
Are there other projects for Web services security in the works besides WS-Security?

There is quite a bit of activity beyond WS-Security. Two Web services security specifications that have been recently released (version 1.0 with work continuing on their next version) are:
  • SAML: defines authentication, attribute and authorization assertions and is used as one of the tokens in WS-Security. It also has additional profiles, which define how to use it with HTTP and browsers.
  • XACML: an XML-based protocol for authorization. This defines a way to define access control down to the element level in an XML document. It is extensible by means of XSLT to other security protocols. One transform in the specification can be used to integrate XACML with SAML authorization assertions.
In April of last year IBM and Microsoft released a roadmap for Web security specifications, which you can find at the IBM or Microsoft web site. This roadmap lists a hierarchy of protocols to support Web services security of which WS-Security is the base. Work is ongoing on these specifications and it is anticipated that they will be sent to one of the standards consortia for independent release as a standard in due course. Three of the protocols on which some initial work has been completed are: (I'm using the descriptions from the Roadmap.)
  • WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules).
  • WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate.
  • WS-Privacy: will describe a model for how Web services and requesters state subject privacy preferences and organizational privacy practice statements.
Another three protocols from the same roadmap, which are somewhat further out, are:
  • WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys.
  • WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities.
  • WS-Authorization: will describe how to manage authorization data and authorization policies.
These higher-level protocols will be needed as Web services extend to more complex scenarios and general interaction over the Internet.
