1. What is the rationale behind this standardization effort? What is the motivation of the sponsors/authors?
Web Services represent data using XML [1] and transmit it by means of SOAP [2]. Many applications which use SOAP have requirements for security services. However, existing security mechanisms do not provide all the capabilities required of these services in a SOAP/XML environment: transport-level protection such as TLS covers only the hop between two adjacent nodes, whereas a SOAP message may pass through intermediaries and needs protection that travels with the message itself and can be applied selectively to parts of it.
2. What is the scope of this effort? What is explicitly out-of-scope, and why?
The scope is message protection in a SOAP environment, specifically authentication, data integrity and data confidentiality. The specification enables these services by introducing the abstraction of a Security Token, specifying how tokens can be carried in band within the SOAP header, and providing a mechanism for referencing both in-band and out-of-band tokens. Other security services, such as authorization and audit trail, are out of scope.
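As an added illustration of an in-band token (example code written for this page, not text or reference code from the OASIS WSS TC), the following Python builds a SOAP 1.1 envelope whose wsse:Security header carries a UsernameToken in the PasswordDigest form defined by the WSS UsernameToken Profile, then performs the receiver-side checks a practitioner should expect: a freshness window on wsu:Created, a nonce replay cache, and a constant-time comparison of the recomputed digest. The namespace URIs are the real OASIS ones; the user name, password, nonce, timestamp and SOAP body are constructed sample values, and the in-memory set is an assumed stand-in for whatever replay store a real service would use.

```python
"""WS-Security UsernameToken (PasswordDigest) round trip with receiver-side checks.

Added example, not code from the OASIS WSS specification or TC.
Digest formula from the WSS UsernameToken Profile:
    Password_Digest = Base64(SHA-1(nonce + created + password))
where nonce is the raw nonce bytes (before base64 encoding).
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Real OASIS WSS 1.0 namespace and ValueType URIs.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_B64 = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce || created || password)); returns 28 ASCII chars."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_envelope(username: str, password: str, body_xml: str,
                   nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    """Sender side: SOAP 1.1 envelope with a wsse:Security header holding the token."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)

    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    # mustUnderstand="1": a receiver that cannot process the header must fault.
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST})
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": NONCE_B64})
    n.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text: str, passwords: Dict[str, str], seen_nonces: Set[bytes],
                    now: Optional[datetime] = None,
                    max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Receiver side: digest form only, fresh Created, unseen nonce, matching digest."""
    root = ET.fromstring(xml_text)
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return False
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce_el = tok.find(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if username not in passwords or pw is None or nonce_el is None or created is None:
        return False
    if pw.get("Type") != PASSWORD_DIGEST:
        return False  # refuse PasswordText (cleartext) tokens outright
    try:
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    now = now or datetime.now(timezone.utc)
    if abs(now - created_dt) > max_skew:
        return False  # stale or far-future timestamp: cheap replay defence
    nonce = base64.b64decode(nonce_el.text or "")
    if nonce in seen_nonces:
        return False  # exact replay within the freshness window
    expected = password_digest(nonce, created, passwords[username])
    if not hmac.compare_digest(expected, pw.text or ""):
        return False
    seen_nonces.add(nonce)  # only remember nonces that actually verified
    return True


def demo() -> dict:
    """Round trip on constructed sample data (not real credentials)."""
    created = "2005-04-01T12:00:00Z"
    now = datetime(2005, 4, 1, 12, 0, 30, tzinfo=timezone.utc)
    nonce = bytes(range(16))
    creds = {"alice": "correct horse battery"}
    env = build_envelope("alice", creds["alice"], "<ping xmlns='urn:example'/>",
                         nonce=nonce, created=created)
    seen: Set[bytes] = set()
    return {
        "envelope": env,
        "accepted": verify_envelope(env, creds, seen, now=now),
        "replay_rejected": not verify_envelope(env, creds, seen, now=now),
        "wrong_password_rejected": not verify_envelope(env, {"alice": "nope"}, set(), now=now),
        "stale_rejected": not verify_envelope(env, creds, set(), now=now + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The digest proves only that the sender knew the password for this nonce and timestamp; it gives neither integrity for the SOAP body nor confidentiality, which in WS-Security come from XML Signature and XML Encryption over the message, or from TLS where hop-by-hop protection suffices.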
3. Are there existing comparable or overlapping standards, or comparable standardization efforts currently under way (inside or outside OASIS)? How does the work of this technical committee relate to these? What distinguishes this TC from similar work? How do the differences add value?
Transport Layer Security [3] (TLS) and IP Security [4] (IPsec) can be used to provide some of the same services as WS-Security, but both protect the transport connection rather than the SOAP message: their protection ends at each hop, cannot be applied selectively to individual parts of a message, and does not survive storage or forwarding by intermediaries. There are no existing or under-development standards which provide these message-level capabilities.
4. Is the product of this technical committee intended to be used in conjunction with other standards or complementary technologies? What are these? How does this work relate to these (is the usage of these complements mandatory? optional? restricted or profiled?)
WS-Security is intended to be used in a SOAP messaging environment. It is not applicable to other environments.
It is compatible with other Web Services standards, but their use is not required. Nor is the use of WS-Security required by other non-security Web Service standards. Depending on application requirements, security may not be required, or alternative security mechanisms may be used.
On the other hand, a number of other security-related Web Services specifications build on and extend WS-Security. Examples include WS-Trust and WS-SecureConversation.
WS-Security depends on the use of a number of other security standards which it explicitly references. These include XML Digital Signature [5], XML Encryption [6], X.509 PKI [7], Kerberos [8], OASIS SAML [9], ISO/IEC MPEG REL [10] and IETF MIME [11].
5. Can you give some example of concrete applications that will benefit from standardizing the specifications from this TC?
Any Web Services application which requires message protection would benefit. E-commerce applications are a prominent example.
6. Is it anticipated that TC deliverables will be broadly used,
deployed, and/or implemented? Or are the deliverables intended for a
narrow audience, possibly including only the TC membership?
WS-Security is already being broadly used.
7. Do you see external factors that should help a broad
acceptance and deployment of the specifications from this TC? And
factors that may potentially hinder a broad acceptance and deployment?
The use of Web Services for applications where security services are
required will tend to drive the use of WS-Security. Where security
requirements are less complex, alternatives such as TLS may be used
instead.
8. Do you know of companies or industry verticals that have already
expressed interest in using the specification(s) produced by the TC in
their products or services?
Most organizations which specify the use of Web Services identify
WS-Security as the appropriate security standard.
9. Regarding the adoption of this specification(s) by a vendor for its products: is this a decision that vendor companies can make individually, or are the interoperability aspects important enough to require industry-wide, coordinated adoption?
Dozens of vendors have already implemented WS-Security. The benefits of WS-Security require that different products interoperate; interoperable implementations have been available for several years.
10. Have the authors and their companies considered further ways to
promote the produced specification(s) after completion (PR, marketing,
campaigns, industry consortia....)
WS-Security is being promoted as a part of the promotion of the use of
Web Services in general. The OASIS WSS TC sponsored an Interoperability
Demonstration at the Gartner Conference in April of 2005.
11. What are the security implications, if any, of this effort?
WS-Security is intended to increase the security of SOAP messages passing over a network by protecting them at the message level rather than only on the transport connection. The protection actually obtained depends on the token profiles and options a deployment selects: the specification defines mechanisms, not a single mandatory level of protection.
12. What new features are in WS-Security 1.1?
WS-Security 1.1 includes the following new features:
- Encrypted SOAP Header (an EncryptedHeader element, so that an entire SOAP header block, including its attributes, can be encrypted rather than only its contents)
- Token Reference to Encrypted Key (an xenc:EncryptedKey can be referenced as a security token, so a key conveyed in one message can be reused in later messages)
- Signature Confirmation (a SignatureConfirmation element by which a responder echoes the signature value from the request, so the requester can confirm the response was produced for its signed request)
- Password-based Key Derivation (a key derived from a UsernameToken password, so the token can also be used for signing and encryption)
- Thumbprint References (referencing an X.509 certificate by the SHA-1 thumbprint of the certificate instead of carrying it in band)
In addition, the text has been updated with errata and clarifications. Also the Attachments Profile and the Kerberos Token Profile are published for the first time.