The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Created: July 14, 2005.
News: Cover Stories

Microsoft and IBM Announce Submission of Security Specifications to OASIS.

Update 2005-10-17: OASIS announced the charter of a new Web Services Secure Exchange (WS-SX) Technical Committee to continue work on the WS-SecureConversation, WS-SecurityPolicy, and WS-Trust specifications. The purpose of the WS-SX Technical Committee (TC) is to define extensions to OASIS Web Services Security (WSS/WS-Security) to enable trusted SOAP message exchanges involving multiple message exchanges and to define security policies that govern the formats and tokens of such messages. The OASIS Web Services Security specification describes a base mechanism for securing SOAP messages but does not deal with trust brokering, multi-message exchanges, and policies describing how to secure message exchanges with a Web service. The scope of the TC's work is to continue further refinement and finalization of the [three] Input Documents to produce as output modular specifications that standardize the concepts, WSDL documents, and XML Schema renderings. See the announcement: "OASIS Members Form Committee to Advance Standards for Web Services Secure Exchange (WS-SX). Actional, Adobe, Amberpoint, BMC Software, BEA Systems, Computer Associates, DataPower, Forum Systems, HP, IBM, Infravio, IONA, Microsoft, Nokia, Novell, Oracle, Reactivity, Ricoh, Sarvega, SAP, SOA Software, Sonic Software, Systinet, TIBCO, VeriSign, webMethods, and Others Refine WS-Conversation, WS-SecurityPolicy, and WS-Trust."

[July 14, 2005] An updated version of the Web Services Security Policy Language (WS-SecurityPolicy) specification has been released by IBM, Microsoft, RSA Security, and VeriSign. IBM and Microsoft have also announced that this WS-SecurityPolicy specification, together with Web Services Trust Language (WS-Trust) and Web Services Secure Conversation Language (WS-SecureConversation), will be submitted to OASIS for standardization in September 2005.

The WS-SecurityPolicy specification defines a set of security policy assertions which apply to Web Services Security: SOAP Message Security, WS-Trust, and WS-SecureConversation.

The July 2005 WS-SecurityPolicy Version 1.1 specification updates Version 1.0 released on December 18, 2002. It is characterized as a "public consultation draft release" appropriate for community evaluation and review; feedback on the specification is handled through the WS-* Workshop process under terms of a feedback license agreement.

According to the specification Introduction, WS-Policy "defines a framework for allowing web services to express their constraints and requirements. Such constraints and requirements are expressed as policy assertions. WS-SecurityPolicy defines a set of security policy assertions for use with the WS-Policy. It defines a base set of assertions that describe how messages are to be secured. Flexibility with respect to token types, cryptographic algorithms and mechanisms used, including using transport level security is part of the design and allows for evolution over time. The intent is to provide enough information for compatibility and interoperability to be determined by web service participants along with all information necessary to actually enable a participant to engage in a secure exchange of messages."

The WS-SecurityPolicy "is designed to work with the general Web Services framework, including WSDL service descriptions, UDDI businessServices and bindingTemplates and SOAP message structure and message processing model; WS-SecurityPolicy should be applicable to any version of SOAP. The current SOAP 1.2 namespace URI is used herein to provide detailed examples, but there is no intention to limit the applicability of this specification to a single version of SOAP."

WS-SecurityPolicy belongs to the family of modular "Composable Architecture" WS-* specifications. "By using the XML, SOAP and WSDL extensibility models, the WS-* specifications are designed to be composed with each other to provide a rich Web services environment. WS-SecurityPolicy by itself does not provide a complete security solution for Web services. WS-SecurityPolicy is a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of security models."

A second key specification to be submitted to OASIS is the Web Services Trust Language (WS-Trust). It "uses the secure messaging mechanisms of WS-Security to define additional primitives and extensions for the issuance, exchange and validation of security tokens. WS-Trust also enables the issuance and dissemination of credentials within different trust domains. In order to secure a communication between two parties, the two parties must exchange security credentials (either directly or indirectly). However, each party needs to determine if they can 'trust' the asserted credentials of the other party. WS-Trust defines extensions to WS-Security for issuing and exchanging security tokens and ways to establish and access the presence of trust relationships. Using these extensions, applications can engage in secure communication designed to work with the general Web Services framework, including WSDL service descriptions, UDDI businessServices and bindingTemplates, and SOAP messages."

The Web Services Secure Conversation Language (WS-SecureConversation) specification is "built on top of the WS-Security and WS-Policy models to provide secure communication between services. WS-Security focuses on the message authentication model but not a security context, and thus is subject to several forms of security attacks. WS-SecureConversation therefore defines mechanisms for establishing and sharing security contexts, and deriving keys from security contexts, to enable a secure conversation."
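To make "deriving keys from security contexts" concrete, the following Python is an added illustration written for this page; it is not code from the news item, from IBM or Microsoft, or from the specifications themselves. It follows the derivation the February 2005 WS-SecureConversation draft describes for wsc:DerivedKeyToken: the TLS P_SHA1 expansion over the label (default "WS-SecureConversation") concatenated with a nonce, with the key taken as a slice of that keystream selected by Offset or by Generation (offset = generation × length, default length 32 bytes). The context secret, nonce and message are constructed sample values, and the protect/verify pair is a simplified HMAC integrity check standing in for the spec's signature processing, not its actual encoding.

```python
import hashlib
import hmac
from typing import Optional

# Defaults named by the WS-SecureConversation 1.0 (February 2005) draft for wsc:DerivedKeyToken.
WSC_DEFAULT_LABEL = b"WS-SecureConversation"
WSC_DEFAULT_LENGTH = 32  # bytes of derived key when wsc:Length is absent


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 expansion (RFC 2246, section 5), reused by WS-SecureConversation.

    A(0) = seed, A(i) = HMAC-SHA1(secret, A(i-1))
    P_SHA1 = HMAC-SHA1(secret, A(1) + seed) || HMAC-SHA1(secret, A(2) + seed) || ...
    The stream is truncated to `length` bytes, so shorter outputs are prefixes of longer ones.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(context_secret: bytes, nonce: bytes, *,
               label: bytes = WSC_DEFAULT_LABEL,
               length: int = WSC_DEFAULT_LENGTH,
               offset: Optional[int] = None,
               generation: Optional[int] = None) -> bytes:
    """Derive one key from a security-context secret as wsc:DerivedKeyToken describes.

    keystream = P_SHA1(secret, label + nonce); key = keystream[offset : offset + length].
    wsc:Generation is shorthand for offset = generation * length; Offset and Generation
    are mutually exclusive in the token, so we reject both being given at once.
    """
    if offset is not None and generation is not None:
        raise ValueError("Offset and Generation are mutually exclusive")
    if generation is not None:
        offset = generation * length
    if offset is None:
        offset = 0
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    keystream = p_sha1(context_secret, label + nonce, offset + length)
    return keystream[offset:offset + length]


def protect(context_secret: bytes, nonce: bytes, message: bytes, generation: int = 0) -> dict:
    """Initiator side (simplified): derive a per-message key from the shared context and
    MAC the message with it. The nonce and generation are what the DerivedKeyToken would
    carry so the recipient can re-derive the same key; the context secret never travels."""
    key = derive_key(context_secret, nonce, generation=generation)
    mac = hmac.new(key, message, hashlib.sha1).digest()
    return {"nonce": nonce, "generation": generation, "message": message, "mac": mac}


def verify(context_secret: bytes, token: dict) -> bool:
    """Recipient side (simplified): re-derive the key from its own copy of the context
    secret plus the token's nonce/generation and check the MAC in constant time."""
    key = derive_key(context_secret, token["nonce"], generation=token["generation"])
    expected = hmac.new(key, token["message"], hashlib.sha1).digest()
    return hmac.compare_digest(expected, token["mac"])


def demo() -> dict:
    """Constructed scenario: both parties hold the same context secret; a tampered message
    and a foreign context must both fail verification."""
    secret = b"constructed-sample-context-secret-32"   # constructed, not a real SCT secret
    nonce = b"constructed-nonce-0001"                  # constructed sample nonce
    token = protect(secret, nonce, b"<Body>sample</Body>", generation=0)
    tampered = dict(token, message=b"<Body>tampered</Body>")
    return {
        "verified": verify(secret, token),
        "tampered_verified": verify(secret, tampered),
        "other_context_verified": verify(b"some other context secret", token),
        # Rekeying within one context: bumping the generation yields a fresh key.
        "gen0_key": derive_key(secret, nonce, generation=0).hex(),
        "gen1_key": derive_key(secret, nonce, generation=1).hex(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the example makes is the one the quoted passage gestures at: because each message key is derived from the context rather than being the context secret itself, a conversation can rotate keys (new nonce or generation) without a fresh token exchange, and a party lacking the context secret cannot produce or verify a valid MAC even when it sees the nonce and generation in the clear.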

The commitment to seek final standardization of the three WS-* security specifications is described as "a key action on completing the Web Services Security framework and Web Services Security roadmap that IBM and Microsoft created in 2002 to help the industry produce and implement a standards-based architecture that is comprehensive, yet flexible enough to meet the Web services security needs of businesses."

Bibliographic Information

  • Web Services Security Policy Language (WS-SecurityPolicy). Version 1.1. July 2005. 90 pages. Edited by Chris Kaler (Microsoft) and Anthony Nadalin (IBM). Copyright (c) 2001-2005 International Business Machines Corporation, Microsoft Corporation, RSA Security Inc., and VeriSign Inc. XML Namespace URI (RDDL): http://schemas.xmlsoap.org/ws/2005/07/securitypolicy. With XML Schema.

    Authors: Giovanni Della-Libera (Microsoft), Martin Gudgin (Microsoft), Phillip Hallam-Baker (VeriSign), Maryann Hondo (IBM), Hans Granqvist (VeriSign), Chris Kaler (Microsoft - Editor), Hiroshi Maruyama (IBM), Michael McIntosh (IBM), Anthony Nadalin (IBM - Editor), Nataraj Nagaratnam (IBM), Rob Philpott (RSA Security), Hemma Prafullchandra (VeriSign), John Shewchuk (Microsoft), Doug Walter (Microsoft), and Riaz Zolfonoon (RSA Security).

  • Web Services Trust Language (WS-Trust). February 2005. 68 pages. Edited by Martin Gudgin (Microsoft) and Anthony Nadalin (IBM). XML Namespace URI, a RDDL namespace document at http://schemas.xmlsoap.org/ws/2005/02/trust. See the XML Schema and WSDL. Copyright (c) 2001-2005 Actional Corporation, BEA Systems, Inc., Computer Associates International, Inc., International Business Machines Corporation, Layer 7 Technologies, Microsoft Corporation, Oblix Inc., OpenNetwork Technologies Inc., Ping Identity Corporation, Reactivity Inc., RSA Security Inc., and VeriSign Inc.

    Authors: Steve Anderson (OpenNetwork), Jeff Bohren (OpenNetwork), Toufic Boubez (Layer 7), Marc Chanliau (Computer Associates), Giovanni Della-Libera (Microsoft), Brendan Dixon (Microsoft), Praerit Garg (Microsoft), Martin Gudgin (Editor, Microsoft), Phillip Hallam-Baker (VeriSign), Maryann Hondo (IBM), Chris Kaler (Microsoft), Hal Lockhart (BEA), Robin Martherus (Oblix), Hiroshi Maruyama (IBM), Anthony Nadalin (Editor, IBM), Nataraj Nagaratnam (IBM), Andrew Nash (Reactivity), Rob Philpott (RSA Security), Darren Platt (Ping Identity), Hemma Prafullchandra (VeriSign), Maneesh Sahu (Actional), John Shewchuk (Microsoft), Dan Simon (Microsoft), Davanum Srinivas (Computer Associates), Elliot Waingold (Microsoft), David Waite (Ping Identity), Doug Walter (Microsoft), and Riaz Zolfonoon (RSA Security).

  • Web Services Secure Conversation Language (WS-SecureConversation). February 2005. 31 pages. Edited by Martin Gudgin (Microsoft) and Anthony Nadalin (IBM). Copyright (c) 2001-2005 Actional Corporation, BEA Systems, Inc., Computer Associates International, Inc., International Business Machines Corporation, Layer 7 Technologies, Microsoft Corporation, Oblix Inc., OpenNetwork Technologies Inc., Ping Identity Corporation, Reactivity Inc., RSA Security Inc., and VeriSign Inc. With XML Schema. See the RDDL namespace document at http://schemas.xmlsoap.org/ws/2005/02/sc.

    Authors: Steve Anderson (OpenNetwork), Jeff Bohren (OpenNetwork), Toufic Boubez (Layer 7), Marc Chanliau (Computer Associates), Giovanni Della-Libera (Microsoft), Brendan Dixon (Microsoft), Praerit Garg (Microsoft), Martin Gudgin (Editor, Microsoft), Satoshi Hada (IBM), Phillip Hallam-Baker (VeriSign), Maryann Hondo (IBM), Chris Kaler (Microsoft), Hal Lockhart (BEA), Robin Martherus (Oblix), Hiroshi Maruyama (IBM), Anthony Nadalin (Editor, IBM), Nataraj Nagaratnam (IBM), Andrew Nash (Reactivity), Rob Philpott (RSA Security), Darren Platt (Ping Identity), Hemma Prafullchandra (VeriSign), Maneesh Sahu (Actional), John Shewchuk (Microsoft), Dan Simon (Microsoft), Davanum Srinivas (Computer Associates), Elliot Waingold (Microsoft), David Waite (Ping Identity), Doug Walter (Microsoft), and Riaz Zolfonoon (RSA Security).

Commentary in Blogs

  • "New WS-SecurityPolicy published." From Martin Gudgin (Specification Editor, Microsoft). Musings from Gudge. July 13, 2005. "Much of the last year of my life has been spent working on the WS-SecurityPolicy spec, which was republished today. This version is significantly different from the previous one. Here are the highlights: (1) Formalized notion of a security binding; (2) Specific bindings for transport level security and both symmetric and asymmetric key based message level security; (3) Support for many different token types including federated tokens; (4) Mechanism for specifying additional tokens; (5) Support for specifying various WSS 1.0, WSS 1.1 and WS-Trust option..."

  • "WS-SecurityPolicy: il Bignami." By Vittorio Bertocci (Microsoft). From Vibro.NET 'Scatter thoughts'. July 14, 2005. "WS-SecurityPolicy is a very interesting specification. It really shows that it incorporated the feedback of people who actually used WS-Security: it addresses historical concerns like the order of operations, the role of the tokens (initiator rather than recipient), the protection of elements of the wsse:Security header... hey, it even acknowledges that sometimes the security may come from the transport! It gives up some 'mathematical' beauty in favor of a more immediate usage, at the price of a proliferation of the assertions. And it's clear from the property approach that it was designed also with the enforcing stage in mind, besides the checking one. However it got pretty thick, it's a 90 pg PDF: and some part of it is inevitably syntactic sugar.

    So I thought it could be useful to pull a Bignami out of it. 'Bignami' was (is?) a collection of small sub-pocket books, which covered the absolute essentials of various school subjects (Math, Latin, Italian, Physics...) and was especially handy before classworks. I have to warn you, in the shrinking effort I may leave out important things or simplify to the point of being wrong (despite Mr. Einstein's advice. BTW: I had the pleasure to have tea more than once with Mr. Trautman, he's an exquisite person); plus, here it's way past midnight and the usual drowsiness is already clouding my judgement :-) WS-SecurityPolicy describes an assertion framework which covers WSS, WS-Trust and WS-SecureConversation; however it can leverage security features of transport, too. Let's have a short summary of relevant sections..."

Document URI: http://xml.coverpages.org/ni2005-07-14-a.html
Robin Cover, Editor: robin@oasis-open.org