Members of the OASIS Web Services Security Technical Committee are completing new work in the form of WSS profile specifications. The five profiles under development and review will complement the documents published as WSS 1.0 in April 2004.
The OASIS Web Services Security (WSS) specification is an approved OASIS Standard that "builds upon existing security technologies such as XML Digital Signature, XML Encryption and X.509 Certificates to deliver an industry standard way of securing Web services message exchanges. Providing a framework within which authentication and authorization take place, WSS lets users apply existing security technology and infrastructure in a Web services environment. WSS handles complex confidentiality and integrity for SOAP (Simple Object Access Protocol) messages, providing a general-purpose mechanism for associating security tokens with message content. Designed to be extensible, WSS supports multiple security token formats."
The WSS SAML Token Profile, approved as an OASIS Committee Draft in July 2004, describes how to use Security Assertion Markup Language (SAML) Version 1.1 assertions with the Web Services Security (WSS): SOAP Message Security specification. It defines how SAML assertions are carried in and referenced from <wsse:Security> headers and describes how SAML assertions are used with XML Signature to bind the statements of the assertions (i.e., the claims) to a SOAP message.
The Rights Expression Language (REL) Token Profile is a Committee Draft which describes the use of ISO/IEC 21000-5 Rights Expressions with respect to the SOAP Message Security 1.0 specification.
SOAP Messages with Attachments (SwA) Profile 1.0 is an OASIS TC Working Draft which defines how to use the OASIS Web Services Security: SOAP Message Security standard with SOAP Messages with Attachments (SwA). It "describes how a web service consumer can secure SOAP attachments using SOAP Message Security for attachment integrity, confidentiality and origin authentication, and how a receiver may process such a message."
The Kerberos Token Profile 1.0 Working Draft document "defines how to encode Kerberos tickets and attach them to SOAP messages. It also specifies how to add signatures and encryption to the SOAP message, in accordance with WS-Security, which uses and references the Kerberos tokens."
The WSS TC's Minimalist Profile (MProf) "defines a subset of OASIS WSS: SOAP Message Security features." The subset is "intended to minimize the resource requirements of its implementation and maximize the performance, while keeping the interoperability with the base specification."
Bibliographic Information
Web Services Security: SAML Token Profile. Approved as an OASIS Committee Draft. Reference: Working Draft 15. Edited by Phillip Hallam-Baker (VeriSign), Chris Kaler (Microsoft), Ronald Monzillo (Sun), and Anthony Nadalin (IBM). July 19, 2004. 36 pages.
Web Services Security: Rights Expression Language (REL) Token Profile. Approved as an OASIS Committee Draft. Edited by Thomas DeMartini (ContentGuard, Inc), Anthony Nadalin (IBM), Chris Kaler (Microsoft Corporation), Ronald Monzillo (Sun Microsystems), and Phillip Hallam-Baker (Verisign). June 18, 2004. 25 pages.
Web Services Security: SOAP Messages with Attachments (SwA) Profile 1.0. OASIS TC Working Draft 7. Reference: 'wss-swa-profile-1.0-draft-07'. Edited by Frederick Hirsch (Nokia). July 30, 2004. 18 pages.
Web Services Security: Kerberos Token Profile 1.0. Working Draft 05. Edited by Anthony Nadalin (IBM), Phil Griffin (Individual), Chris Kaler (Microsoft), Phillip Hallam-Baker (VeriSign), and Ronald Monzillo (Sun). July 27, 2004. 16 pages.
SOAP Message Security: Minimalist Profile (MProf). Working Draft 1.5. March 07, 2003. Edited by Anthony Nadalin (IBM). 18 pages.
Principal references:
- References are provided above for the five WSS profiles.
- OASIS Web Services Security TC web site
- Archive for WSS TC discussion list
- Archive for WSS TC comments
- OASIS Web Services Security Issues List. Version 46. Modified August 09, 2004. Maintained by Vijay Gajjala.
- Earlier news:
  - "OASIS Web Services Security Specification Approved as an OASIS Standard." News story 2004-04-08. See also the OASIS announcement.
  - "OASIS Web Services Security TC (WSS) Approves Committee Draft Specifications." News story 2004-01-26.
  - "OASIS WSS TC Approves Three Web Services Security Specifications for Public Review." News story 2003-09-09.
  - "Java Web Services Developer Pack V1.2 Supports WS-I, WS-Security, and UBL Applications." News story 2003-06-05.
  - "Web Services Security TC Receives WS-Security Profile for XML-based Tokens." News story 2002-08-30.
  - "IBM Web Services Toolkit Supports the WS-Security Specification." News story 2002-04-12.
  - "Microsoft, IBM, and VeriSign Promote WS-Security Specifications for Web Services." News story 2002-04-11.
  - "Microsoft Releases New XML Web Services Specifications for a Global XML Web Services Architecture." News story 2001-10-23 (WS-Security).
- General:
  - "Security Assertion Markup Language (SAML)" - Main reference page.
  - "XML and Security Standards" - Main reference page.
  - "Web Services Security Specification (WS-Security)" - General references.