I just noticed that the WS-I SAWG (Sample Applications Working Group) has finally released a Working Group Draft version of the design document that we have been developing against for more than two years now. See http://www.ws-i.org/ for more information.
This was my first effort designing anything with a committee and I have to admit it was a long journey with lots of ups and downs. Marc (when he originally worked for SAP) and I started this process by taking the original WSI Sample Application and creating a threat model. The threat model was then turned into a design document that tried to incorporate many scenarios that would be interesting for testing interoperability across different platforms.
The document has gone through many hands since then but should be a good read for anyone interested in learning how we secured our applications. If you read the document and have feedback please reply to this entry or send an email to mailto:email@example.com.
A working group draft of the WS-I Sample Applications should also be availble from ourselves (on WSE 3.0), and three other vendors in the coming weeks - so stay tuned. This will be Microsoft's second release (we released a draft WSE2.0 version here 12 months ago) - but a lot has changed since then...
One area that we are particularly interested in is wrt our use of X.509 certificates. I am interested to find out how many other people have key management requirements similar to those described in the document. Drop me a note on this blog or at jahogg at microsoft.com if you don't mind. I want to get a sense of how wide spread these requirements are and under what circumstances you do / don't apply the same requirements.