WS-I Releases Draft of Basic Security Profile

The Web Services Interoperability Organization is asking for feedback from users and developers on the set of specifications, which are based largely on the WS-Security spec recently approved by OASIS.

The Web Services Interoperability Organization (WS-I) on Tuesday announced the release of the working-group draft of the WS-I Basic Security Profile. WS-I officials made the announcement at the Gartner Application Integration and Web Services Summit in Los Angeles. The draft is now available so that users and developers can assess the profile and send feedback to the organization, officials said. The WS-I Basic Security Profile is a set of specifications based largely on the WS-Security specification recently approved by the Organization for the Advancement of Structured Information Standards (OASIS). The profile is designed to address interoperability across transport security, Simple Object Access Protocol (SOAP) messaging security and other security considerations for the Basic Profile 1.0, as well as the Basic Profile 1.1, Simple SOAP Binding Profile 1.0 and Attachments Profile 1.0—all now available for public review as working-group drafts, officials said. Also according to the WS-I, the Basic Security Profile has two main target areas: HTTP over Transport Layer Security (TLS) and Web services security through SOAP message security. WS-I officials said HTTP over TLS is a point-to-point technology that protects the confidentiality of all of the information flowing over an HTTP connection. Meanwhile, the Web services security component provides security protection for SOAP messages and applies even when a message passes through several intermediary waypoints, allowing differing levels of protection for selected portions of a message, WS-I officials said. The Basic Security Profile describes a way to apply SOAP message security to attachments. Ari Bixhorn, Microsoft Corp.s lead product manager for Web services strategy, said Microsoft will support the WS-I Basic Security Profile. "Weve been in the [WS-I Basic Security Profile Working Group] since its inception, and we see this as a fairly significant milestone," Bixhorn said. "Feedback is critical to the success of this effort." Bixhorn said Microsofts Visual Studio already enables developers to adhere to the WS-I Basic Profile 1.0 and that support in the next version of Microsofts Web Services Enhancements (WSE)—WSE 2.0—is being considered, although there will definitely be support in the upcoming version of the companys Web services engine code-named "Indigo." For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. Bob Sutor, director of WebSphere Software at IBM Corp., said the availability of the security profile "is a very good thing." "WS-I continues to be at the forefront, and we applaud the continued industry efforts," he said. The WS-I Basic Security Profile working-group draft can be reviewed on the organizations Web site, and feedback can be submitted here. In addition, the Basic Security Profile includes token profiles such as the Username token profile and the X.509 certificate profile. The working group is planning to add the Kerberos token profile and is considering adding the Security Assertion Markup Language (SAML) token profile and the Extensible Rights Markup Language (XRML) token profile, WS-I officials said. Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page