Web Service Security Architectures Part II
In my previous article, I highlighted the difficulty in evolving common Web services security architectures using two different Web services interaction scenarios as illustrations. In this last article in this series, we look at WS Security-related initiatives, a major architecture effort initially propounded by Microsoft, IBM, and Verisign that has now been submitted to OASIS to become an industry standard.
What Are WS Security Initiatives?
In its present form, WS Security is a specification that defines a set of standard SOAP extensions (or SOAP message headers) to incorporate security information and mechanisms. In other words, WS Security is an attempt to push XML security technologies such as XML encryption and XML digital signatures into the Web services realm by incorporating them within SOAP messages.
The previous article said that incorporating security information within a SOAP header provides flexibility and a uniform security abstraction layer. The WS Security specification fortunately embraces existing standards (such as the XML encryption and XML digital signature specifications by various bodies and consortia) while proposing these extensions. The specifications stand independent of implementation specifics such as PKI and Kerberos.
What makes the WS initiative even more interesting is that it proposes a roadmap for specifications that are yet to come, covering areas of broader scope such as security policy, privacy, trust, messaging, and federations. In other words, the WS initiative tries to define a very broad canvas for all existing security technologies, as well as those that are going to emerge in the future, to fit in.
This article first looks at the standard SOAP extensions defined by WS Security and then discusses the broader perspectives it attempts to embrace down the line.