[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: WSS
Attached is a mail from Steve Anderson, who is one of the officers on the WSS OASIS TC. --------------------------------------------- Stephen Flinter Connect Global Solutions [t] +353 (0)1 882 9038 [f] +353 (0)1 882 9050 [m] +353 87 798 1228 [e] email@example.com [w] www.connectcgs.com -------------------------------------------- ----- Forwarded by Stephen Flinter/Connect on 18/09/2003 11:37 ----- "Steve Anderson" <sanderson@openne To: <Stephen.Flinter@connectcgs.com>, <firstname.lastname@example.org>, <email@example.com> twork.com> cc: Subject: RE: WSS 16/09/2003 15:54 I am involved in both the WSS TC and the SS TC (responsible for producing SAML), so I'll chime in here. Not being familiar with the work of your TC, I'll just take your statements about what you need at face value. Looks like you need to "secure" web service communications between a client and a provider. Fair enough. That is just what WSS aims to do. It describes how to apply XML Signature and XML Encryption to SOAP messages, and how to bind security tokens to those messages. In some ways, it does at the message layer what SSL does at the transport layer. Security tokens may express identity information, attribute information, authorization information, etc. SAML is one form of security token in this context, as are X.509 certificates, Kerberos tickets, username/password combinations, XrML licenses, and more that could be defined. So I wouldn't go so far as to say that BOTH WSS and SAML are required for your situation, but rather WSS and some set of (1 or more) token types (and that is still assuming you want to apply security at the message layer). As for WSS vs. WS-Security, some will focus on the distinctions and some won't. There was a document, WS-Security, that was written by Microsoft/IBM/VeriSign that lead to the formation of this WSS TC. We are making changes to the work from that document and producing a set of WSS-* documents, which will ultimately be designated as an OASIS standard. Hope this helps. -- Steve -----Original Message----- From: Stephen.Flinter@connectcgs.com [mailto:Stephen.Flinter@connectcgs.com] Sent: Tuesday, September 16, 2003 8:01 AM To: firstname.lastname@example.org; email@example.com; Steve Anderson Subject: WSS All, I am contacting you on behalf of the Translation-WS OASIS group (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trans-ws) regarding security. Currently we're examining the various options we have for securing the web service communication between the client and the service provider. I have been in touch with Eve Maler of the SAML group, and she suggested that I get in touch with your group also.