WS-Security
WS-Security is a proposal for adding message-layer security to SOAP messages, defining standardized locations and syntax by which security tokens (such as X.509 certificates and Kerberos tickets) can be carried within SOAP Headers in order to secure the contents of the SOAP messages.
WS-Security leverages the existing XML Digital Signature and XML Encryption specifications for capturing the results of, respectively, signing and encryption operations in XML syntax. In essence, WS-Security standardizes where the XML Signature and XML Encryption blocks are carried within a SOAP message (a dedicated Security header block) and how those blocks refer to the parts of the message they protect.
Why is it needed?
Transport-layer mechanisms such as TLS (Transport Layer Security) are insufficient on their own for securing Web Services. Because TLS creates a secure channel through which messages flow, it cannot provide differentiated protection, e.g. encrypting and/or signing only particular components of those messages. This matters when non-sensitive portions of a message need to be read or changed by intermediate actors while the sensitive portions stay protected. Additionally, when a SOAP message flows through multiple actors, TLS cannot provide end-to-end protection: it protects each 'hop' separately, so the message is in the clear at every intermediate actor, with the resultant security gaps there. A signature or encrypted block carried in the message itself survives those intermediaries and can be verified or decrypted by the final recipient.
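As an added example (not code from the original page, from Entrust, or from the WS-Security specification), the following Python script puts the two preceding sections into working code: a SOAP envelope whose Body is referenced by wsu:Id from a ds:Signature carried in the wsse:Security header, a verifier for it, an intermediary that rewrites an unsigned routing header without invalidating the signature, and an attacker who edits the signed Body or attempts the well-known signature-wrapping trick of moving the signed Body aside and substituting an unsigned one. Assumptions: the OASIS WSS 1.0 namespace URIs (the 2002 proposal used draft schemas.xmlsoap.org URIs); HMAC-SHA256 with a constructed pre-shared key as the SignatureMethod (a valid XML-DSig method, used here instead of an RSA signature over an X.509 token so that only the Python standard library is needed); and the C14N 2.0 canonicalization that `xml.etree.ElementTree.canonicalize` implements (Python 3.8+) in place of the Exclusive C14N 1.0 that real WS-Security stacks use, so the output is illustrative and not interoperable with them. The urn:example:* namespaces, element names, key and values are constructed for the example.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# SOAP 1.1, the OASIS WSS 1.0 secext/utility schemas (assumption: the 2002
# proposal used draft schemas.xmlsoap.org URIs) and XML-DSig.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
WSU_ID = f"{{{WSU}}}Id"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
C14N_20 = "http://www.w3.org/2010/xml-c14n2"  # what ET.canonicalize implements, not Exclusive C14N
# Constructed pre-shared key for the example; a real stack would carry an X.509
# BinarySecurityToken in wsse:Security and sign with its private key.
SHARED_KEY = b"example-pre-shared-key-not-for-production"
ROUTE = "soap:Header/{urn:example:routing}Route"                      # unsigned header
AMOUNT = "soap:Body/{urn:example:bank}Transfer/{urn:example:bank}Amount"  # inside the signed Body


def canonical(elem):
    """Canonicalize one subtree on its own (C14N 2.0 from the Python 3.8+ stdlib)."""
    elem = copy.copy(elem)  # shallow copy so the element's tail text is not serialized with it
    elem.tail = None
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"))


def digest_b64(elem):
    return base64.b64encode(hashlib.sha256(canonical(elem).encode()).digest()).decode()


def build_signed_message(account, amount, key=SHARED_KEY):
    """SOAP envelope whose Body is signed by a ds:Signature carried in wsse:Security."""
    body_xml = (f'<soap:Body xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" wsu:Id="Body">'
                f'<Transfer xmlns="urn:example:bank"><Account>{account}</Account>'
                f'<Amount>{amount}</Amount></Transfer></soap:Body>')
    # The Reference names the Body by wsu:Id and binds its digest into SignedInfo.
    signed_info_xml = (f'<ds:SignedInfo xmlns:ds="{DS}">'
                       f'<ds:CanonicalizationMethod Algorithm="{C14N_20}"/>'
                       f'<ds:SignatureMethod Algorithm="{HMAC_SHA256}"/>'
                       f'<ds:Reference URI="#Body"><ds:DigestMethod Algorithm="{DIGEST_SHA256}"/>'
                       f'<ds:DigestValue>{digest_b64(ET.fromstring(body_xml))}</ds:DigestValue>'
                       f'</ds:Reference></ds:SignedInfo>')
    # The signature value is computed over canonical SignedInfo, not over the Body directly.
    mac = hmac.new(key, canonical(ET.fromstring(signed_info_xml)).encode(), hashlib.sha256)
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
            f'<soap:Header><Route xmlns="urn:example:routing">gateway-1</Route>'  # left unsigned on purpose
            f'<wsse:Security><ds:Signature>{signed_info_xml}'
            f'<ds:SignatureValue>{base64.b64encode(mac.digest()).decode()}</ds:SignatureValue>'
            f'</ds:Signature></wsse:Security></soap:Header>{body_xml}</soap:Envelope>')


def verify_signed_message(xml_text, key=SHARED_KEY):
    """True only if SignedInfo is authentic, each Reference resolves to exactly one
    element whose digest matches, and the real Body is among the signed elements."""
    env = ET.fromstring(xml_text)
    signature = env.find("soap:Header/wsse:Security/ds:Signature", NS)
    if signature is None:
        return False
    signed_info = signature.find("ds:SignedInfo", NS)
    expected = hmac.new(key, canonical(signed_info).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(signature.findtext("ds:SignatureValue", "", NS)), expected):
        return False
    signed = []
    for ref in signed_info.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        targets = [e for e in env.iter() if e.get(WSU_ID) == uri[1:]] if uri.startswith("#") else []
        if len(targets) != 1 or ref.findtext("ds:DigestValue", "", NS) != digest_b64(targets[0]):
            return False  # missing/duplicate Id or modified content: refuse, never guess
        signed.append(targets[0])
    body = env.find("soap:Body", NS)
    return body is not None and any(t is body for t in signed)  # defeats signature wrapping


def set_text(xml_text, path, value):
    """Re-serialize the message with one element's text changed: an intermediary editing
    an unsigned header, or an attacker editing the signed Body."""
    env = ET.fromstring(xml_text)
    env.find(path, NS).text = value
    return ET.tostring(env, encoding="unicode")


def wrap_body(xml_text, new_amount):
    """Signature wrapping: park the signed Body under a header wrapper so every digest
    still matches, and present a fresh unsigned Body carrying the attacker's value."""
    env = ET.fromstring(xml_text)
    old_body = env.find("soap:Body", NS)
    env.remove(old_body)
    ET.SubElement(env.find("soap:Header", NS), "Wrapper").append(old_body)
    new_body = copy.deepcopy(old_body)
    del new_body.attrib[WSU_ID]
    new_body.find("{urn:example:bank}Transfer/{urn:example:bank}Amount").text = new_amount
    env.append(new_body)
    return ET.tostring(env, encoding="unicode")
```

Calling verify_signed_message on the output of build_signed_message returns True; it still returns True after set_text(msg, ROUTE, "gateway-2"), because the intermediary's edit touched nothing the Reference covers, which is the differentiated protection TLS cannot give; and it returns False after set_text(msg, AMOUNT, ...) or wrap_body(msg, ...). The final check in the verifier, that the Body the application will act on is itself one of the signed elements, is what rejects the wrapped message: a verifier that only resolves the Reference by Id would accept it, since every digest and the signature value still match.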
Status
A new OASIS Technical Committee was formed in August 2002 to oversee the standardization of the WS-Security proposal.
Entrust Support for WS-Security
Entrust supports XML Signature and XML Encryption, which are fundamental building blocks for WS-Security, with Entrust Certificate Authority's Security Toolkit for Java.