consumers to secure their applications"; it implements the latest version of WS-Trust, providing a SecurityTokenService class as the base class for processing issuance, renewal, and validation requests for security tokens; it also implements the latest version of the WS-SecureConversation specification, providing a SecurityContextTokenService class for issuing Security Context Tokens.

WSE 2.0 is said to work "in concert with another new addition to Microsoft's Web services offering, Microsoft Office Information Bridge Framework 1.0. Information Bridge Framework is an integrated set of tools that uses eXtensible Markup Language (XML) and Web services to enable information workers to view and act on enterprise business data from within familiar Microsoft Office System programs."

WS-Trust and WS-SecureConversation: Bibliographic Information

  • Web Services Trust Language (WS-Trust). Version 1.1. May 2004. 64 pages. Edited by Chris Kaler (Microsoft) and Anthony Nadalin (IBM). Copyright (c) 2001-2004 BEA Systems, Inc., Computer Associates International, Inc., International Business Machines Corporation, Layer 7 Technologies, Microsoft Corporation, Netegrity, Inc., Oblix Inc., OpenNetwork Technologies Inc., Ping Identity Corporation, Reactivity Inc., RSA Security Inc., VeriSign Inc., and Westbridge Technology, Inc. Other authors: Steve Anderson (OpenNetwork), Jeff Bohren (OpenNetwork), Toufic Boubez (Layer 7), Marc Chanliau (Netegrity), Giovanni Della-Libera (Microsoft), Brendan Dixon (Microsoft), Praerit Garg (Microsoft), Eric Gravengaard (Reactivity), Martin Gudgin (Microsoft), Phillip Hallam-Baker (VeriSign), Maryann Hondo (IBM), Hal Lockhart (BEA), Robin Martherus (Oblix), Hiroshi Maruyama (IBM), Prateek Mishra (Netegrity), Nataraj Nagaratnam (IBM), Andrew Nash (RSA Security), Rob Philpott (RSA Security), Darren Platt (Ping Identity), Hemma Prafullchandra (VeriSign), Maneesh Sahu (Westbridge), John Shewchuk (Microsoft), Dan Simon (Microsoft), Davanum Srinivas (Computer Associates), Elliot Waingold (Microsoft), David Waite (Ping Identity), and Riaz Zolfonoon (RSA Security).

    "The goal of WS-Trust is to enable applications to construct trusted SOAP message exchanges. This trust is represented through the exchange and brokering of security tokens. This specification provides a protocol agnostic way to issue, renew, and validate these security tokens... WS-Security defines the basic mechanisms for providing secure messaging. This specification uses these base mechanisms and defines additional primitives and extensions for security token exchange to enable the issuance and dissemination of credentials within different trust domains. In order to secure a communication between two parties, the two parties must exchange security credentials (either directly or indirectly). However, each party needs to determine if they can "trust" the asserted credentials of the other party. In this specification we define extensions to WS-Security that provide: (1) Methods for issuing, renewing, and validating security tokens; (2) Ways to establish, assess the presence of, and broker trust relationships. Using these extensions, applications can engage in secure communication designed to work with the general Web services framework, including WSDL service descriptions, UDDI businessServices and bindingTemplates, and SOAP messages. To achieve this, this specification introduces a number of elements that are used to request security tokens and broker trust relationships..." [from the non-normative Section 1]

  • Web Services Trust Language (WS-Trust). Previous WS-Trust version: Version 1.0. December 18, 2002. 30 pages. [source, Verisign]

  • Web Services Secure Conversation Language (WS-SecureConversation). Version 1.1. May 2004. 25 pages. Edited by Chris Kaler (Microsoft) and Anthony Nadalin (IBM). Copyright (c) 2001-2004 BEA Systems, Inc., Computer Associates International, Inc., International Business Machines Corporation, Layer 7 Technologies, Microsoft Corporation, Netegrity, Inc., Oblix Inc., OpenNetwork Technologies Inc., Ping Identity Corporation, Reactivity Inc., RSA Security Inc., VeriSign Inc., and Westbridge Technology, Inc. Other authors: Steve Anderson (OpenNetwork), Jeff Bohren (OpenNetwork), Toufic Boubez (Layer 7), Marc Chanliau (Netegrity), Giovanni Della-Libera (Microsoft), Brendan Dixon (Microsoft), Praerit Garg (Microsoft), Eric Gravengaard (Reactivity), Martin Gudgin (Microsoft), Satoshi Hada (IBM), Phillip Hallam-Baker (VeriSign), Maryann Hondo (IBM), Hal Lockhart (BEA), Robin Martherus (Oblix), Hiroshi Maruyama (IBM), Prateek Mishra (Netegrity), Nataraj Nagaratnam (IBM), Andrew Nash (RSA Security), Rob Philpott (RSA Security), Darren Platt (Ping Identity), Hemma Prafullchandra (VeriSign), Maneesh Sahu (Westbridge), John Shewchuk (Microsoft), Dan Simon (Microsoft), Davanum Srinivas (Computer Associates), Elliot Waingold (Microsoft), David Waite (Ping Identity), and Riaz Zolfonoon (RSA Security).

    "This specification defines extensions that build on WS-Security and WS-Trust to provide secure communication across one or more messages. Specifically, this specification defines mechanisms for establishing and sharing security contexts, and deriving keys from established security contexts (or any shared secret)... The primary goals of the specification are to define how security contexts are established, describe how security contexts are amended, and specify how derived keys are computed and passed... The mechanisms defined in WS-Security provide the basic mechanisms on top of which secure messaging semantics can be defined for multiple message exchanges. This specification defines extensions to allow security context establishment and sharing, and session key derivation. This allows contexts to be established and potentially more efficient keys or new key material to be exchanged, thereby increasing the overall performance and security of the subsequent exchanges. The WS-Security specification focuses on the message authentication model. This approach, while useful in many situations, is subject to several forms of attack; see the 'Security Considerations' section of the WS-Security specification. Accordingly, this [WS-SecureConversation] specification introduces a security context and its usage. The context authentication model authenticates a series of messages thereby addressing these shortcomings, but requires additional communications if authentication happens prior to normal application exchanges. The security context is defined as a new WS-Security token type that is obtained using a binding of WS-Trust..." [from the non-normative Section 1]

  • Web Services Secure Conversation Language (WS-SecureConversation). Previous version: Version 1.0. December 18, 2002. 15 pages. [source, Verisign]
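The token issuance and "conversation" described in the WSE notes and the WS-SecureConversation abstract above, as an added illustration that is not code from the page, the specifications, or WSE: a toy security token service answers a RequestSecurityToken with a context identifier and shared secret, and each subsequent message is authenticated with a per-message key derived by P_SHA1 from that secret plus a fresh nonce (the derivation and the default label are the spec's; the dictionary-shaped messages, field names, and the constructed identifiers are simplifications assumed here, not the spec's XML).

```python
import hmac, hashlib, os

LABEL = b"WS-SecureConversation"  # the spec's default DerivedKeyToken label

def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1 PRF used for WS-SecureConversation derived keys:
    A(0)=seed, A(i)=HMAC(secret, A(i-1)), output = HMAC(secret, A(i)+seed) concatenated."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def derive_key(secret: bytes, nonce: bytes, offset: int, length: int) -> bytes:
    """Bytes [offset, offset+length) of P_SHA1(secret, label + nonce)."""
    return p_sha1(secret, LABEL + nonce, offset + length)[offset:]

class SecurityContextTokenService:
    """Toy issuer standing in for WSE's SecurityContextTokenService (assumed shape):
    answers an RST with a context identifier plus the shared secret for that context."""
    def __init__(self):
        self.contexts = {}

    def issue(self, rst: dict) -> dict:
        if rst.get("RequestType") != "Issue" or rst.get("TokenType") != "SecurityContextToken":
            raise ValueError("unsupported RequestSecurityToken")
        ctx_id = "uuid:" + os.urandom(8).hex()      # constructed identifier, not a real URN
        self.contexts[ctx_id] = os.urandom(16)      # the context's shared secret
        return {"RequestedSecurityToken": ctx_id, "RequestedProofToken": self.contexts[ctx_id]}

    def verify(self, msg: dict) -> bool:
        """Target service: rebuild the per-message key from the DerivedKeyToken
        parameters carried in the message and check the MAC over the body."""
        secret = self.contexts.get(msg["SecurityContextToken"])
        if secret is None:                          # unknown or expired context
            return False
        key = derive_key(secret, msg["Nonce"], msg["Offset"], msg["Length"])
        return hmac.compare_digest(msg["Signature"], hmac.new(key, msg["Body"], hashlib.sha1).digest())

def sign_message(ctx_id: str, secret: bytes, body: bytes, offset: int = 0, length: int = 16) -> dict:
    """Sender: a fresh nonce gives a fresh key per message; the context secret never signs directly."""
    nonce = os.urandom(16)
    key = derive_key(secret, nonce, offset, length)
    return {"SecurityContextToken": ctx_id, "Nonce": nonce, "Offset": offset, "Length": length,
            "Body": body, "Signature": hmac.new(key, body, hashlib.sha1).digest()}

def conversation(bodies):
    """One RST/RSTR issuance followed by a series of signed messages (a 'conversation')."""
    sts = SecurityContextTokenService()
    rstr = sts.issue({"RequestType": "Issue", "TokenType": "SecurityContextToken"})
    ctx_id, secret = rstr["RequestedSecurityToken"], rstr["RequestedProofToken"]
    return sts, [sign_message(ctx_id, secret, b) for b in bodies]
```

A real deployment carries the nonce, offset and length inside a `wsc:DerivedKeyToken` element and signs with XML Signature rather than a raw HMAC over the body; the key-derivation step is the same.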

Web Services Enhancements (WSE) 2.0 Key Features

"WSE 2.0 works in concert with Visual Studio .NET and the .NET Framework to provide the foundation for building security-enhanced Web services. It helps developers meet their business requirements by stripping away the complexity of writing advanced Web services and enabling administrators to apply Web services security policies in a way that is broadly interoperable across heterogeneous systems. WSE 2.0 provides support for key Web services capabilities, such as the ability to do the following:

  • More easily secure Web services. Now an OASIS standard, WS-Security provides end-to-end security improvements for Web services. It defines how to sign parts of the Simple Object Access Protocol (SOAP) message, help protect the confidentiality and integrity of a SOAP message, and enable the secured messages to traverse multiple intermediaries and underlying transports.
  • Express communication and security requirements. Support for WS-Policy and WS-SecurityPolicy enables developers to express communication requirements for a Web service, including security expectations (integrity, confidentiality, required tokens), reliable messaging assurances and protocol versioning.
  • Issue and obtain security tokens. WS-Trust support enables developers to issue and obtain security tokens that can be used in brokering trust between security domains.
  • Improve efficiency of secure Web services conversations. WS-SecureConversation, based on 2004 revised specifications, increases efficiency of long-running secure Web services conversations by enabling the establishment and sharing of security contexts.
  • Address Web services and messages. With support for WS-Addressing, WSE enables developers to identify Web services endpoints and support message transmission through networks that include processing nodes in a transport-neutral manner. [excerpted from the Web Services Enhancements 2.0 for Microsoft .NET Fact Sheet]

About WSE 2.0 for Microsoft .NET

Web Services Enhancements (WSE) 2.0 for Microsoft .NET is a supported add-on to Microsoft Visual Studio .NET and the Microsoft .NET Framework that enables developers to build secure Web services based on the latest Web services protocol specifications.

WSE 2.0 simplifies the development and deployment of secure Web services by enabling developers and administrators to more easily apply security policies on Web services running on the .NET Framework. Using WSE, Web services communication can be signed and encrypted using Kerberos tickets, X.509 certificates, username/password credentials, and other custom binary and XML-based security tokens. In addition, an enhanced security model provides a policy-driven foundation for securing Web services across trust domains. WSE also supports the ability to establish a trust-issuing service for retrieval and validation of security tokens, as well as the ability to establish more efficient long-running secure communication via secure conversations.

New support for message-oriented programming enables asynchronous communication for Web services that involve long-lived operations, batch processing, peer to peer programs, or event driven application models. Web services that leverage WSE can now be hosted in multiple environments including ASP.NET, standalone executables, NT Services and can communicate over alternative transports including HTTP or TCP.

WSE provides a foundation for building applications based on Web services specifications published by Microsoft and industry partners including WS-Security (OASIS 2004 standard), WS-Policy, WS-SecurityPolicy, WS-Trust, WS-SecureConversation, and WS-Addressing...

WSE 2.0 may be redistributed as part of your solution, provided that redistribution is done using the WSE 2.0 redistribution MSI, Microsoft WSE 2.0 Runtime.msi. This MSI is available as a separate download and is also included in the complete WSE 2.0 download.

WSE 2.0 is built for developers using Visual Studio .NET 2003 and the .NET Framework 1.1. The WSE support life-cycle policy is in line with the .NET Framework support life-cycle policy..."

WSE 2.0 for Microsoft .NET supported operating systems include Windows 2000, Windows 2000 Advanced Server, Windows 2000 Server, Windows 2000 Service Pack 4, Windows Server 2003, Windows XP, Windows XP Professional Edition, and Windows XP Service Pack 1. It also requires Microsoft Visual Studio .NET 2003 or Microsoft .NET Framework SDK version 1.1. [excerpted from the download page]

About the Microsoft Office Information Bridge Framework

The Microsoft Office Information Bridge Framework version 1.0 is a set of integrated tools, technologies and architectural guidance that uses XML and Web services to extend the Microsoft Office System, enabling information workers to view and act on enterprise business data from Microsoft Office Professional Enterprise Edition 2003. Using the Information Bridge Framework, developers can build solutions that connect the Microsoft Office System to enterprise systems via Web services...

Information workers can access enterprise data and processes from Microsoft Office Word 2003, Microsoft Office Excel 2003 and Microsoft Office Outlook 2003. Further integration with Microsoft Office System applications will be available in upcoming versions of the Information Bridge Framework. [The] Information Bridge Framework will be available July 2004.

Information Bridge Framework technology complements the existing smart document technology [found in Office 2003]. Smart documents are those that have attached XML schema and DLL assemblies. The Information Bridge Framework empowers developers to create documents with attached schemas and plays a role in smart document assembly. In addition, the Information Bridge Framework empowers Microsoft Office users to discover information from multiple enterprise systems based on context, and navigate through the related information and act upon it by directly accessing the enterprise system...

The Information Bridge Framework can consume and interact directly with BizTalk Server orchestrations exposed as Web services. BizTalk Server's integration and process automation capabilities can then be accessed in Office documents via the Information Bridge Framework. Finally, adapters written to the BizTalk Server adapter framework can be modified to provide additional Information Bridge Framework-compliant functionality, exposing human-understandable and frequently used entities and actions in XML metadata and providing a get/put/act paradigm..." [adapted from the IBF FAQ document]

Principal references:


Document URI: http://xml.coverpages.org/ni2004-05-24-a.html
Robin Cover, Editor: robin@oasis-open.org