
Subject: Updated FAQ 1.2


1. Fixed format.
2. Fixed typo.
3. Added new question & answer about WSS 1.1.

Hal
Title: WSS TC FAQ
1. What is the rationale behind this standardization effort? What is the motivation of the sponsors/authors?

Web Services represent data using XML[1] and transmit it by means of SOAP[2]. Many applications which use SOAP have requirements for security services. However, existing security mechanisms do not provide all the capabilities required of these services in a SOAP/XML environment.

2. What is the scope of this effort? What is explicitly out-of-scope, and why?

The scope is message protection in a SOAP environment, specifically Authentication, Data Integrity and Data Confidentiality. It also enables these services by introducing the abstraction of a Security Token, specifying how Tokens can be distributed in band, and providing a mechanism for referencing both in-band and out-of-band Tokens. Other security services, such as Authorization and Audit Trail, are out of scope.
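To make the in-band/out-of-band distinction concrete, here is an added example (not part of the FAQ or of the WSS specifications) that walks a wsse:Security header and resolves each SecurityTokenReference either to a BinarySecurityToken carried in the same header or to a token the receiver already holds out of band, rejecting references that resolve to neither. The sample envelope, its placeholder token values and the OUT_OF_BAND store are constructed for this example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
NS = {"S": SOAP, "wsse": WSSE, "wsu": WSU}
WSU_ID = f"{{{WSU}}}Id"

# Constructed sample (not from the spec): one X.509 token carried in band, one direct reference
# to it, and one KeyIdentifier naming a token held out of band. Token values are placeholders.
SAMPLE = f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <S:Header><wsse:Security>
    <wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="{X509}#X509v3">PLACEHOLDER-CERT</wsse:BinarySecurityToken>
    <wsse:SecurityTokenReference wsu:Id="str-inband">
      <wsse:Reference URI="#X509Token" ValueType="{X509}#X509v3"/></wsse:SecurityTokenReference>
    <wsse:SecurityTokenReference wsu:Id="str-outofband">
      <wsse:KeyIdentifier ValueType="{X509}#X509SubjectKeyIdentifier">SKI-PLACEHOLDER</wsse:KeyIdentifier></wsse:SecurityTokenReference>
  </wsse:Security></S:Header><S:Body/>
</S:Envelope>"""

# Hypothetical receiver-side store of out-of-band tokens, keyed by subject key identifier.
OUT_OF_BAND = {"SKI-PLACEHOLDER": "trusted-cert-from-local-store"}

def resolve_token_references(envelope_xml, out_of_band_store):
    """Map each SecurityTokenReference wsu:Id to (mode, token); reject dangling references."""
    root = ET.fromstring(envelope_xml)  # stdlib expat does not fetch external entities
    security = root.find("S:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header present")
    in_band = {t.get(WSU_ID): (t.text or "").strip()
               for t in security.findall("wsse:BinarySecurityToken", NS)}
    resolved = {}
    for str_el in security.findall("wsse:SecurityTokenReference", NS):
        str_id = str_el.get(WSU_ID)
        ref = str_el.find("wsse:Reference", NS)
        kid = str_el.find("wsse:KeyIdentifier", NS)
        if ref is not None:  # direct reference: must resolve to a token in this header
            uri = ref.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in in_band:
                raise ValueError(f"{str_id}: {uri!r} does not name an in-band token")
            resolved[str_id] = ("in-band", in_band[uri[1:]])
        elif kid is not None:  # key identifier: look the token up out of band
            key = (kid.text or "").strip()
            if key not in out_of_band_store:
                raise ValueError(f"{str_id}: unknown key identifier")
            resolved[str_id] = ("out-of-band", out_of_band_store[key])
        else:
            raise ValueError(f"{str_id}: unsupported reference form")
    return resolved
```

A receiver that silently skipped an unresolvable reference would later verify a signature or decrypt a key against no token at all, so the function fails closed instead.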

3. Are there existing comparable or overlapping standards, or comparable standardization efforts currently under way (inside or outside OASIS)? How does the work of this technical committee relate to these? What distinguishes this TC from similar work? How do the differences add value?

Transport Layer Security[3] (TLS) and IP Security[4] (IPSec) can be used to provide some of the same services as WS-Security, but there are no existing or in-development standards which provide the same capabilities.

4. Is the product of this technical committee intended to be used in conjunction with other standards or complementary technologies? What are these? How does this work relate to these (is the usage of these complements mandatory? optional? restricted or profiled?)

WS-Security is intended to be used in a SOAP messaging environment. It is not applicable to other environments.

It is compatible with other Web Services standards, but their use is not required. Nor is the use of WS-Security required by other non-security Web Service standards. Depending on application requirements, security may not be required, or alternative security mechanisms may be used.

On the other hand, a number of other security-related Web Services specifications build on and extend WS-Security. Examples include: WS-Trust and WS-Secure Conversation.

WS-Security depends on the use of a number of other security standards which it explicitly references. These include XML Digital Signature[5], XML Encryption[6], X.509 PKI[7], Kerberos[8], OASIS SAML[9], ISO/IEC MPEG REL[10] and IETF MIME[11].

5. Can you give some examples of concrete applications that will benefit from standardizing the specifications from this TC?

Any Web Services Application which requires message protection would benefit. E-commerce applications are a prominent example.

6. Is it anticipated that TC deliverables will be broadly used, deployed, and/or implemented? Or are the deliverables intended for a narrow audience, possibly including only the TC membership?

WS-Security is already being broadly used.

7. Do you see external factors that should help a broad acceptance and deployment of the specifications from this TC? And factors that may potentially hinder a broad acceptance and deployment?

The use of Web Services for applications where security services are required will tend to drive the use of WS-Security. Where security requirements are less complex, alternatives such as TLS may be used instead.

8. Do you know of companies or industry verticals that have already expressed interest in using the specification(s) produced by the TC in their products or services?

Most organizations which specify the use of Web Services identify WS-Security as the appropriate security standard.

9. Regarding the adoption of this specification(s) by a vendor for its products: is this a decision that vendor companies can make individually, or are the interoperability aspects important enough to require industry-wide, coordinated adoption?

Dozens of vendors have already implemented WS-Security. The benefits of WS-Security require that different products interoperate; this has been the case for several years.

10. Have the authors and their companies considered further ways to promote the produced specification(s) after completion (PR, marketing, campaigns, industry consortia...)?

WS-Security is being promoted as a part of the promotion of the use of Web Services in general. The OASIS WSS TC sponsored an Interoperability Demonstration at the Gartner Conference in April of 2005.

11. What are the security implications, if any, of this effort?

WS-Security is intended to increase the security of SOAP messages passing over a network.

12. What new features are in WS-Security 1.1?

WS-Security 1.1 includes the following new features:
In addition, the text has been updated with errata and clarifications. Also, the Attachments Profile and the Kerberos Token Profile are published for the first time.

[1] Extensible Markup Language (XML) 1.0 (Third Edition), W3C Recommendation, 4 February 2004, François Yergeau, Tim Bray, Jean Paoli, C. M. Sperberg-McQueen, Eve Maler

[2] W3C Note, "SOAP: Simple Object Access Protocol 1.1," 08 May 2000. W3C Recommendation, http://www.w3.org/TR/2003/REC-soap12-part1-20030624/, 24 June 2003

[3] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.

[4] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[5] W3C Recommendation, "XML Signature Syntax and Processing," 12 February 2002

[6] W3C Working Draft, "XML Encryption Syntax and Processing," 04 March 2002

[7] S. Santesson, et al., "Internet X.509 Public Key Infrastructure Qualified Certificates Profile," http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.509-200003-I

[8] J. Kohl and C. Neuman, "The Kerberos Network Authentication Service (V5)," RFC 1510, September 1993, http://www.ietf.org/rfc/rfc1510.txt.

[9] OASIS Standard, E. Maler, P. Mishra, and R. Philpott (Editors), Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V1.1, September 2003. OASIS Standard, S. Cantor, J. Kemp, R. Philpott, E. Maler (Editors), Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005.

[10] ISO/IEC 21000-5:2004, "Information technology -- Multimedia framework (MPEG-21) -- Part 5: Rights Expression Language," http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=36095&ICS1=35&ICS2=40&ICS3=

[11] "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", IETF RFC 2045, November 1996, http://www.ietf.org/rfc/rfc2045.txt.
