OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

trans-ws message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [trans-ws] RE: WSS

Let me add a few more thoughts to the discussion. (I've been lurking from 
the beginning.)

First, WSS SOAP Security -- the product of the WSS TC -- is now a Committee 
Specification. You should see a message from Karl Best in the next few days 
announcing its public review. Most people call WSS SOAP Security 
"WS-Security", which is the reason why Steve was a little fuzzy on the 
distinction between the two. You can retrieve the spec from here:

WS-Security is the primary SOAP security standard. It defines the SOAP 
header blocks used to convey security information such as digital 
signatures, encryption key information, and security tokens. As Steve said, 
a WS-Security header can carry many different types of security tokens, 
such as userid/password, SAML tokens, X.509 certs, and XrML licenses. The 
bindings for each of these types of tokens are described in complementary 
specifications. These binding specifications are still in draft form, 
though. For example:

Second, I don't think that this team needs to define a security scheme for 
the trans-ws standard. The whole point of developing WS-Security and the 
other WS-* specifications is to take security out of application and 
standards development and to put it into the hands of security administrators.

As part of your standard, you should define the logical operations that you 
want to expose and the schemas for the messages that you will exchange to 
accomplish those operations. In other words, you should be defining only 
<types>, <message>, and <portType> elements in your WSDL files. (SOAP 
headers -- used to pass security credentials -- are specified in the 
<binding> elements. You should not be defining <binding> elements, because 
bindings are specific to an implementation.) You should leave decisions 
about security to the folks that implement the standard. They should 
determine what authentication mechanisms they require for their services.

My recommendation is that you not define any security mechanism, but if you 
think it is a requirement for your specification, you might consider doing 
what the UDDI team did as a catch-all for authentication. They defined an 
optional authentication operation -- get_authToken. It is an 
application-level authentication process rather than message-level 
authentication process. See:

Third, most SOAP implementations support a variety of transport-level 
authentication mechanisms, such as HTTP Basic and HTTP Digest 
authentication, and SSL-based authentication using X.509 certs. An 
increasing number of SOAP implementations also support message-level 
authentication mechanisms using WS-Security. BEA, IBM, Microsoft, Systinet, 
and The Mind Electric currently support WS-Security. A number of add-on 
products, known as XML firewalls or Web services management frameworks, 
also support WS-Security. Examples are from AmberPoint, Confluent, Digital 
Evolution, Forum Systems, Layer 7, Reactivity, WestBridge, and Vordel.

Verisign announced that they would supply an open source implementation of 
WS-Security back in December, but I have not seen the code to date. Sam 
Ruby is initiating a project at Apache to develop one, but it's still in 
the formative stage.

Best regards,
Anne Thomas Manes

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]