@techreport{bhargavan2004secure, author = {Bhargavan, Karthik and Corin, Ricardo and Fournet, Cédric and Gordon, Andy}, title = {Secure Sessions for Web Services}, year = {2004}, month = {October}, abstract = {WS-Security provides basic means to secure SOAP traffic, one envelope at a time. For typical web services, however, using WS-Security independently for each message is rather inefficient; besides, it is often important to secure the integrity of a whole session, as well as each message. To these ends, recent specifications provide further SOAP-level mechanisms. WS-SecureConversation introduces security contexts, which can be used to secure sessions between two parties. WS-Trust specifies how security contexts are issued and obtained. We develop a semantics for the main mechanisms of WS-Trust and WS-SecureConversation, expressed as a library for TulaFale, a formal scripting language for security protocols. We model typical protocols relying on these mechanisms, and automatically prove their main security properties. We also informally discuss some limitations of these specifications.}, publisher = {ACM Press}, url = {http://approjects.co.za/?big=en-us/research/publication/secure-sessions-for-web-services/}, pages = {56-66}, isbn = {1-58113-973-X}, edition = {2004 ACM Workshop on Secure Web Services (SWS 2004)}, number = {MSR-TR-2004-114}, note = {2004 ACM Workshop on Secure Web Services (SWS 2004)}, }