
Web Services Secure Conversation standard


Web Services Secure Conversation (WS-SecureConversation) is a proposed Organization for the Advancement of Structured Information Standards (OASIS) standard that defines mechanisms for establishing and sharing security contexts, and deriving keys from security contexts, to enable a secure conversation.

The base WS-Security standard from OASIS defines how to digitally sign and encrypt the SOAP message to provide message-level protection. The standard also defines how to attach and reference a security token for digital signature and encryption. However, it does not provide session-based protection when a long series of related messages is exchanged. The WS-Security specification focuses on the message authentication model. This approach, while useful in many situations, could be subject to several forms of attack.

The WS-SecureConversation spec introduces the concept of a security context and its usage. The security context token is a new WS-Security token type that represents the abstract security context. The token is identified by a URI and consists of negotiated keys as well as other security-related properties. The context authentication model authenticates a series of messages and, therefore, addresses these concerns. The context authentication model increases the overall performance and security of the subsequent exchanges, but it requires additional communications when authentication happens prior to normal application exchanges.

Version 1.0 of the OASIS WS-SecureConversation spec defines extensions that build on the WS-Security and Web Services Trust (WS-Trust) standards to provide secure communication across one or more messages.

IBM, Microsoft, and other vendors have been working on the WS-SecureConversation specification since 2004. A draft of this document was jointly published in February, 2005. The WS-SecureConversation draft was submitted to the OASIS Web Service Secure Exchange Technical Committee (WS-SX TC), which was formed in December 2005, along with Web Services Trust (WS-Trust) and WS-Security Policy (WS-SecurityPolicy) drafts in order to begin the standardization process.

A revised V1.1 draft version of the WS-SecureConversation specification standard was submitted to OASIS in February 2005 and further defines the extensions in V1.0. This spec defines extensions to allow security context establishment and sharing, and session key derivation. These extensions allow contexts to be established and potentially more efficient keys or new key material to be exchanged.

The most recent version of the spec standard is version 1.3, which was approved by the WS-SX TC on March 1, 2007. Key requirements in this level of the spec include derived keys and per-message keys, and extensible security contexts. V7.0 of WAS adds support for version 1.3 of WS-SecureConversation, providing improved error handling using the standard fault codes as defined in the specification.
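The derived-key and per-message-key mechanism mentioned above works by running the shared security context secret through the TLS P_SHA1 pseudo-random function with a seed of label + nonce, then taking a byte window selected by an offset (or a generation number) and a length. The following is an added example, not code from this page or from WAS; the default label, offset and length values used here are assumptions, and the secret and nonce are constructed sample values.

```python
import hashlib
import hmac


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_SHA1 PRF (RFC 2246 section 5), the function WS-SecureConversation
    references for key derivation: concatenated HMAC-SHA1 blocks, cut to `length`."""
    out = b""
    a = seed                                                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, label: bytes = b"WS-SecureConversation",
               offset: int = 0, length: int = 32) -> bytes:
    """Derive one key from the context secret: seed = label + nonce, key = byte
    window [offset, offset + length) of the P_SHA1 stream. Defaults are assumptions."""
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def per_message_key(secret: bytes, nonce: bytes, generation: int, length: int = 32) -> bytes:
    """Generation-based derivation: offset = generation * length, so each message
    uses a fresh, non-overlapping window of the same stream."""
    return derive_key(secret, nonce, offset=generation * length, length=length)


# Constructed sample values standing in for the negotiated SCT secret and a token nonce.
SCT_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
NONCE = b"constructed-nonce-0001"


def demo() -> dict:
    """Both parties hold the same context secret and see the same nonce, so they
    derive identical keys; a different nonce or generation yields an unrelated key."""
    client_key = derive_key(SCT_SECRET, NONCE)
    service_key = derive_key(SCT_SECRET, NONCE)
    return {
        "agree": client_key == service_key,
        "per_message_keys_differ": per_message_key(SCT_SECRET, NONCE, 0) != per_message_key(SCT_SECRET, NONCE, 1),
        "nonce_changes_key": derive_key(SCT_SECRET, b"other-nonce") != client_key,
        "key_len": len(client_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```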

The Web Services Secure Conversation (WS-SecureConversation) standard is a building block used in conjunction with the other Web service and application-specific protocols such as WS-Security and Web Services Trust to accommodate a wide variety of security models and technologies. WS-SecureConversation is built on top of the WS-Security and WS-Trust models to provide secure communication between services. The WS-SecureConversation draft spec describes how to establish a security context token between two parties, and the WS-Trust specification describes how to issue and exchange security tokens.

This WS-SecureConversation draft spec includes extensions to Web services security and:

WAS supports the client establishing a secured conversation with the target service endpoint.

WAS supports the OASIS V1.1 submission draft, which became available in February 2005. WAS does not support all of the functions in the submission draft. WAS support of WS-SecureConversation focuses on:

Secure conversation provided with WAS does not provide support for a security context token (SCT) that is acquired from a third-party trust server, and does not provide support for a security context token that is created by the client.

For information about WS-SecureConversation:





Subtopics

Set the token generator and token consumer to use a specific level of WS-SecureConversation

Related concepts

Web Services Secure Conversation
Trust service
Scoping of Web Services Secure Conversation

Related tasks

Enable secure conversation

Related information

Web Services Secure Conversation Language