Web Services Security Stack: the Big Picture
I mentioned earlier that the WS group tries to provide room for all other related technologies and specifications to fit together to deliver a bigger, allencompassing solution. To achieve this, the group proposes a security stack model, in which various areas fit together.
Figure 3 Web services security stack, as proposed by IBM/Microsoft.
From the initial SOAP extensions, WS Security proposes to cover business issues (such as trust, policy, and privacy) and to eventually encompass more complex areas such as secure conversations across Web services, trusted Web services federations, and authorization. While moving forward like this, WS will use the fundamental building blocks of Web services stack such as SOAP and WSDL. The corresponding initiatives will be named WS-Trust, WS Policy, etc.
The Microsoft/IBM white paper proposes to come out with initial specifications for the first four stacks (WS Security, WS Policy, WS Trust, and WS Privacy) before moving on to the next stack.
As of this writing, only WS Security specifications (in Figure 3, the block on the bottom) have been defined and submitted to OASIS. In the near future, we can expect other specifications to slowly emerge.