Editing WS-Security (section)

==Features==
WS-Security describes three main mechanisms:
* How to sign SOAP messages to assure integrity. Signed messages also provide [[non-repudiation]].
* How to encrypt SOAP messages to assure confidentiality.
* How to attach security tokens to ascertain the sender's identity.

The specification allows a variety of signature formats, encryption algorithms and multiple trust domains, and is open to various security token models, such as:
* X.509 certificates,
* Kerberos tickets,
* User ID/Password credentials,
* SAML Assertions, and
* custom-defined tokens.
The token formats and semantics are defined in the associated profile documents.

WS-Security incorporates security features in the header of a SOAP message, working in the [[application layer]].

These mechanisms by themselves do not provide a complete security solution for Web services. Instead, this specification is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to accommodate a wide variety of security models and security technologies. In general, WSS by itself does not provide any guarantee of security. When implementing and using the framework and syntax, it is up to the implementor to ensure that the result is not vulnerable.

Key management, trust bootstrapping, federation and agreement on the technical details (ciphers, formats, algorithms) is outside the scope of WS-Security.