13.2. WS-SecureConversation

WS-Security is a simple model for message security. It works fine for small numbers of messages exchanged between Web services occasionally. However, WS-Security has two drawbacks when a requester and a Web service engage in a prolonged, multiple-message exchange:

WS-SecureConversation solves these problems by doing for WSS: SOAP Message Security what SSL/TLS did for HTTP/TCP-IP. The endpoints use PKI and WS-Security to exchange a session-specific set of keys. This allows for more efficient encryption and improved security for keys.

The key concepts in WS-SecureConversation are the Security Context and the Security Context Token (SCT). WS-SecureConversation defines the format and schema for an SCT. WS-SecureConversation also defines an extended binding of WS-Trust, which allows Secure Token Servers to generate and return SCTs. In another model, a Web service requester can itself generate an SCT.

Messages within a conversation contain the SCT in a header included by the sending Web service. The SCT contains or implies a shared secret. The requesting Web service obtains the secret from an STS in an RSTR, and then forwards the secret (encrypted) to another service. WS-SecureConversation documents algorithms for using the shared secret to derive session keys to be used for encrypting communication exchanged within the conversation.
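The key derivation mentioned above, as an added example that is not from the book: WS-SecureConversation derives keys with the P_SHA-1 function of RFC 2246, applied to the shared secret and a label concatenated with a per-key nonce. The secret, the nonces, and the helper names `derive_key` and `conversation_keys` are constructed for illustration.

```python
import hashlib
import hmac

# Default label defined by the WS-SecureConversation specification.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"

# Constructed sample values, for illustration only.
SHARED_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NONCE_SIGN = b"constructed-nonce-signing"
NONCE_ENCRYPT = b"constructed-nonce-encryption"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA-1 expansion from RFC 2246 section 5: HMAC-SHA1 chained over A(i)."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, label: bytes = DEFAULT_LABEL,
               offset: int = 0, length: int = 32) -> bytes:
    """Hypothetical helper: key = P_SHA-1(secret, label + nonce)[offset:offset+length]."""
    if not secret or not nonce:
        raise ValueError("shared secret and nonce must be non-empty")
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    return p_sha1(secret, label + nonce, offset + length)[offset:offset + length]


def conversation_keys(secret: bytes) -> dict:
    """Derive separate signing and encryption keys from one shared secret."""
    return {
        "sign": derive_key(secret, NONCE_SIGN),
        "encrypt": derive_key(secret, NONCE_ENCRYPT, length=16),
    }


if __name__ == "__main__":
    for purpose, key in conversation_keys(SHARED_SECRET).items():
        print(f"{purpose:8s} {len(key) * 8:3d}-bit key: {key.hex()}")
```

Because each derived key depends on its own nonce, the long-lived shared secret never encrypts message data directly, and a fresh nonce yields a fresh key without another exchange with the STS.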