[WS-Security] defines the basic mechanisms for providing secure messaging. This specification uses these base mechanisms and defines additional primitives and extensions for security token exchange to enable the issuance and dissemination of credentials within different trust domains.
In order to secure a communication between two parties, the two parties must exchange security credentials (either directly or indirectly). However, each party needs to determine if they can "trust" the asserted credentials of the other party.
In this specification we define extensions to [WS-Security] that provide: (extends WS-Security in the following respects)
- Methods for issuing, renewing, and validating security tokens. (means of issuing, renewing, and validating security tokens)
- Ways to establish, assess the presence of, and broker trust relationships. (means of establishing trust relationships, verifying that they exist, and brokering them)
Using these extensions, applications can engage in secure communication designed to work with the general Web services framework, including WSDL service descriptions, UDDI businessServices and bindingTemplates, and [SOAP] messages.
To achieve this, this specification introduces a number of elements that are used to request security tokens and broker trust relationships.
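The issue, renew and validate operations and the brokered-trust model described above, as an added toy illustration; this is not the specification's wire format (which uses SOAP/XML elements) nor any project's code, and the HMAC key, issuer name and user credential are constructed values:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for the STS signing key.
STS_KEY = b"sts-signing-key-constructed"


def _sign(claims: dict, key: bytes) -> str:
    """Serialise claims and append an HMAC-SHA256 tag (toy token format)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify(token: str, trusted_issuers: dict, now=None) -> dict:
    """Relying-party check: trust is brokered through the issuer's key, never the user's password."""
    b64_body, b64_tag = token.split(".")
    body, tag = base64.urlsafe_b64decode(b64_body), base64.urlsafe_b64decode(b64_tag)
    claims = json.loads(body)
    key = trusted_issuers.get(claims.get("iss"))  # 'iss' is unauthenticated until the tag checks out
    if key is None:
        raise ValueError("issuer not trusted")
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad signature")
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims


class SecurityTokenService:
    """Plays the STS role: authenticates requesters in its own domain, then issues/renews/validates tokens."""

    def __init__(self, name: str, key: bytes, users: dict):
        self.name, self.key, self.users = name, key, users  # users: {user: password}, constructed

    def issue(self, user: str, password: str, audience: str, ttl=300, now=None) -> str:
        # The requester presents a credential only the STS can verify directly.
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("authentication failed")
        now = time.time() if now is None else now
        return _sign({"sub": user, "iss": self.name, "aud": audience, "exp": now + ttl}, self.key)

    def renew(self, token: str, ttl=300, now=None) -> str:
        claims = self.validate(token, now)  # never extend an expired or forged token
        claims["exp"] = (time.time() if now is None else now) + ttl
        return _sign(claims, self.key)

    def validate(self, token: str, now=None) -> dict:
        return verify(token, {self.name: self.key}, now)
```

A relying party that holds only the STS key in `trusted_issuers` accepts tokens for users whose passwords it never sees, which is the brokered trust relationship the text refers to.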
This specification defines a number of extensions; compliant services are NOT REQUIRED to implement everything defined in this specification. However, if a service implements an aspect of the specification, it MUST comply with the requirements specified (e.g. related "MUST" statements).
Section 12 is non-normative.
1.1 Goals and Non-Goals
The goal of WS-Trust is to enable applications to construct trusted [SOAP] message exchanges. This trust is represented through the exchange and brokering of security tokens. This specification provides a protocol agnostic way to issue, renew, and validate these security tokens.
This specification is intended to provide a flexible set of mechanisms that can be used to support a range of security protocols; this specification intentionally does not describe explicit fixed security protocols.
As with every security protocol, significant efforts must be applied to ensure that specific profiles and message exchanges constructed using WS-Trust are not vulnerable to attacks (or at least that the attacks are understood).
The following are explicit non-goals for this document:
• Password authentication
• Token revocation
• Management of trust policies
Additionally, the following topics are outside the scope of this document:
• Establishing a security context token
• Key derivation
The Web services trust specification must support a wide variety of security models. The following list identifies the key driving requirements for this specification:
• Requesting and obtaining security tokens
• Managing trusts and establishing trust relationships
• Establishing and assessing trust relationships