Microsoft and IBM were the main backers of six new specification drafts released last month that provide more sophisticated Web services security.
WS-Trust (Web Services Trust) provides a challenge-response-based framework for exchanging security identifiers between a Web services client and server, and for letting third-party authentication servers arbitrate this process.
WS-SecureConversation describes how a Web services client and server can exchange encryption keys, which can then be used to encrypt the requests and responses in a Web services conversation. This is important because it avoids the “WAP gap” problem, where changes in the transport layer leave data unencrypted at intermediate routers.
WS-Policy Framework, WS-PolicyAssertions and WS-PolicyAttachment work together to provide a policy language that lets Web services servers define the service requirements they provide, allowing customers to select a provider that meets their processing needs. WS-SecurityPolicy uses this policy framework to define a number of security policies, such as required message timeliness and encryption.