Editing WS-Security (section)

==Alternative==
In point-to-point situations [[confidentiality]] and [[data integrity]] can also be enforced on Web services through the use of [[Transport Layer Security]] (TLS), for example, by sending messages over [[https|HTTPS]]. WS-Security, however, addresses the wider problem of maintaining integrity and confidentiality of messages until after a message is sent from the originating node, providing so-called [[End-to-end principle|end to end security]].

Applying TLS can significantly reduce the overhead involved by removing the need to encode keys and message signatures into [[XML]] before sending. A challenge in using TLS would be if messages needed to go through an application-level [[proxy server]], as it would need to be able to see the request for routing. In such an example, the server would see the request coming from the proxy, not the client; this could be worked around by having the proxy have a copy of the client's key and certificate, or by having a signing certificate trusted by the server, with which it could generate a key/certificate pair matching those of the client. However, as the proxy is not operating on the message, it does not ensure end-to-end security, but only ensures point-to-point security.