The Cover PagesThe OASIS Cover Pages: The Online Resource for Markup Language Technologies
SEARCH | ABOUT | INDEX | NEWS | CORE STANDARDS | TECHNOLOGY REPORTS | EVENTS | LIBRARY
SEARCH
Advanced Search
ABOUT
Site Map
CP RSS Channel
Contact Us
Sponsoring CP
About Our Sponsors
NEWS
Cover Stories
Articles & Papers
Press Releases
CORE STANDARDS
XML
SGML
Schemas
XSL/XSLT/XPath
XLink
XML Query
CSS
SVG
TECHNOLOGY REPORTS
XML Applications
General Apps
Government Apps
Academic Apps
EVENTS
LIBRARY
Introductions
FAQs
Bibliography
Technology and Society
Semantics
Tech Topics
Software
Related Standards
Historic
Created: April 06, 2007.
News: Cover StoriesPrevious News ItemNext News Item

WS-I Basic Security Profile Version 1.0 Published as Final Material.

Contents

The Web Services Interoperability Organization (WS-I) has announced the release of the Basic Security Profile Version 1.0 as Final Material. The Profile consists of a set of non-proprietary Web services specifications, along with clarifications to and amplifications of those specifications which promote interoperability. Publication of BSP 1.0 has been praised by Web Services security experts as a key enabling technology to enhance interoperability and improve security.

The Basic Security Profile Version 1.0 was produced by members of the WS-I Basic Security Profile Working Group, chaire by Paul Cotton. The Basic Security Profile Working Group was chartered to "develop an interoperability profile dealing with transport security, SOAP messaging security and other Basic-Profile-oriented Web services security considerations. The Working Group is developing and selecting a set of usage scenarios and their component message exchange patterns to guide the profiling work. In addition, the Basic Security Profile Working Group will use the WS-I Security Plan Framework, particularly its collection of usage scenarios and use cases, and the WS-I Work Plan for Web Services Security Interoperability as input to its work."

The WS-I Basic Security Profile "is an interoperability profile that addresses transport security, SOAP messaging security, and other security considerations for WS-I's Basic Profile 1.1, Simple SOAP Binding Profile 1.0, and Attachments Profile 1.0.

Specifically, the BSP 1.0 document focuses on the interoperability characteristics of two technologies: HTTP over TLS and Web Services Security: SOAP Message Security. HTTP over TLS is a point-to-point technology that protects the confidentiality of all information that flows over an HTTP connection. Web Services Security: SOAP Message Security provides security protection for SOAP messages and applies even when a message passes through several intermediary waypoints, allowing differing levels of protection for selected portions of a message.

The BSP 1.0 specification describes a way to apply SOAP Message Security to attachments. The BSP 1.0 also incorporates Web Services Security: Username Token Profile, Web Services Security: X.509 Certificate Token Profile, Web Services Security: Kerberos Token Profile, Web Services Security: SAML Token Profile, and Web Services Security: XRML Token Profile.

The WS-I Board of Directors approved the BSP 1.0 Final Material specification after receiving confirmation that five members demonstrated interoperability: IBM, Microsoft, Novell, Oracle, and SAP.

Background to the Security Challenges, Threats and Countermeasures Version 1.0 which defines the requirements for and scope of the Basic Security Profile. This document: (1) identifies security challenges, stated as general security goals or features that inform the selection of specific security requirements in scenarios; (2) identifies the typical threats that prevent accomplishment of each challenge; (3) identifies the typical countermeasures (technologies and protocols) used to mitigate each threat; (4) documents potential usage scenarios and the security challenges and threats that might apply to each — derived from the templates found in the Supply Chain Management Use Cases and WS-I Usage Scenarios documents.

Release of the was accompanied by a 2007-04-03 News Briefing "Industry Organization Discusses Secure and Interoperable Web Services and Unveils News on Profiles." Presenters included Michael Bechauf (WS-I Chairman and President), Paul Cotton (WS-I Basic Security Profile Working Group Chair), and Anne Thomas Manes (Vice President and Research Director, Burton Group). Description: "Secure Web Services are a critical requirement for many enterprises. However, until now, it has been impossible to have Web services that are both interoperable and secure. With multiple standards and a growing array of Web services security methods, it is becoming more difficult to ensure that service-to-service interactions are both interoperable and protected from the unscrupulous. That's why WS-I continues to make security a top priority in its efforts to promote greater Web services interoperability. At this briefing, the presenters discuss the mechanics of secure, interoperable Web services, provide news on WS-I Profiles, and insight into upcoming developments. An open Q&A session follows the conference."

WS-I work now continues within the Reliable Secure Profile Working Group, chaired by Bob Freund (Hitachi). According to the revised WG Charter of 2006-04-21, the Reliable Secure Profile Working Group (RSPWG) will develop the Reliable Secure Profile 1.0 (RSP) to provide interoperability guidance for the following specifications: OASIS WS-ReliableMessaging 1.1, OASIS WS-SecureConversation 1.3, and any normatively referenced specifications, such as IETF RFCs. Prior to commencing profile development, the Working Group will develop requirements and scenarios documents which clearly define interoperability issues that motivate profile guidance. The Working Group shall make every effort to provide for composition with Basic Profile 1.1, Attachments Profile 1.0, Simple SOAP Binding Profile 1.0, and the Basic Security Profiles 1.0 and 1.1. The Working Group shall also coordinate closely with the development of Basic Profile 1.2 and 2.0 and enable similar levels of composition with those profiles." The WS-I Reliable Secure Profile Working Group Usage Scenarios document (Working Group Draft as of 2007-04-05) defines interoperability scenarios that comprise the set of scenarios to be profiled in the RSP 1.0 profile.

BSP 1.0 Bibliographic Information

Basic Security Profile Version 1.0. Final Material. 2007-03-30. This version URI: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0-2007-03-30.html. Previous Version URI: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0-2007-02-20.html. Latest version URI: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html. Edited by Michael McIntosh (IBM), Martin Gudgin (Microsoft), K. Scott Morrison (Layer 7 Technologies, Inc), and Abbie Barbir (Nortel Networks). Administrative contact: secretary@ws-i.org. Copyright © 2002-2007 by The Web Services-Interoperability Organization (WS-I) and Certain of its Members. BSP 1.0 errata, if any, will be published. Feedback on this document should be directed to wsi_secprofile_comment@lists.ws-i.org.

Security Challenges, Threats, and Countermeasures Version 1.0. Final Material. Date: 2005/05/07. 48 pages. This version URI: http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0-20050507.doc. Latest version URI: http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.doc. Edited by Jerry Schwarz (Oracle), Bret Hartman (DataPower), Anthony Nadalin (IBM), Chris Kaler (Microsoft), Mark Davis (Sarvega), Frederick Hirsch (Nokia Corporation), and K. Scott Morrison (Layer 7 Technologies Inc). Copyright © 2002-2005 by The Web Services-Interoperability Organization (WS-I) and Certain of its Members. See the publication announcement.

Excerpts from WS-I Basic Security Profile 1.0

Profile Conformance. "Conformance to the Basic Security Profile 1.0 is defined by adherence to the set of requirements defined for a specific target, within the scope of the Profile. Requirements state the criteria for conformance to the Profile. They typically refer to an existing specification and embody refinements, amplifications, interpretations and clarifications to it in order to improve interoperability. All requirements in the Basic Security Profile 1.0 are considered normative, and those in the specifications it references that are in-scope should likewise be considered normative. When requirements in the Basic Security Profile 1.0 and its referenced specifications contradict each other, the Basic Security Profile 1.0's requirements take precedence for purposes of Profile conformance.

Conformance targets identify what artifacts (e.g., SOAP message, WSDL description, UDDI registry data) or parties (e.g., SOAP processor, end user) requirements apply to. This allows for the definition of conformance in different contexts, to assure unambiguous interpretation of the applicability of requirements, and to allow conformance testing of artifacts (e.g., SOAP messages and WSDL descriptions) and the behavior of various parties to a Web service (e.g., clients and service instances).

Claims of conformance to the Basic Security Profile 1.0 can be made using the following mechanisms, as described in Conformance Claim Attachment Mechanisms, when the applicable Profile requirements associated with the listed targets have been met. The conformance claim URI for the Basic Security Profile 1.0 is " http://ws-i.org/profiles/basic-security/1.0/core ", with the following exceptions, which are associated with specific sections:

  • Transport Layer Mechanisms - "http://ws-i.org/profiles/basic-security/1.0/transport"
  • Username Token - "http://ws-i.org/profiles/basic-security/1.0/username-token"
  • X.509 Certificate Token - "http://ws-i.org/profiles/basic-security/1.0/x.509-certificate-token"
  • REL Token - "http://ws-i.org/profiles/basic-security/1.0/rel-token"
  • Kerberos Token - "http://ws-i.org/profiles/basic-security/1.0/kerberos-token"
  • SAML Token - "http://ws-i.org/profiles/basic-security/1.0/saml-token"
  • Attachment Security - "http://ws-i.org/profiles/basic-security/1.0/swa"

If a claim of conformance is made as described in CCAM to Basic Security Profile 1.0 (" http://ws-i.org/profiles/basic-security/1.0/core "), then the claim MUST also specify which tokens, be they BSP profile tokens or other mutually agreed upon tokens, are supported. The conformance URI for transport level security ("http://ws-i.org/profiles/basic-security/1.0/transport") can be used in isolation or in combination with other conformance URIs...

Security topics. The principal Profile section titles include:

  • 3. Transport Layer Mechanisms: (RFC 2818: HTTP over TLS; RFC 2246: The TLS Protocol Version 1.0; The SSL Protocol Version 3.0)
  • 4. SOAP Nodes and Messages
  • 5. SecurityHeaders
  • 6. Timestamps
  • 7. Security Token References
  • 8. XML-Signature
  • 9. XML Encryption
  • 10. Binary Security Tokens
  • 11. Username Token
  • 12. X.509 Certificate Token
  • 13. REL Token
  • 14. Kerberos Token
  • 15. SAML Token
  • 16. Attachment Security
  • 17. Security Considerations

BSP Version 1.0 Guiding Principles. From Section 1.1: "The Profile was developed according to a set of principles that, together, form the philosophy of the Basic Security Profile 1.0, as it relates to bringing about interoperability. This section documents these guidelines...

  • No guarantee of interoperability: Although it is impossible to completely guarantee the interoperability of a particular service, the Basic Security Profile 1.0 attempts to increase interoperability by addressing the most common problems that implementation experience has revealed to date.

  • Focus profiling effort: The focus of the Basic Security Profile 1.0 is the specifications that are explicitly defined as in-scope for the Basic Security Profile 1.0. Other specifications are profiled to the minimal extent necessary to allow meaningful profiling of the scoped specifications. This allows an in-depth profile of the scoped specifications with reduced constraining of other specifications.

  • Application semantics: Although communication of application semantics can be facilitated by the technologies that comprise the Basic Security Profile 1.0, assuring the common understanding of those semantics is not addressed by it.

  • Testability: When possible, the Basic Security Profile 1.0 makes statements that are testable. However, such testability is not required. Preferably, testing is achieved in a non-intrusive manner (e.g., examining artifacts "on the wire"). Note: Due to the nature of cryptographic security, non-intrusive testing may not be possible.

  • Strength of requirements: The Profile makes strong requirements (e.g., MUST, MUST NOT) wherever feasible; if there are legitimate cases where such a requirement cannot be met, conditional requirements (e.g., MAY, SHOULD, SHOULD NOT) are used. Optional and conditional requirements introduce ambiguity and mismatches between implementations.

  • Restriction vs. relaxation: When amplifying the requirements of referenced specifications (including the Basic Profile 1.0), the Basic Security Profile 1.0 may restrict them, but does not relax them (e.g., change a MUST to a MAY).

  • Multiple mechanisms: If a referenced specification allows multiple mechanisms to be used interchangeably to achieve the same goal, the Basic Security Profile 1.0 selects those that are well-understood, widely implemented and useful. Extraneous or underspecified mechanisms and extensions introduce complexity and therefore reduce interoperability.

  • Future compatibility: When possible, the Basic Security Profile 1.0 aligns its requirements with in-progress revisions to the specifications it references. This aids implementers by enabling a graceful transition, and assures that WS-I does not 'fork' from these efforts. When the Basic Security Profile 1.0 cannot address an issue in a specification it references, this information is communicated to the appropriate body to assure its consideration.

  • Compatibility with deployed services: Backwards compatibility with deployed Web services is not a goal for the Basic Security Profile 1.0, but due consideration is given to it; the Profile does not introduce a change to the requirements of a referenced specification unless doing so addresses specific interoperability issues.

  • Focus on interoperability: Although there are potentially a number of inconsistencies and design flaws in the referenced specifications, the Basic Security Profile 1.0 only addresses those that affect interoperability.

  • Conformance targets: Where possible, the Basic Security Profile 1.0 places requirements on artifacts (e.g., WSDL descriptions, SOAP messages) rather than the producing or consuming software's behaviors or roles. Artifacts are concrete, making them easier to verify and therefore making conformance easier to understand and less error-prone.

  • Lower-layer interoperability: The Profile speaks to interoperability at the web-services layer only; it assumes that interoperability of lower-layer protocols (e.g. TCP, HTTP) and technologies (e.g. encryption and signature algorithms) is adequate and well-understood. WS-I does not attempt to assure the interoperability of these protocols and technologies as a whole. This assures that WS-I's expertise in and focus on Web Services standards is used effectively.

  • Do no harm: Interoperability of security technologies does not in and of itself ensure security, and the act of combining new technologies and protocols is especially susceptible to security threats. The profile takes steps to avoid introducing new security threats.

  • Best Practices: It is not the intent of the Basic Security Profile 1.0 to define security best practices. However, when multiple options exist, we may use known security weaknesses as a means of reducing choice and thus enhancing interoperability. The Basic Security Profile 1.0 will offer non-normative security considerations where the authors deem appropriate; however, these are by no means exhaustive and should not be perceived as a sanctioning of a security best practice.

  • Selected Errata Inclusion: The Basic Security Profile 1.0 restates selected requirements from the WS-Security Errata rather than including the entire Errata by reference, preferring interoperability over strict conformance.

From the WS-I Announcement

From the announcement 2007-04-03: "WS-I Publishes Basic Security Profile 1.0. Adds Security to Interoperable Web Services."

The Web Services Interoperability Organization (WS-I: www.ws-i.org) today announced the publication of the WS-I Basic Security Profile (BSP) 1.0 as final material for public access. BSP 1.0 is an essential guide for ensuring secure, interoperable Web services. The WS-I Basic Security Profile 1.0 builds on the work already completed in WSI's Basic Profile 1.1. BSP1.0 is available from the WS-I Web site, at:

     http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

"Publishing the WS-I Basic Security Profile 1.0 is a major step toward achieving WS-I's objective of advancing interoperability for secure Web services," said Michael Bechauf, chairman and president of WS-I. "I congratulate the many WS-I members who have worked to make BSP 1.0 a reality."

WS-I is an open industry organization whose members promote Web services interoperability across platforms, operating systems and programming languages.

"An interoperability profile offers valuable guidance to product implementers and application developers regarding the interpretation of a specification," said Anne Thomas Manes, research director and vice president, Burton Group. "A specification typically supports a broad set of requirements and offers a variety of options and approaches, but these options can lead to misinterpretation and result in interoperability challenges. An interoperability profile constrains the options and makes communication easier."

"Security is a concern to any organization operating in the Web services sphere," said Paul Cotton, Chair of the BSP Working Group. "The WS-I Basic Security Profile 1.0 provides a strong foundation for the development of secure, yet interoperable Web services. We in the Working Group are now working on BSP 1.1, which builds upon that strong foundation."

About WS-I

WS-I is an open, industry organization chartered to promote Web services interoperability across platforms, operating systems, and programming languages. The organization unites a diverse community of Web services companies to provide guidance, recommended practices and supporting resources for developing interoperable Web services. For more information, visit www.ws-i.org or email info@ws-i.org.

WS-I Members' Supporting Statements

IBM

"Security is very important to our customers as they develop and deploy Web services based solutions. The WS-I profiles are essential to ensuring that the combinations of these standards are implemented consistently," said Karla Norsworthy, Vice President, IBM Software Standards. "Our implementations of these profiles in IBM software products give customers the needed functionality and the assurance their solutions will work in a heterogeneous environment."

Microsoft

"Microsoft is pleased with the Web services interoperability that WS-I Basic Security Profile (BSP) 1.0 offers to the industry," said Jorgen Thelin, Senior Program Manager for Interoperability Standards, Connected Systems Division at Microsoft, and WS-I Board member. "The completion of BSP 1.0 will help drive the continuing adoption of OASIS WS-Security 1.0 and reinforce the integrity and confidentiality in Web services messaging."

Novell

"Novell is pleased to have participated in demonstrating the interoperability of the WS-I Basic Security Profile 1.0. We believe this profile will significantly advance the development of secure Web Services," said Vijay Rajan, Software Engineer Consultant, Novell.

Oracle

"With the increasing popularity of service-oriented architectures, it is critical for organizations to ensure their Web services are secure," said Prateek Mishra, director, Security Standards, Oracle. "We are pleased that the WS-I Basic Security Profile and its interoperability tests have been finalized, as they underscore Oracle's commitment to making it easier for organizations to implement and secure their service-oriented architectures across heterogeneous environments."

SAP

"The secure interoperation of Web Services is essential for a service-oriented architecture," said David Burdett, SAP Board member for WS-I. "The successful conclusion of interoperability tests carried out prior to declaring the Basic Secure Profile 1.0 as final material demonstrates SAP's commitment to building an open, standards-based platform with SAP NetWeaver."

Commentary on Basic Security Profile 1.0

  • "Web Services Security Document Published. WS-I Technology Backed by Microsoft, IBM, Oracle." By Paul Krill. From InfoWorld (April 03, 2007). "The Web Services Interoperability Organization (WS-I) announced publication of its WS-I Basic Security Profile 1.0, serving as a guide to enable secure, interoperable Web services. 'A specification typically supports a broad set of requirements and offers a variety of options and approaches, but these options can lead to misinterpretation and result in interoperability challenges. An interoperability profile constrains the options and makes communication easier', Anne Thomas Manes said; 'The profiles are intended to address interoperability challenges; the Basic Profile itself has been a help... it was an enormous godsend to the industry'. Five WS-I board members demonstrated interoperated interoperability with the security profile, including IBM, Microsoft, Novell, Oracle and SAP. The profile addresses transport security, SOAP messaging security and other security considerations for WS-I Basic Profile 1.1, Simple SOAP Binding Profile 1.0 and Attachments Profile 1.0. Featured is a focus on interoperability characteristics of HTTP over TLS (Transport Layer Security) and Web Services Security, and SOAP Message Security. HTTP over TLS is a point-to-point technology to protect confidentiality of information flowing over an HTTP connection. Web Services Security: SOAP Message Security provides security protection for SOAP messages. The security profile describes a way to apply SOAP Message Security to attachments. A multitude of technologies is incorporated into the profile, including X.509 Certificate Token Profile and Kerberos Token Profile. WS-I now is working on Reliable Secure Profile 1.0, which is intended to provide for guaranteed message delivery in the appropriate order. It is targeted for completion in the second half of this year. Also on the agenda is Basic Security Profile 1.1, which is based on the Web Services Security 1.1 specification. Basic Security Profile 1.1 is based on version 1.0 of that specification..."

  • "WS-I Posts Final Version of the Basic Security Profile 1.0." By Kelvin Lawrence (IBM). Blog. Wednesday April 04, 2007. "The Web Services Interoperability Organization (WS-I) has published the final version of the Basic Security Profile 1.0. In my opinion, WS-I profiles are a key part of achieving interoperability between Web Services implementations. If providers of tools (that people use to build Web Services) and runtimes (that people use to deploy Web Services) conform to and help people build, WS-I compliant Web Services, then this greatly enhances the likelihood that different Web Services will work well together. The Basic Security Pofile 1.0, which builds upon the WS-I Basic Profile (1.0 and 1.1) and and the Simple SOAP Binding Profile 1.0, makes recommendations on what to use (and what not to use) when working with various security standards while building secure Web Services..."

  • "WS-I Releases Basic Security Profile." By Tony Baer. From Computer Business Review Online (April 04, 2007). "According to Paul Cotton, WS-I Basic Security Profile working group chair, and group manager, web services standards and partners at Microsoft, the draft 1.0 release survived the comment stage with no changes... The Basic Security Profile has interoperability tests for Username, X.509, REL, Kerberos, and SAML tokens. It describes how interoperability for these protocols can be tested within the body of the SOAP message or inside SOAP attachments. The second scenario focuses on testing interoperability of so-called Transport-Level Security (TLS), which relies on HTTPS. This is a method that is already well-used, especially for direct connects between two parties. According to Cotton, it reflects the fact that some users may wish to connect to a web service using well-established web protocols and that you don't always require SOAP messages to connect to a web service. 'People didn't appreciate the fact that the working group actually came out and said that TLS is definitely a counter measure in some cases.' On the horizon, the working group is planning the next version of the profile to support the more recent WES-Security 1.1 version. 'The working group feels that it's technically complete,' said Cotton, adding, 'We need to get interoperability testing done inside WS-I to get it to move on. That work is being done by testing tools and sample apps working group. Obviously if they found bugs we might have to change it.' 'Given the small change between [versions] 1.0 and 1.1, that's not a very high probability,' said Cotton..."

  • "A Practical Guide to Safe And Easy Web Services." By Clint Boulton. From InternetNews.com (April 4, 2007). "... Many companies are considering using Web services but cannot build their own, and the lack of security, interoperability and management as part of a standards framework prohibits businesses from adopting them. WS-I, whose backers Microsoft, IBM, Oracle and others, has been working since 2002 to foment standards that make Web services practical. Burton Group analyst Anne Thomas Manes said BSP 1.0 builds on the Basic Profile 1.1 from WS-I and is designed to make Web services safe and practical over the Internet. The document focuses on the interoperability traits for HTTP over TLS and Web Services Security: SOAP Message Security. Manes said documents such as BSP 1.0 are necessary to remove some of the interoperability stumbling blocks developers run into: "One of the challenges we have with specifications is that specifications are designed to support a lot of different cases and offer a lot of different options; when you're a developer who's trying to implement a particular specification, sometimes it's hard to figure out how to interpret the specifics and the options supplied by a specification. That tends to lead to interoperability challenges." Profiles such as BSP 1.0, Manes said, are a strong indicator that a specification is ready for prime time. So where does WS-I's work fit into the evolving world of Web services standards? Manes said WS-I conceivably lays the groundwork for federation efforts such as Project Liberty's Web Services Framework, which allows business users to associate identity with a service. This would, for example, allow corporate employees to query colleagues' calendar services to schedule meetings..."

  • " New WS-I Profile Meshes SOA Security and Interoperability." By Rich Seeley. From SearchWebServices.com (April 04, 2007). "Since the millennium, the rap on Web services in general and SOAP in particular was that they were not secure, Anne Thomas Manes recalled. However, she said even before OASIS ratified WS-Security two years ago this month, it was possible to make SOAP secure. Making sure secure SOAP technology was interoperable with heterogeneous systems in a service-oriented architecture (SOA) environment is now a problem that BSP solves. She said one of the strengths of the profile is that it covers interoperability for WS-Security and SSL because to be on the safe side, she recommends that her clients use both. The problem of interoperability for SOAP security was not a trivial one, according to Prateek Mishra, director of security standards at Oracle Corp., which contributed to the WS-I profile. The challenge was that security technology has literally hundreds of configurations; people found that there was quite an issue with interoperability. Between partners using messaging middleware from different vendors it was very hard to interoperate without having a lot of agreements between them. And it's not a simple agreement. These agreements would be literally 15 pages of parameters. Web services developers using messaging middleware and tools that support BSP will not have to worry about all that paperwork, Mishra said. The WS-I profiles guide developers through the maze of options and help them implement a given standard in an interoperable manner, Manes said. She goes so far as to advise clients that in most cases they should not try to implement a standard until there is a profile available for it. Along with the new security profile, she recommends that developers look at all the WS-I profiles for the current standards. Paul Cotton, Basic Security Profile Working Group chair, also recommends that Web services developers read the "Security Challenges, Threats and Countermeasures Version 1.0" document his group developed as their first step in creating BSP. "This document was the first thing the working group actually did to analyze what the challenges were that could be presented against Web services, how those manifested as actual threats and what set of counter measures existed out in the technology sphere that could actually be used by Web services developers to handle those threats," Cotton said. "This is a very good introduction. Many people that write to me and ask questions about the security profile often find that their general questions are answered by the Security Challenges document'..."

About the WS-I Basic Security Profile Working Group

According to its Charter statement, the WS-I Basic Security Profile Working Group was formed to "develop an interoperability profile dealing with transport security, SOAP messaging security, and other Basic Profile-oriented security considerations of Web services. The group will develop and select a set of usage scenarios and their component message exchange patterns (MEPs) to guide the profiling work. The Basic Security Profile group will use the WS-I Security Plan Framework document, particularly its collection of usage scenarios and use cases, and the WS-I Work Plan for Web Services Security interoperability as input to its work..."

Deliverables from the Basic Security Profile Working Group: The Basic Security Profile Working Group is developing an interoperability profile dealing with transport security, SOAP messaging security, and other Basic-Profile-oriented Web services security considerations.

The Working Group is developing and selecting a set of usage scenarios and their component message exchange patterns to guide the profiling work. In addition, the Basic Security Profile Working Group will use the WS-I Security Plan Framework, particularly its collection of usage scenarios and use cases, and the WS-I Work Plan for Web Services Security Interoperability as input to its work.

WS-I is an open industry organization chartered to promote Web services interoperability across platforms, operating systems and programming languages. The organization's diverse community of Web services leaders helps customers to develop interoperable Web services by providing guidance, recommended practices and supporting resources. All companies interested in promoting Web services interoperability are encouraged to join the effort.

Specifically, WS-I creates, promotes and supports generic protocols for the interoperable exchange of messages between Web services. In this context, 'generic protocols' are protocols that are independent of any action indicated by a message, other than those actions necessary for its secure, reliable and efficient delivery, and interoperable means suitable for multiple operating systems and multiple programming languages.
Hosted By
OASIS - Organization for the Advancement of Structured Information Standards

Sponsored By

IBM Corporation
ISIS Papyrus
Microsoft Corporation
Oracle Corporation

Primeton

XML Daily Newslink
Receive daily news updates from Managing Editor, Robin Cover.

 Newsletter Subscription
 Newsletter Archives
Bottom Globe Image

Document URI: http://xml.coverpages.org/ni2007-04-06-a.html  —  Legal stuff
Robin Cover, Editor: robin@oasis-open.org