Is WS-Security the best security scheme for a public web service?

No replies
karlgold
Joined: 2006-09-17

I am doing some research on implementing a public web service that must be as broadly accessible as possible.

Some of the information exchanged by the service will have to be secured. The basic strategies for doing this (some combination of encryption, signing and authentication) are fairly straightforward, but I am unsure whether to use the WS-Security schema or to define a much simpler, more specific security element.

I haven't found a single major web service player (Amazon, Google, Yahoo, Flickr, Salesforce, etc.) that uses WS-Security for their public web services. They all seem to rely on something simpler, using SSL as the transport layer.

I'm feeling like it can't necessarily be a bad thing to imitate the big boys on this. Am I wrong? Am I missing out on significant API and tool support by not using WS-Security?

FWIW, I wrote up a summary of my research here:

http://xocoatl.blogspot.com/2006/09/web-service-security.html

Comments would be much appreciated. Thanks.

Message was edited by: karlgold