Message level security for web services

Security and web services are consistently reported among the top technologies of interest to businesses. Concerns about security are a major deterrent to companies considering use of the technology. This paper provides a summary of the emerging consensus on security for collaborative business using web services in an open environment. The most common security measure using transport layer security may be sufficient for simple applications. However, for more complex environments, e.g. more than two parties, or multiple web services, complete messages or individual parts of messages may be encrypted and signed to protect the confidentiality and integrity of web service messages. Tokens may also be added to messages to assert claims, e.g. about checks that have been carried out by a trusted authority to confirm identities.

The emerging standards are not prescriptive, leaving a lot of choices up to the system designer. The next few years should see steady progress in research and standardisation communities towards generality and interoperability. A major challenge will be to combine this generality with ease of management of security measures via business-oriented policies. The paper advocates a policy-based approach to specification of security measures based on a clear semantic interpretation for signatures and tokens in order to: increase interoperability of web services developed independently; allow security to be managed and policies to be specified business oriented terms by non-specialist staff.

A unifying semantic reference model would help make sense of the large number of overlapping and partially conflicting security-related web service specifications.