Ask The Security Expert: Questions & Answers

Are there other projects for Web services security in the works beside WS-Security?

EXPERT RESPONSE FROM: Donald Flinn

QUESTION POSED ON: 15 July 2003
There is quite a bit of activity beyond WS-Security. Two Web services security specifications that have been recently released (version 1.0 with work continuing on their next version) are:
  • SAML: defines authentication, attribute and authorization assertions and is used as one of the tokens in WS-Security. It also has additional profiles, which define how to use it with HTTP and Browsers.
  • XACML: an XML-based protocol for authorization. This defines a way to define access control down to the element level in an XML document. It is extensible by means of XSLT to other security protocols. One transform in the specification can be used to integrate XACML with SAML authorization assertions.
In April of last year IBM and Microsoft released a roadmap for Web security specifications, which you can find at the IBM or Microsoft web site. This roadmap lists a hierarchy of protocols to support Web services security, of which WS-Security is the base. Work is ongoing on these specifications and it is anticipated that they will be sent to one of the standards consortia for independent release as a standard in due course. Three of the protocols on which some initial work has been completed are (I'm using the descriptions from the Roadmap):
  • WS-Policy: will describe the capabilities and constraints of the security (and other business) policies on intermediaries and endpoints (e.g. required security tokens, supported encryption algorithms, privacy rules).
  • WS-Trust: will describe a framework for trust models that enables Web services to securely interoperate.
  • WS-Privacy: will describe a model for how Web services and requesters state subject privacy preferences and organizational privacy practice statements.
Another three protocols from the same roadmap, which are somewhat further out, are:
  • WS-SecureConversation: will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys.
  • WS-Federation: will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities.
  • WS-Authorization: will describe how to manage authorization data and authorization policies.
These higher-level protocols will be needed as Web services extends to more complex scenarios and general interaction over the Internet.

