DocumentCode :
2355026
Title :
Considering web services security policy compatibility
Author :
Lavarack, Tristan ; Coetzee, Marijke
Author_Institution :
Acad. for Inf. Technol., Univ. of Johannesburg, Gauteng, South Africa
fYear :
2010
fDate :
2-4 Aug. 2010
Firstpage :
1
Lastpage :
8
Abstract :
For most organizations supporting business-to-business (B2B) web services interactions, security is a growing concern. Web services providers and consumers document their primary and alternative security policy requirements and capabilities in security policy files, defined by WS-Policy, WS-SecurityPolicy and WS-Security syntax. To secure message exchanges to the satisfaction of all parties, the security requirements of both web services providers and consumers need to be satisfied. This paper investigates how mutually agreed-upon security policies can be created. An analysis of the policy intersection algorithm highlights its deficiencies for finding mutually compatible policies. The interrelated effect that security policy assertion choices have on each other is identified as an important aspect not yet considered. Over and above security policy assertions, other influences on security policy choices, which may affect the security level supported by the organization, are identified. A proposal is made on how the assertions of two security policies should be considered, in order to create a secure, mutually agreed-upon security policy that will satisfy the requirements of both parties.
Keywords :
Web services; business data processing; computer network security; law; WS-SecurityPolicy; WS-Policy; WS-Security syntax; Web service security policy compatibility; business to business Web service interaction; mutually agreed upon security policy; policy intersection algorithm; Authentication; Encryption; Simple object access protocol; XML; WS-Policy; WS-SecurityPolicy; policy compatibility; policy intersection; security policy assertions;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Security for South Africa (ISSA), 2010
Conference_Location :
Sandton, Johannesburg
Print_ISBN :
978-1-4244-5493-8
Type :
conf
DOI :
10.1109/ISSA.2010.5588269
Filename :
5588269