WS-I Releases Basic Security Profile 1.1

 
 
By Darryl K. Taft  |  Posted 2010-03-24
 
 
 

The Web Services Interoperability Organization has delivered an update to its security profile, the WS-I Basic Security Profile 1.1.

WS-I is an "open industry organization" that focuses on establishing best practices for Web services interoperability, the organization said in a news release March 23. "The WS-I Basic Security Profile is an essential guide for ensuring secure, interoperable Web services, based on a set of non-proprietary Web services specifications, along with clarifications and amendments to those specifications that promote interoperability. BSP 1.1 integrates OASIS Web Services Security (WS-Security) 1.1 key encryption and signature features that can improve interoperability of practical secure technologies used in current Web services applications."

"The Basic Security Profile 1.1 is an important update to WS-I's efforts to advance interoperability and security for Web services," David Burdett, chair of the WS-I Board of Directors, said in a statement. "Our thanks go to the WS-I BSP Working Group members who have so successfully collaborated to produce BSP 1.1."

The WS-I statement continued:

"Specifically, BSP 1.1 targets transport and SOAP [Simple Object Access Protocol] message security, and Basic Profile-specific security considerations of Web Services. BSP 1.1 focuses on Web Services Message Security and HTTP over Transport Level Security (TLS). Building on BSP 1.0, BSP 1.1 is based on the key security usage scenarios and requirements identified in WS-I's Security Challenges document, http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf.

BSP 1.1 constrains the use of several common security tokens based on the OASIS Web Services Security (WS-Security) 1.1 and its token profiles. Security tokens profiled include Kerberos, X.509, SAML and Username token.

"The WS-I Basic Security Profile 1.1 builds upon the strong foundation in BSP 1.0 and extends it to cover core security scenarios in WS-Security 1.1," said Paul Cotton, Chair of the BSP Working Group. "We believe security is a top priority for Web services and are pleased with the work we've been able to achieve to provide solid secure, interoperable web services for implementers and consumers."

Concluding a six-month testing effort, six WS-I member companies-Intel, IBM, Layer 7, Microsoft, Oracle and SAP AG-successfully interoperated using BSP 1.1 and contributed to profile enhancements based on their results. The scenarios and test tools are publicly available at http://www.ws-i.org/deliverables/workinggroup.aspx?wg=testingtools for third-party Web services applications to test security interoperability."

The statement continued, "Among the WS-I member companies whose representatives participated in developing BSP 1.1 were BMC Software, Hitachi, HP [Hewlett-Packard], IBM, Layer 7 Technologies, Microsoft, Nokia, Oracle and SAP."

WS-I also said, "BSP 1.1 is available at no charge from the WS-I Web site, at http://www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity."

Rocket Fuel