[Offtopic] WS-I Basic Security Profile

stephen at melbpc.org.au stephen at melbpc.org.au
Mon Apr 23 03:40:28 EST 2007


WS-I PUBLISHES BASIC SECURITY PROFILE 1.0

WAKEFIELD, Mass. – April 13, 2007 – The Web Services Interoperability
Organization (http://www.ws-i.org) today announced the publication of the
WS-I Basic Security Profile (BSP) 1.0 as final material for public
access. BSP 1.0 is an essential guide for ensuring secure, interoperable
Web services.

WS-I is an open, industry organization chartered to promote Web services
interoperability across platforms, operating systems, and programming
languages. The organization unites a diverse community of Web services
companies to provide guidance, recommended practices and supporting
resources for developing interoperable Web services. 

For more information, visit <http://www.ws-i.org> or email
info at ws-i.org

WS-I MEMBERS' SUPPORTING STATEMENTS

"Web services are a fundamental advance in the state of the art of
software integration and WS-I is doing a great service to the industry
with their efforts. OAGi was founded in 1994 to promote business software
interoperability and we look forward to bringing the business expertise
of our members to these important efforts. The OAGIS open standard
provides the richest cross industry XML Business Language in the world
and many organizations are deploying it as their canonical model for
application integration within the Web services framework. The marriage
of the Web services framework and the OAGIS XML payloads will enable
organizations to realize the benefits of the service based architectures
they are working so hard to deploy." David Connelly, Chief Executive 
Officer, Open Applications Group 

IBM
"Security is very important to our customers as they develop and deploy
Web services based solutions. The WS-I profiles are essential to ensuring
that the combinations of these standards are implemented consistently,"
said Karla Norsworthy, Vice President, IBM Software Standards. "Our
implementations of these profiles in IBM software products give customers
the needed functionality and the assurance their solutions will work in a
heterogeneous environment."

MICROSOFT
"Microsoft is pleased with the Web services interoperability that WS-I
Basic Security Profile (BSP) 1.0 offers to the industry," said Jorgen
Thelin, Senior Program Manager for Interoperability Standards, Connected
Systems Division at Microsoft, and WS-I Board member. "The completion of
BSP 1.0 will help drive the continuing adoption of OASIS WS-Security 1.0
and reinforce the integrity and confidentiality in Web services messaging."

NOVELL
"Novell is pleased to have participated in demonstrating the
interoperability of the WS-I Basic Security Profile 1.0. We believe this
profile will significantly advance the development of secure Web
Services," said Vijay Rajan, Software Engineer Consultant, Novell.

ORACLE
"With the increasing popularity of service-oriented architectures, it is
critical for organizations to ensure their Web services are secure," said
Prateek Mishra, director, Security Standards, Oracle. "We are pleased
that the WS-I Basic Security Profile and its interoperability tests have
been finalized, as they underscore Oracle's commitment to making it
easier for organizations to implement and secure their service-oriented
architectures across heterogeneous environments."

SAP
"The secure interoperation of Web Services is essential for a service
oriented architecture," said David Burdett, SAP Board member for
WS-I. "The successful conclusion of interoperability tests carried out
prior to declaring the Basic Secure Profile 1.0 as final material 
demonstrates SAP's commitment to building an open, standards-based
platform with SAP NetWeaver."
--

Basic Security Profile Version 1.0
Final Material 
2007-03-30

<http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html>

Here's a sample:

6. Timestamps

Web Services Security: SOAP Message Security defines a Timestamp element
for use in SOAP messages. The Profile places the following constraints on
its use: 

6.1 Placement

6.1.1 Not More Than One per Security Header: R3227 A SECURITY_HEADER MUST 
NOT contain more than one TIMESTAMP. 

6.2 Content

6.2.1 Exactly One Created per Timestamp: R3203 A TIMESTAMP MUST contain 
exactly one CREATED. 

This element is REQUIRED and can only be specified once in a Timestamp 
element. Within the SOAP processing model, creation is the instant that 
the Infoset is serialized for transmission. 

For example,

INCORRECT: 

<!-- This example is incorrect because the wsu:Timestamp element is 
missing a wsu:Created child element -->
<wsu:Timestamp wsu:Id="timestamp">
   <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
</wsu:Timestamp>

CORRECT: 

<wsu:Timestamp wsu:Id="timestamp">
   <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
   <wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>
</wsu:Timestamp>

6.2.2 Not More Than One Expires per Timestamp: R3224 Any TIMESTAMP MUST 
NOT contain more than one EXPIRES. ... <snip>
--

Cheers all ..
Stephen Loosley
Victoria, Australia
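
Added example, not part of the original post or of the WS-I profile: a Python check for the three timestamp requirements quoted above (R3227, R3203, R3224), run over the page's INCORRECT and CORRECT timestamps and one constructed message. The namespace URIs are the OASIS WS-Security 1.0 ones; the wrap() helper, the sample envelopes and the DTD guard are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# OASIS WS-Security 1.0 namespaces (the excerpt uses the wsu: prefix without declaring it).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


def check_timestamps(xml_text):
    """Return (requirement, detail) pairs for each R3227/R3203/R3224 violation."""
    # SOAP messages must not carry a DTD; refusing one also avoids entity-expansion input.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(xml_text)
    found = []
    for header in root.iter(f"{{{WSSE}}}Security"):
        stamps = header.findall(f"{{{WSU}}}Timestamp")  # direct children only
        if len(stamps) > 1:
            found.append(("R3227", f"{len(stamps)} Timestamps in one Security header"))
        for ts in stamps:
            ts_id = ts.get(f"{{{WSU}}}Id", "(no wsu:Id)")
            created = len(ts.findall(f"{{{WSU}}}Created"))
            expires = len(ts.findall(f"{{{WSU}}}Expires"))
            if created != 1:
                found.append(("R3203", f"{ts_id}: {created} Created, need exactly 1"))
            if expires > 1:
                found.append(("R3224", f"{ts_id}: {expires} Expires, at most 1 allowed"))
    return found


def wrap(security_children):
    """Constructed SOAP 1.1 envelope around the given Security header children."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<s:Header><wsse:Security>{security_children}</wsse:Security></s:Header>"
            "<s:Body/></s:Envelope>")


# The page's INCORRECT and CORRECT timestamps, plus one constructed message
# that breaks R3227 (two Timestamps) and R3224 (two Expires).
INCORRECT = wrap('<wsu:Timestamp wsu:Id="timestamp">'
                 "<wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires></wsu:Timestamp>")
CORRECT = wrap('<wsu:Timestamp wsu:Id="timestamp">'
               "<wsu:Created>2001-09-13T08:42:00Z</wsu:Created>"
               "<wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires></wsu:Timestamp>")
DUPLICATED = wrap('<wsu:Timestamp wsu:Id="a"><wsu:Created>2001-09-13T08:42:00Z</wsu:Created>'
                  "</wsu:Timestamp>"
                  '<wsu:Timestamp wsu:Id="b"><wsu:Created>2001-09-13T08:42:00Z</wsu:Created>'
                  "<wsu:Expires>2001-10-13T09:00:00Z</wsu:Expires>"
                  "<wsu:Expires>2001-10-14T09:00:00Z</wsu:Expires></wsu:Timestamp>")

if __name__ == "__main__":
    for name, msg in (("INCORRECT", INCORRECT), ("CORRECT", CORRECT), ("DUPLICATED", DUPLICATED)):
        print(name, check_timestamps(msg))
```

The check covers element counts only; whether the Created and Expires values are fresh is a separate receiver-side decision that the quoted requirements do not address.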

