Subject: [trans-ws] Draft specification: Security piece
Here is the security section.
This specification relies on the OASIS WS-Security standard to provide basic security during a web service transaction taking place between two or more parties. WS-Security provides end-to-end message-level security that achieves three goals:
(1) to provide message integrity, so that the parties involved can guarantee that the message was not modified while in transit through various routers. Tickets or certificates are passed using the XML Signature spec.
(2) to provide confidentiality over the message, so that the message information cannot be sniffed or read while passing through or in transit. Confidentiality is implemented using the XML Encryption spec. Specifically, WS-Security uses three tags: EncryptedData, EncryptedKey and ReferenceList.
(3) to provide a way to authenticate each party via security tokens such as username/password, Kerberos tickets or X.509 certificates. Username/password requires pre-knowledge of each other.
The default mechanism which this spec recommends is username/password over SSL.
The WS-Security specification provides several methods by which to secure communications. Two systems can conform to the WS-Security spec and still fail to authenticate each other if one system only supports, say, username/password while the other expects digital signatures. Consequently, this specification also recommends WS-SecurityPolicy to specify security policies that define what message integrity it supports, and/or which encryption algorithms it accepts regarding confidentiality.
[Optional] WS-Trust, WS-SecureConversation, WS-Federation, WS-Privacy, and WS-Authorization are not recommended for spec revision.