WS-License Associates Security Credentials with SOAP Messages

In the March 7, 2002, edition of .NET UPDATE, I discussed how Web Services Security Language (WS-Security) can make Simple Object Access Protocol (SOAP) communications more secure. One aspect of security lies in associating credentials with messages so that a recipient can identify a message's original sender and determine what type of key the recipient needs to decrypt the message. WS-Security defines the credentials header, which is a framework for including a license with a SOAP message, but doesn't describe the structure of the license information that the header might contain. The license structure is the bailiwick of Web Services License Language (WS-License).

License structure appears more complicated than it actually is. The WS-Security credentials tag contains information—either licenses and credentials or XML signature key information elements—that travels with the SOAP message. XML uses attributes and elements similar to those that HTTP uses; thus, in an XML-based WS-License setup, credentials have three attributes (valueType, encodingType, and xsi:type), and the WS-Security credentials tag can contain an abstract or binary license and testament. The valueType attribute names the credentials, the encodingType attribute notes the encoding format of a binary license (if applicable), and optionally, the xsi:type attribute provides more details about the encoding if such details are necessary for the licensing attached to the SOAP message. These attributes identify the type of credential in the message and the way the message is encrypted so that the recipient can untangle it.

The distinction between abstract and binary credentials and licenses is small. WS-License supports Kerberos (version 5) tickets and X.509 certificates; for X.509 certificates, WS-Security also supports encoding. If X.509 certificates are encoded—as described in the encodingType attribute and, optionally, the xsi:type attribute—the abstract license becomes a binary license, which provides greater security. Collectively, the credentials are the license, which identifies the license's holder and describes the type of key that encrypted the message, and the testament, which proves ownership of the license.

In practical terms, WS-License works as a subset of WS-Security. For example, say that Fred sends a secured SOAP message to Susan. Fred wants to encrypt the certificate he sends Susan. Within the credentials header in the message, Fred uses the binaryLicense tag to issue an X.509 license to Susan so that she can use this license to communicate with him. Fred identifies the encoding for the license with the encodingType attribute and names it with the valueType attribute. After Susan receives the message, she uses the private or session key included in the testament to decrypt the license, then she can use the license to communicate with Fred. WS-License describes the organization of the license and testament information that Fred sends to Susan.

For more information about WS-License, visit the following URL:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-license.asp