WS-Security specification - a chronology (WAS v5 apps)
This chronology describes the process that has been used to develop the WS-Security specifications. The chronology includes both the OASIS and non-OASIS activities.
Non-OASIS activities
There is an important distinction between V5.x and V6.0.x applications. The information in this article applies only to V5.x applications that are used with WAS Version 6.0.x and later. It does not apply to Version 6.0.x applications.
In April 2002, IBM, Microsoft, and VeriSign proposed the WS-Security specification on their Web sites. This spec included the basic ideas of security token, XML signature, and XML encryption. The spec also defined the format for user name tokens and encoded binary security tokens. After some discussion and an interoperability test that was based on the specification, the following issues were noted:
- The spec requires WS-Security processors to understand the schema correctly so that a processor can distinguish the ID attribute used for XML signature from the one used for XML encryption.
- The freshness of the message, which indicates whether the message complies with predefined time constraints, cannot be determined.
- Digested password strings do not strengthen security.
In August 2002, IBM, Microsoft, and VeriSign published the WS-Security Addendum, which attempted to address the previously listed issues.
The following solutions were put in the addendum:
- Require a global ID attribute for XML signature and XML encryption.
- Use time stamp header elements that indicate the time of the creation, receipt, or expiration of the message.
- Use password strings that are digested with a timestamp and nonce (randomly generated token).
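The digested password of the addendum (timestamp plus nonce) corresponds to the PasswordDigest later defined in the WS-Security Username Token Profile as Base64(SHA-1(nonce + created + password)). The following Python is an added example, not code from this page or from WAS: it shows the sender-side digest and a receiver that rejects stale, replayed and mismatched tokens. The 5-minute freshness window, the in-memory nonce cache and the sample credentials are assumptions.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)      # assumed receiver policy, not from the page
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the WSS Username Token Profile: Base64(SHA-1(nonce + created + password))."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")

def make_token(username: str, password: str, now: datetime) -> dict:
    """Fields a sender puts in a UsernameToken: a fresh random nonce and a Created timestamp."""
    nonce, created = os.urandom(16), now.strftime(TS_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Receiver side: checks freshness (timestamp), replay (nonce cache) and the digest."""
    def __init__(self, passwords: dict):
        self.passwords = passwords   # receiver must recompute the digest, so it needs the password itself
        self.seen = set()            # (user, nonce, created) accepted inside the window; prune old entries in real use

    def verify(self, token: dict, now: datetime) -> str:
        created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > FRESHNESS:
            return "stale"           # addresses the freshness problem of the original spec
        key = (token["Username"], token["Nonce"], token["Created"])
        if key in self.seen:
            return "replay"          # same nonce and timestamp presented twice
        pw = self.passwords.get(token["Username"])
        if pw is None:
            return "unknown user"
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], pw)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return "bad digest"
        self.seen.add(key)
        return "ok"

def run_demo() -> list:
    """Exercises the verifier with constructed tokens at a fixed clock; returns the outcomes in order."""
    t0 = datetime(2003, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    v = UsernameTokenVerifier({"alice": "s3cret"})   # constructed credential store
    good = make_token("alice", "s3cret", t0)
    return [v.verify(good, t0),                                                   # ok
            v.verify(good, t0 + timedelta(seconds=30)),                           # replay
            v.verify(make_token("alice", "wrong", t0), t0),                       # bad digest
            v.verify(make_token("alice", "s3cret", t0 - timedelta(minutes=10)), t0),  # stale
            v.verify(make_token("bob", "s3cret", t0), t0)]                        # unknown user
```

Because the receiver has to recompute SHA-1 over the plaintext password, this scheme does not let the receiver store only a salted one-way hash of the password; that trade-off is inherent to PasswordDigest.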
OASIS activities
In June 2002, OASIS received a proposed WS-Security spec from IBM, Microsoft, and VeriSign. The WS-Security Technical Committee (WSS TC) was organized at OASIS soon after the submission. The technical committee included many companies, including IBM, Microsoft, VeriSign, Sun Microsystems, and BEA Systems.
In September 2002, WSS TC published its first specification, WS-Security Core Specification, Working Draft 01. This spec included the contents of both the original WS-Security specification and its addendum.
The scope of the technical committee grew as the discussion proceeded. Since the WS-Security Core Specification allows arbitrary types of security tokens, proposals were published as profiles. The profiles described the method for embedding tokens, including Security Assertion Markup Language (SAML) tokens and Kerberos tokens, into WS-Security messages. Subsequently, the definitions of the usage for user name tokens and X.509 binary security tokens, which were defined in the original WS-Security Specification, were divided into the profiles. WAS supports the following specifications:
- WS-Security: SOAP Message Security Draft 13 (formerly WS-Security Core Specification)
- WS-Security: Username Token Profile Draft 2
The following figure shows the various WS-Security-related specifications. As indicated in the figure, the current support level for WS-Security: SOAP Message Security is based on Draft 13 from May 2003. The current support level for the WS-Security Username Token Profile is based on Draft 2 from February 2003.
Figure 1. WS-Security spec support