Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

Windows CardSpace Team Bloggers

CardSpace support for OASIS WS-SX standards

The OASIS Web Services Secure Exchange (WS-SX) technical committee has published specifications for WS-Security extensions and policies to enable the trusted exchange of SOAP messages. The resulting WS-SX specifications include WS-Trust, WS-SecurityPolicy and WS-SecureConversation. This standardization of WS-Trust is good news. Gartner says that:

OASIS's ratification of two key standards means that Web services security has finally reached a level of maturity acceptable to many enterprises. This is a positive development for vendors and customers alike.

The ratification happened in March 2007, and support for these standards was one of the main changes included in the .NET Framework 3.5 release of CardSpace.

Overview of new WS-Trust specification

The OASIS WS-Trust is very similar to the one people have been using. The main differences are:

1. Returning the security token: a RequestSecurityTokenCollection element is used to return a security token in the final response.

2. SecondaryParameters: When a requestor inserts parameters into an RST request that come from a third party, for example a relying party policy, there is a potential for an attack. In the contributed request, both requestor RST parameters and third party RST parameters are mixed together as direct children of the wst:RequestSecurityToken element. This prevents an STS from differentiating between the RST parameters based on their source. Therefore, the STS trusts both kinds of RST parameters
Published Wednesday, November 21, 2007 10:40 PM by CardSpace: Behind The Code
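
The source separation that wst:SecondaryParameters gives an STS, as an added example that is not code from the original post or from CardSpace. It follows the WS-Trust 1.3 rule that direct children of wst:RequestSecurityToken are the requestor's own parameters and that the STS may consult or filter the wrapped ones; the sample RST, the `ALLOWED_SECONDARY` allow-list and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3 namespace
RST = f"{{{WST}}}RequestSecurityToken"
SECONDARY = f"{{{WST}}}SecondaryParameters"

# Constructed sample: the requestor asks for a symmetric key, while parameters
# copied from a relying party's policy ask for a bearer token, among others.
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{WST}">
  <wst:RequestType>{WST}/Issue</wst:RequestType>
  <wst:KeyType>{WST}/SymmetricKey</wst:KeyType>
  <wst:SecondaryParameters>
    <wst:KeyType>{WST}/Bearer</wst:KeyType>
    <wst:KeySize>256</wst:KeySize>
    <wst:SignatureAlgorithm>urn:example:constructed-alg</wst:SignatureAlgorithm>
  </wst:SecondaryParameters>
</wst:RequestSecurityToken>"""

# Hypothetical STS policy: third-party parameters it is willing to honour.
ALLOWED_SECONDARY = {"KeySize"}

def _params(parent):
    """Map local element name -> text for the WS-Trust children of parent."""
    return {c.tag.split("}", 1)[1]: (c.text or "").strip()
            for c in parent if c.tag.startswith(f"{{{WST}}}") and c.tag != SECONDARY}

def split_by_source(rst_xml):
    """Return (requestor_params, third_party_params) for one RST."""
    root = ET.fromstring(rst_xml)
    if root.tag != RST:
        raise ValueError("not a WS-Trust 1.3 RequestSecurityToken")
    wrappers = root.findall(SECONDARY)
    if len(wrappers) > 1 or any(w.find(SECONDARY) is not None for w in wrappers):
        raise ValueError("repeated or nested SecondaryParameters")
    return _params(root), (_params(wrappers[0]) if wrappers else {})

def effective_parameters(rst_xml, allowed=ALLOWED_SECONDARY):
    """Direct children win; allow-listed secondary values only fill gaps."""
    requestor, secondary = split_by_source(rst_xml)
    effective, rejected = dict(requestor), {}
    for name, value in secondary.items():
        if name in requestor:
            rejected[name] = "requestor value takes precedence"
        elif name not in allowed:
            rejected[name] = "not allowed by STS policy"
        else:
            effective[name] = value
    return effective, rejected
```

With the sample request, the relying party's bearer KeyType cannot displace the requestor's symmetric KeyType, and only the allow-listed KeySize is taken from the third-party block.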