The security standards specify protection mechanisms for valuable Web Services. The main concerns for Web Services security are: message protection - how to make sure that the message contents are not read and/or written while going through the network or intermediate nodes; access control - which principals can access the service and when; and configuration flexibility - which security configuration should be applied for each service invocation.
| Standard | Reference | Status | Standards organization |
Sponsors |
|---|---|---|---|---|
| XML-Signature | [Eastlake02a] | standard | -- | |
| XML-Encryption | [Eastlake02b] | standard | -- | |
| XKMS (XML Key Management Specification) | [HallamBaker05] | standard 2.0 | -- | |
| XAdES (XML Advanced Electronic Signatures) | [Cruellas03] | standard | -- | |
| WS-Security 2004 | [Nadalin04] | standard 1.0 | ||
| WS-Security 2006 | -- | standard 1.1 | ||
| WS-SecurityPolicy | [Kaler05] | proposal 1.1 | ||
| SAML (Security Assertion Markup Language) | -- | standard 1.1 | -- | |
| SAML (Security Assertion Markup Language) | [Cantor04] | standard 2.0 | -- | |
| WS-Trust | [Gudgin05d] | proposal | -- | , ... |
| WS-SecureConversation | [Gudgin05c] | proposal | -- | , ... |
| WS-Federation | [Kaler03] | proposal | -- | , ... |
| REL (Rights Expression Language) | [DeMartini04] | proposal | -- | -- |
| XACML (XML ...) | [Moses05] | proposal | -- | -- |
XML-Signature and XML-Encryption are the two core cryptography standards
for XML documents dealing respectively with digital signatures
and content ciphering. XKMS is about cryptographic key management.
XAdES specifies advanced features like archiving and time-stamping
for XML digital signatures.
WS-Security states how to protect SOAP messages with
XML-Signature and XML-Encryption and how to
transport tokens in headers.
Security tokens are security-related data items,
like cryptographic keys, digital certificates, assertions, etc.
Tokens enable WS-Security to bind to existing security technologies,
like X.509 and Kerberos.
There are currently two WS-Security versions: 1.0 (2004) and 1.1 (2006).
1.1 extends 1.0's XML Schemas, correcting a few problems and adding
security tokens for Kerberos, SAML and REL.
WS-SecurityPolicy is a WS-Policy vocabulary for
specifying security policies.
SAML is a communications protocol and
a XML assertions format for the exchange of
authentication, authorization and attributes information
between different security domains.
WS-Trust defines a trust model for Web Services
based on STS (Security Token Services)
that perform trust brokering.
STSs can emit, renew and validate security tokens
enabling new trust relationships.
WS-SecureConversation specifies how to
establish a secure session
encompassing several messages,
using session keys
for more efficient and robust cryptography.
WS-Federation specifies service federations for
identity, attributes and authorization information
sharing between different trust domains.
REL addresses digital rights management for Web Services.
XACML specifies a flexible
authorization language for Web Services.
[Nadalin04]
Anthony Nadalin, C.K.,
Web Services Security: SOAP Message Security 1.0 (WS-Security 2004),
OASIS, IBM, Microsoft, Verisign, Sun,
2004
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
[HallamBaker05]
Baker, P.H. & Mysore, S.H.,
XML Key Management Specification (XKMS 2.0) Version 2.0,
W3C, Verisign,
2005
http://www.w3.org/TR/2005/REC-xkms2-20050628/
[Cantor04]
Cantor, S.; Kemp, J.; Philpott, R. & Maler, E.,
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0,
OASIS, Internet2, Nokia, RSA Security, Sun Microsystems,
2004
http://xml.coverpages.org/SAML-core-20-CD-01.pdf
[Cruellas03]
Cruellas, J.C.; Karlinger, G.; Pinkas, D. & Ross, J.,
XML Advanced Electronic Signatures (XAdES),
W3C, UPC, IAIK, Bull, Security and Standards,
2003
http://www.w3.org/TR/2003/NOTE-XAdES-20030220/
[DeMartini04]
DeMartini, T.; Nadalin, A.; Kaler, C.; Monzillo, R. & Baker, P.H.,
Web Services Security Rights Expression Language (REL) Token Profile,
OASIS, ContentGuard, Inc., IBM, Microsoft Corporation, Sun Microsystems, Verisign,
2004
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf
[Eastlake02b]
Eastlake, D. & Reagle, J.,
XML Encryption Syntax and Processing,
W3C,
2002
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/
[Eastlake02a]
Eastlake, D.; Reagle, J. & Solo, D.,
XML-Signature Syntax and Processing,
W3C,
2002
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
[Gudgin05c]
Gudgin, M. & Nadalin, A.,
Web Services Secure Conversation Language (WS-SecureConversation),
Microsoft, IBM, OpenNetwork, Layer 7, Computer Associates, VeriSign, BEA, RSA Security, Ping Identity, Actional, Computer Associates,
2005
http://www.ibm.com/developerworks/library/specification/ws-secon/
[Gudgin05d]
Gudgin, M. & Nadalin, A.,
Web Services Trust Language (WS-Trust),
Microsoft, IBM, OpenNetwork, Layer 7, Computer Associates, VeriSign, BEA, Oblix, Reactivity, RSA Security, Ping Identity, VeriSign, Actional,
2005
http://www.ibm.com/developerworks/library/specification/ws-trust/
[Housley99]
Housley, R.; Ford, W.; Polk, W. & Solo, D.,
Internet X.509 Public Key Infrastructure,
IEFT,
1999
http://www.ietf.org/rfc/rfc2459.txt
[IBM02]
IBM & Microsoft,
Security in a Web Services World: A Proposed Architecture and Roadmap Version 1.0,
IBM, Microsoft,
2002
http://www.ibm.com/developerworks/library/specification/ws-secmap/
[Kohl93]
J. Kohl, C.N.,
The Kerberos Network Authentication Service (V5),
IETF,
1993
http://www.ietf.org/rfc/rfc1510.txt
[Kaler05]
Kaler, C. & Nadalin, A.,
Web Services Security Policy Language (WS-SecurityPolicy) Version 1.1,
Microsoft, IBM, VeriSign, RSA Security,
2005
http://www.ibm.com/developerworks/library/specification/ws-secpol/
[Kaler03]
Kaler, C. & Nadalin, A.,
Web Services Federation Language (WSFederation) Version 1.0,
OASIS, Microsoft, IBM, VeriSign, BEA, RSA Security, VeriSign,
2003
http://www.ibm.com/developerworks/library/specification/ws-fed/
[Moses05]
Moses, T.,
eXtensible Access Control Markup Language (XACML) Version 2.0,
OASIS, Entrust,
2005
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
[Rescorla00]
Rescorla, E.,
HTTP Over TLS,
IETF,
2000
http://www.ietf.org/rfc/rfc2818.txt
[Schlimmer06]
Schlimmer, J.,
Web Services Policy Framework (WSPolicy) Version 1.2,
Microsoft, IBM, VeriSign, Sonic Software, SAP, BEA Systems,
2006
http://specs.xmlsoap.org/ws/2004/09/policy/ws-policy.pdf
[Schwarz05]
Schwarz, J.; Hartman, B.; Nadalin, A.; Kaler, C.; Davis, M.; Hirsch, F. & Morrison, K.S.,
Security Challenges, Threats and Countermeasures Version 1.0,
WS-I, Microsoft, IBM, Oracle, DataPower, Sarvega, Nokia Corporation, Layer 7,
2005
http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf