New SOAP Specs Refine Security
Microsoft and IBM were the main backers behind six new specification drafts released last month that provide more sophisticated Web services security. WS-Trust (Web Services Trust) provides a challenge-response-based framework for exchanging security identifiers between a Web services client and server and for third-party authentication servers to arbitrate this process. WS-SecureConversation describes how a Web services client and server can exchange encryption keys, which can then be used to encrypt Web services requests and responses in a Web services conversation. This is important because it avoids the "WAP gap" problem, where changes in the transport layer result in data being unencrypted at intermediate routers.
WS-Policy Framework, WS-PolicyAssertions and WS-PolicyAttachment work together to provide a policy language that lets Web services servers define what service requirements they provide, allowing customers to select a provider that meets their processing needs. WS-SecurityPolicy uses this policy framework to define a number of security policies, such as required message timeliness and encryption.