Members of the OASIS Web Services Security Technical Committee are completing new work in the form of WSS profile specifications. The five profiles under development and review will complement the documents published as WSS 1.0 in April 2004.
The OASIS Web Services Security (WSS) specification is an approved OASIS Standard that "builds upon existing security technologies such as XML Digital Signature, XML Encryption and X.509 Certificates to deliver an industry standard way of securing Web services message exchanges. Providing a framework within which authentication and authorization take place, WSS lets user apply existing security technology and infrastructure in a Web services environment. WSS handles complex confidentiality and integrity for SOAP (Simple Object Access Protocol) messages, providing a general-purpose mechanism for associating security tokens with message content. Designed to be extensible, WSS supports multiple security token formats."
The WSS SAML Token Profile approved as an OASIS Committee Draft in July 2004 describes how to use Security Assertion Markup Language (SAML) Version 1.1 assertions with the Web Services Security (WSS): SOAP Message Security specification. It defines how SAML assertions are carried in and referenced from <wsse:security> headers and describes how SAML assertions are used with XML Signature to bind the statements of the assertions (i.e., the claims) to a SOAP message.
The Rights Expression Language (REL) Token Profile is a Committee Draft which describes the use of ISO/IEC 21000-5 Rights Expressions with respect to the SOAP Message Security 1.0 specification.
SOAP Messages with Attachments (SwA) Profile 1.0 is an OASIS TC Working Draft which defines how to use the OASIS Web Services Security: SOAP Message Security standard with SOAP Messages with Attachments (SwA). It "describes how a web service consumer can secure SOAP attachments using SOAP Message Security for attachment integrity, confidentiality and origin authentication, and how a receiver may process such a message."
The Kerberos Token Profile 1.0 Working Draft document "defines how to encode Kerberos tickets and attach them to SOAP messages. It also specifies how to add signatures and encryption to the SOAP message, in accordance with WS-Security, which uses and references the Kerberos tokens."
The WSS TC's Minimalist Profile (MProf) "defines a subset of OASIS WSS: SOAP Message Security features. The subset is "intended to minimize the resource requirements of its implementation and maximize the performance, while keeping the interoperability with the base specification."
Web Services Security: SAML Token Profile. Approved as an OASIS Committee Draft. Reference: Working Draft 15. Edited by Phillip Hallam-Baker (VeriSign), Chris Kaler (Microsoft), Ronald Monzillo (Sun), and Anthony Nadalin (IBM). July 19, 2004. 36 pages.
Web Services Security: Rights Expression Language (REL) Token Profile. Approved as an OASIS Committee Draft. Edited by Thomas DeMartini (ContentGuard, Inc), Anthony Nadalin (IBM), Chris Kaler (Microsoft Corporation), Ronald Monzillo (Sun Microsystems), and Phillip Hallam-Baker (Verisign). June 18, 2004. 25 pages.
Web Services Security: SOAP Messages with Attachments (SwA) Profile 1.0. OASIS TC Working Draft 7. Reference: 'wss-swa-profile-1.0-draft-07'. Edited by Frederick Hirsch (Nokia). July 30, 2004. 18 pages.
Web Services Security: Kerberos Token Profile 1.0. Working Draft 05. Edited by Anthony Nadalin (IBM), Phil Griffin (Individual), Chris Kaler (Microsoft), Phillip Hallam-Baker (VeriSign), and Ronald Monzillo (Sun). July 27, 2004. 16 pages.
- References are provided above for the five WSS profiles.
- OASIS Web Services Security TC web site
- Archive for WSS TC discussion list
- Archive for WSS TC comments
- OASIS Web Services Security Issues List. Version 46. Modified August 09, 2004. Maintained by Vijay Gajjala.
- Earlier news:
- "OASIS Web Services Security Specification Approved as an OASIS Standard." News story 2004-04-08. See also the OASIS announcement.
- "OASIS Web Services Security TC (WSS) Approves Committee Draft Specifications." News story 2004-01-26.
- "OASIS WSS TC Approves Three Web Services Security Specifications for Public Review." News story 2003-09-09.
- "Java Web Services Developer Pack V1.2 Supports WS-I, WS-Security, and UBL Applications." News story 2003-06-05.
- "Web Services Security TC Receives WS-Security Profile for XML-based Tokens." News story 2002-08-30.
- "IBM Web Services Toolkit Supports the WS-Security Specification." News story 2002-04-12.
- "Microsoft, IBM, and VeriSign Promote WS-Security Specifications for Web Services." News story 2002-04-11.
- "Microsoft Releases New XML Web Services Specifications for a Global XML Web Services Architecture." News story 2001-10-23 (WS-Security).
- "Security Assertion Markup Language (SAML)" - Main reference page.
- "XML and Security Standards" - Main reference page.
- "Web Services Security Specification (WS-Security)" - General references.