Web Services Security Standards

Because Web-services solutions are implemented using standards-based technologies, it is important to adopt standards-based security mechanisms that facilitate and support interoperability and remain independent of operating systems, application infrastructures, and programming languages.

With participation from leading technology companies, industry-standard initiatives on Web-services security specifications are under way. The most prominent XML security specifications for Web services, currently available as final or in progress with various standards bodies, are as follows:

• XML Signature (XML DSIG)

• XML Encryption (XML ENC)

• XML Key Management Services (XKMS)

• OASIS Web Services Security (WS-Security)

Based on these specifications, a long list of technology vendors provide security infrastructure solutions for XML-based Web services. In addition to the preceding standards, the following specifications provide support for Web services, particularly in identity management.

• Security Assertions Markup Language (SAML)

• XML Access Control Markup Language (XACML)

• Service Provisioning Markup Language

• Extensible Rights Management Language (XrML)

• XML Common Biometric Format (XCBF)

These supporting specifications on identity management are discussed in Chapter 7, "Identity Architecture and Its Technologies."

Let's now take an in-depth look at these core Web services security specifications and usage scenarios.