XML 2003 logo

WS-I Web Services Security Profile Update

Abstract

Security has been identified as a critical requirement for broad adoption of Web Services. While some Web Services security requirements can be met with existing technologies operating at lower protocol layers, many believe there is a need for standardized security mechanisms that provide protections at the SOAP layer. In September of 2002, an OASIS Technical Committee (TC) was formed to develop standards for Web Services Security. The TC received technical submissions, developed by several companies, which formed the starting point for its work. This work is now approaching standardization.

The specifications introduce a new Security header for SOAP, which enables security mechanisms such as digital signatures, encryption, authentication and authorization to be applied. They do this by building on existing standards developed elsewhere, including both XML-based ones, e.g. XML Digital Signatures, XML Encryption and SAML, and non-XML ones, e.g. X.509 and Kerberos.

However, what they define is a set of basic constructs that may be used and combined in a variety of ways to meet many different potential requirements and usage patterns. To meet the need for a specific and constrained subset to promote interoperability, the Web Services Interoperability Organization (WS-I) chartered a Basic Security Profile Working Group in March of 2003. This group was chartered to produce two deliverables: a set of usage scenarios and a security profile of certain specified security technologies including those being standardized by the OASIS WSS TC.

A draft version of the usage scenarios, which includes security threats, challenges and mechanisms in addition to the actual scenarios, will have become available for general review prior to this conference. The security profile is currently under active development. This talk will give its audience an up-to-the-minute snapshot of the current status of this work.

The talk will:

o review the general history of the development of these specifications,

o summarize the work done in the OASIS WSS TC,

o describe the objectives and work to date of the WS-I BSP WG,

o present the highlights of the usage scenarios document, and

o provide information about the current state and likely future direction of the profile.

This talk is intended for developers, architects, technical managers and CIOs. Some technical concepts will be discussed, but given the time available, the technology will not be explored in any detail.

Keywords