![Close [x]](http://dw1.s81c.com/i/c.gif){kind=small}
The recently updated Web Services Security Policy Language (WS-SecurityPolicy) specification indicates the policy assertions which apply to Web Services Security: SOAP Message Security, WS-Trust, and WS-SecureConversation.
With the re-publication of the WS-SecurityPolicy specification, IBM, Microsoft, and 12 co-authors are committing to submit it and two other security specifications to a worldwide standards body in September. The commitment is a key action on completing the Web Services Security framework and Web Services Security roadmap that IBM and Microsoft created in 2002 to help the industry produce and implement a standards-based architecture that is comprehensive, yet flexible enough to meet the Web services security needs of businesses (see Resources).
Web services are a loosely-coupled, language-neutral, platform-independent way of linking applications within organizations, across enterprises, and across the Internet. A key benefit of the emerging Web services architecture is the ability to deliver integrated, interoperable solutions -- which makes it critical to ensure the integrity, confidentiality, and overall security of these services.
The recently updated Web Services Security Policy Language (WS-SecurityPolicy) specification defines a set of security policy assertions which apply to Web Services Security: SOAP Message Security, WS-Trust, and WS-SecureConversation. This document takes the approach of defining a base set of assertions that describe how messages are to be secured. Flexibility with respect to token types, cryptographic algorithms, and mechanisms used, including using transport-level security, is part of the design and allows for evolution over time. The intent is to provide enough information for compatibility and interoperability to be determined by Web services participants, along with all information necessary to actually enable a participant to engage in a secure exchange of messages.
Get the specification and related material
| Description | Date | Access method |
|---|---|---|
| Web Services Security Policy Language V1.1 specification (PDF, 755 KB) | July, 2005 | HTTP download |
| WS-SecurityPolicy XSD | July 2005 | HTTP Web page |
If you would like to contribute technical comments on this specification, please do so through our Feedback page.
The following three specifications will be submitted to OASIS (Organization for the Advancement of Structured Information Standards):
-
WS-SecurityPolicy: Defines general security policy assertions which apply to Web Services Security: SOAP Message Security, WS-Trust, and WS-SecureConversation.
-
WS-Trust: Defines extensions that build on WS-Security to both provide a framework for requesting and issuing security tokens and broker trust relationships.
- WS-SecureConversation: Defines extensions that build on WS-Security and WS-Trust to provide secure communication across one or more messages. Specifically, this specification defines mechanisms for establishing and sharing security contexts and for deriving keys from established security contexts (or any shared secret).
If you would like to view the earlier version of this specification, click on the following link:
- WS-SecurityPolicy specification draft (December, 2002)
-
"Security in a Web Services World: A Proposed Architecture and Roadmap" defines a comprehensive Web services security model that supports, integrates, and unifies several popular security models, mechanisms, and technologies in a way that enables a variety of systems to securely interoperate in a platform- and language-neutral manner.
- Read the related Web Services Trust specification that explains how trust relationships are defined between Web services.
-
WS-SecureConversation defines extensions that build on WS-Security to provide secure communication.
-
Web Services Addressing defines how to identify services across a network.
-
Web Services Policy Framework defines how to apply policies to control individual services behavior.
-
Web Services Security describes enhancements to SOAP to provide quality of protection through message integrity, confidentiality, and authentication.
