WS-* Security Standards: Too Much Of A Good Thing? - InformationWeek


10:37 AM
Andy Dornan

WS-* Security Standards: Too Much Of A Good Thing?

The foundations are complete, but the higher levels are still works in progress.

The SOA world enjoys a, let's say, overabundance of standards, with the Web Services (WS-*) stack in particular seeming to grow continuously to encompass every possible SOAP use case. However, relatively few standards are specifically designed for security, and those that are all build on top of one another. The foundations are now complete and mature, but the higher levels are still works in progress.

  • WS-Security 1.1. Describes how XML Encryption and XML Signature can be applied to SOAP documents or messages. Supported by all vendors and used by all other WS-* standards involving security. The latest version, published in February 2006, will likely be the last, as future enhancements will be included in other standards.
  • WS-SecurityPolicy 1.2. Specifies who is allowed to access a service and how, and restricts the kinds of authentication methods allowed and/or the level of encryption required. It is a subset of WS-Policy, a more general way of expressing a service's capabilities and limitations. Developed by IBM and Microsoft, WS-SecurityPolicy was officially standardized in July 2007 and will eventually be supported by all vendors.
  • WS-SecureConversation 1.3. A means of implementing the policies expressed in WS-SecurityPolicy using WS-Security. The standard was ratified in March 2007, at which point IBM and Sun demonstrated implementations. Other vendors, including Actional, BEA Systems, Cisco, Computer Associates, Layer 7 Technologies, Oracle, Reactivity, RSA Security, and VeriSign, have also pledged support, though few customers are using it at present.
  • WS-Trust 1.3. Uses WS-Security to transfer security tokens, such as passwords, digital certificates and SAML assertions. Non-SOAP Web services have a partial equivalent in XKMS (XML Key Management Specification) and SAML.
  • WS-Federation 1.1. Uses the security tokens transferred in WS-Trust to authenticate to Web services, according to the service's rules as described in WS-SecurityPolicy. Not yet widely used, as SAML provides much of the same functionality. Its main advantage over SAML is Windows support and tight integration with the WS-* stack.

Photograph by Tim Flach/Stone/Getty Images
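
To make the WS-Security entry above concrete, the following added example (not part of the original article) parses a constructed SOAP message and reports which parts its `wsse:Security` header references with XML Signature and whether the body carries XML Encryption. The function name `summarize` and the sample message are assumptions made for illustration; the check is structural and verifies no digest or signature value.

```python
import xml.etree.ElementTree as ET

NS = {  # namespaces of SOAP 1.1, WS-Security, XML Signature and XML Encryption
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())

# Constructed sample message; token, digest and signature values are omitted.
SAMPLE = f"""<soap:Envelope {XMLNS}>
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2007-07-01T00:00:00Z</wsu:Created></wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="cert-1">constructed</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#ts-1"/><ds:Reference URI="#body-1"/>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body-1"><xenc:EncryptedData/></soap:Body>
</soap:Envelope>"""

def summarize(envelope_xml):
    """Report what a message's WS-Security header claims to sign and encrypt.
    Structural check only: no digest or signature value is verified here."""
    root = ET.fromstring(envelope_xml)  # sample is trusted; harden parsing for real input
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    out = {"tokens": [], "signed": [], "unresolved": [],
           "body_signed": False, "body_encrypted": False}
    if body is not None:
        out["body_encrypted"] = body.find("xenc:EncryptedData", NS) is not None
    if sec is None:
        return out
    out["tokens"] = [c.tag.split("}")[1] for c in sec if c.tag.startswith("{" + NS["wsse"])]
    ids = {}  # wsu:Id value -> every element carrying it
    for el in root.iter():
        if WSU_ID in el.attrib:
            ids.setdefault(el.attrib[WSU_ID], []).append(el)
    for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        targets = ids.get(uri[1:], []) if uri.startswith("#") else []
        if len(targets) == 1:  # exactly one element may answer to a signed Id
            out["signed"].append(targets[0].tag.split("}")[1])
            out["body_signed"] = out["body_signed"] or targets[0] is body
        else:  # missing, external or ambiguous reference
            out["unresolved"].append(uri)
    return out
```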
