WS-SecureConversation and WS-Trust Approved as Standards

The following press release was provided regarding the new standards approved by OASIS. Rather than rehash this information, I simply provide you with the press release. It is worht noting the various companies that were involved in seeing these standards approved.

Boston, MA, USA; 27 March 2007 — OASIS, the international standards
consortium, today announced that its members have approved
WS-SecureConversation version 1.3 and WS-Trust version 1.3 as OASIS Standards,
a status that signifies the highest level of ratification. Developed by the
OASIS Web Services Secure Exchange (WS-SX) Technical Committee, these new
standards define policies and extensions to WS-Security that enable the trusted
exchange of multiple SOAP messages.

“In order to secure communication between two parties, both must exchange
security credentials. Before that can take place though, each party needs to
determine if they can ‘trust’ the asserted credentials of the other,” explained
Anne Thomas Manes, research director with the Burton Group. “Applications that
communicate using the Web services framework (e.g., SOAP and WSDL) can use
WS-Trust to obtain and exchange security credentials–either directly or
through a trusted third party–and use WS-SecureConversation to establish and
maintain an extended secure session.”

WS-Trust provides methods for issuing, renewing, and validating security tokens
as well as establishing, detecting, and brokering trust relationships.
WS-SecureConversation allows security contexts to be created and key material
to be exchanged more efficiently. Together, WS-Trust and WS-SecureConversation
can increase the overall performance and security of exchanges.

“We defined the basic mechanisms for providing secure messaging in
WS-Security,” explained Kelvin Lawrence of IBM, co-chair of the OASIS WS-SX
Technical Committee. Lawrence, along with WS-SX co-chair, Chris Kaler of
Microsoft, previously led the WS-Security development effort at OASIS.
“WS-Trust builds upon WS-Security by introducing an XML syntax and a protocol
that enable the issuance and dissemination of credentials between different
trust domains via a Security Token Service (STS).”

“WS-Security focuses on the security of a single message, which is useful in
many situations,” noted Kaler. “WS-SecureConversation adds a security context
authentication model that is extremely beneficial for long-running exchanges.
When two parties are passing multiple rounds of secured messages back and
fourth, the added security and efficiency provided by WS-SecureConversation
becomes essential.”

IBM, Microsoft, and Sun Microsystems have verified successful implementations
of WS-SecureConversation and WS-Trust, in accordance with eligibility
requirements for all OASIS Standards.

Representatives of Adobe, AmberPoint, Axway, BEA Systems, BMC Software, CA,
EDS, Forum Systems, Fujitsu, HP, IBM, IONA, Microsoft, Neustar, Nokia, Nortel,
Novell, Oracle, Progress Software, Red Hat, Ricoh, SAP, SOA Software, Software
AG, Sun Microsystems, Tibco Software, VeriSign, and other members of OASIS
collaborated to develop WS-SecureConversation and WS-Trust.

“The support for this work has been tremendous,” observed Patrick Gannon,
president and CEO of OASIS. “Specifications that were initiated by a few
vendors two years ago have evolved and benefited significantly by participation
from the broader international community. Today, with 90 participants from more
than 40 organizations, WS-SX represents one of the largest Committees at OASIS.
This is an indication, not only of the breadth of input that has gone into
these standards, but also of their ability to meet the needs of the

Participation in the OASIS WS-SX Technical Committee remains open to all, and
OASIS hosts the public ws-sx-dev mailing list for exchanging information on
implementing the standard.

Support for WS-SecureConversation and WS-Trust OASIS Standards

BEA Systems
“The standardization of WS-SecureConversation and WS-Trust is a key step
towards enabling the development of secure SOA services which are highly
efficient and scalable,” said Hal Lockhart, Principal Engineering Technologist,
BEA Systems.

“BMC has been a long time supporter of OASIS and its industry standardization
efforts around Web services. The approval of WS-Trust and WS-Secure
Conversation adds important pieces to the Web services standards puzzle which
will enable customers to enjoy better interoperability between products and
custom developed application and support their Service Oriented Architecture
strategy. BMC looks forward to the adoption of the new standards and the role
it will play in our customer’s Business Service Management infrastructure,”
said Jeff Bohren, Identity Management Business Unit, BMC Software.

“The approval of the WS-Trust and WS-SecureConversation standards represents an
important step in making cross-domain and cross-enterprise Web services more
secure and interoperable. This secure interoperability is essential for
enabling the kinds of Internet-based business relationships that many
organizations are embracing,” said Andy Rappaport, architect for identity and
access management at CA.

“We are pleased to see WS-Trust and WS-SecureConversation become OASIS
Standards. Customers have been asking for an industry standard framework that
supports the requesting and issuing security tokens, brokering of trust
relationships and providing secure messaging semantics that support multiple
message exchanges between parties. In conjunction with the existing WS-Security
standard, these new standards provide the necessary mechanisms to enable a
number of secure Web services-based scenarios that our customers have told us
they want to deploy. IBM already offers support for earlier drafts of WS-Trust
and WS-SecureConversation in many of our WebSphere and Tivoli products, and
these new OASIS Standards will be fully supported across the IBM software
portfolio,” said Karla Norsworthy, vice president, IBM Software Standards.

“Microsoft is pleased with the benefits that WS-SecureConversation 1.3 and
WS-Trust 1.3 can offer the industry. Both standards can engage in secure
communications while adding increased performance and security exchanges,” said
Chris Kurt, Group Product Manager of Connected Systems Division, Microsoft.

“Oracle is deeply committed to helping bring security standards to the market.
The latest standards to come out of the OASIS WS-SX Technical Committee provide
applications with a secure way to communicate with one another and strengthen
the ‘hot-pluggable’ capabilities of Oracle’s comprehensive family of identity
management products,” said Prateek Mishra, director, Security Standards,

“SAP considers WS-SecureConversation and WS-Trust key components for an
enterprise SOA, addressing important security scenarios that are a critical
success factor for the development and integration of business applications. We
are pleased to announce the support of these two security standards in the next
release of SAP NetWeaver. With WS-SecureConversation and WS-Trust, we’ll
enhance our support to securely manage change which is a significant factor in
our customer’s success in adapting to increasingly dynamic business
environments,” said Michael Bechauf, Vice President Industry Standards, SAP.

“The approval of WS-Secure Conversation and WS-Trust as OASIS Standards
represents a significant step in advancing Web service messaging security. As a
charter member of the OASIS WS-Security Technical Committee, we are thrilled at
the group’s progress and look forward to future collaborations,” said Donald
Adams, Vice President, Chief Security Officer and Chief Technology Officer,


OASIS (Organization for the Advancement of Structured Information Standards) is
a not-for-profit, international consortium that drives the development,
convergence, and adoption of e-business standards. Members themselves set the
OASIS technical agenda, using a lightweight, open process expressly designed to
promote industry consensus and unite disparate efforts. The consortium produces
open standards for Web services, security, e-business, and standardization
efforts in the public sector and for application-specific markets. Founded in
1993, OASIS has more than 5,000 participants representing over 600
organizations and individual members in 100 countries.

# # #

More by Author

Must Read