Web Services Glossary

Editors' Draft $Date: 2004/02/03 08:00:46 $ 2004

This version:
Latest version:
Previous version:
Hugo Haas, W3C
Allen Brown, Microsoft (until June 2002)


This document is a glossary of Web services terms found in the Web Services Architecture [WS Arch]. It is intended for use by Web services spefications in order to refer to a common coherent framework.

Status of this Document

This document is an editors' copy that has no official standing.

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

This is a public Working Group Note of the Web Services Glossary. It has been produced by the W3C Web Services Architecture Working Group, which is part of the W3C Web Services Activity.

Comments on this document should be discussed on the www-ws-arch@w3.org mailing list (public archive), though the Working Group makes no commitment about addressing the comments.

Patent disclosures relevant to this document may be found on the Working Group's patent disclosure page.

Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than 'work in progress.'

Table of Contents

1 Introduction
2 Definitions
3 References


A Acknowledgements (Non-Normative)

1 Introduction

This document contains a list of Web services terms that are part of a coherent framework defined in the Web Services Architecture [WS Arch]. The relationships between the defined terms are defined in the concepts and relationships section of [WS Arch].

Terms are capitalized when it is meaningful, or otherwise are defined in lowercase.

Some definitions in this document are derived verbatim from external documents. In such cases, the source is indicated as a reference, listed in the 3 References section.

2 Definitions


To interact with a system entity in order to manipulate, use, gain knowledge of, and/or obtain a representation of some or all of a system entity's resources. [RFC 2828]

access control

Protection of resources against unauthorized access; a process by which use of resources is regulated according to a security policy and is permitted by only authorized system entities according to that policy. [RFC 2828]

access control information
  1. Any information used for access control purposes, including contextual information. [X.812]

  2. Contextual information might include source IP address, encryption strength, the type of operation being requested, time of day, etc. Portions of access control information may be specific to the request itself, some may be associated with the connection via which the request is transmitted, and others (for example, time of day) may be "environmental". [RFC 2829]

access rights

A description of the type of authorized interactions a subject can have with a resource. Examples include read, write, execute, add, modify, and delete. [WSIA Glossary]

  1. A person or organization that may be the owner of agents that either seek to use Web services or provide Web services.

  2. A physical or conceptual entity that can perform actions. Examples: people; companies; machines; running software. An actor can take on (or implement) one or more roles. An actor at one level of abstraction may be viewed as a role at a lower level of abstraction.


An agent is a program acting on behalf of a person or organization. (This definition is a specialization of the definition in [Web Arch]. It corresponds to the notion of software agent in [Web Arch].)


The quality or state of being anonymous, which is the condition of having a name or identity that is unknown or concealed. [RFC 2828]

  1. The software architecture of a program or computing system is the structure or structures of the system. This structure includes software components, the externally visible properties of those components, the relationships among them and the constraints on their use. (based on the definition of architecture in [Soft Arch Pract])

  2. A software architecture is an abstraction of the run-time elements of a software system during some phase of its operation. A system may be composed of many levels of abstraction and many phases of operation, each with its own software architecture. [Fielding]


A piece of digital information. An artifact may be any size, and may be composed of other artifacts. Examples of artifacts: a message; a URI; an XML document; a PNG image; a bit stream.


An interaction is said to be asynchronous when the associated messages are chronologically and procedurally decoupled. For example, in a request-response interaction, the client agent can process the response at some indeterminate point in the future when its existence is discovered. Mechanisms to do this include polling, notification by receipt of another message, etc.


A distinct characteristic of an object. An object's attributes are said to describe the object. Objects' attributes are often specified in terms of their physical traits, such as size, shape, weight, and color, etc., for real-world objects. Objects in cyberspace might have attributes describing size, type of encoding, network address, etc. [WSIA Glossary]

audit guard

An audit guard is a mechanism used on behalf of an owner that monitors actions and agents to verify the satisfaction of obligations.


Authentication is the process of verifying that a potential partner in a conversation is capable of representing a person or organization.


The process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource. Usually, authorization is in the context of authentication. Once a subject is authenticated, it may be authorized to perform different types of access. [STG]

  1. An association between an interface, a concrete protocol and a data format. A binding specifies the protocol and data format to be used in transmitting messages defined by the associated interface. [WSD Reqs]

  2. The mapping of an interface and its associated operations to a particular concrete message format and transmission protocol.

  3. See also SOAP binding.


A capability is a named piece of functionality (or feature) that is declared as supported or requested by an agent.

  1. A choreography defines the sequence and conditions under which multiple cooperating independent agents exchange messages in order to perform a task to achieve a goal state.

  2. Web Services Choreography concerns the interactions of services with their users. Any user of a Web service, automated or otherwise, is a client of that service. These users may, in turn, be other Web Services, applications or human beings. Transactions among Web Services and their clients must clearly be well defined at the time of their execution, and may consist of multiple separate interactions whose composition constitutes a complete transaction. This composition, its message protocols, interfaces, sequencing, and associated logic, is considered to be a choreography. [WSC Reqs]

  1. A component is a software object, meant to interact with other components, encapsulating certain functionality or a set of functionalities. A component has a clearly defined interface and conforms to a prescribed behavior common to all components within an architecture. [CCA T&D]

  2. A component is an abstract unit of software instructions and internal state that provides a transformation of data via its interface. [Fielding]

  3. A component is a unit of architecture with defined boundaries.


Assuring information will be kept secret, with access limited to appropriate persons. [NSA Glossary]


A collection of properties which may be changed. A property may influence the behavior of an entity.


A transport layer virtual circuit established between two programs for the purpose of communication. [RFC 2616]


To cause a desired change in state. Management systems may control the life cycle of manageable Web services or information flow such as messages.


A Web service conversation involves maintaining some state during an interaction that involves multiple messages and/or participants.


Data that is transferred to establish a claimed principal identity. [X.800]

delivery policy

A delivery policy is a policy that constrains the methods by which messages are delivered by the message transport.

digital signature

A value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity. (See: data origin authentication service, data integrity service, digitized signature, electronic signature, signer.) [RFC 2828]


The act of locating a machine-processable description of a Web service-related resource that may have been previously unknown and that meets certain functional criteria. It involves matching a set of functional and other criteria with a set of resource descriptions. The goal is to find an appropriate Web service-related resource.

discovery service

A discovery service is a service that enables agents to retrieve Web services-related resource description.


Any data that can be represented in a digital form. [UeB Glossary]

Electronic Data Interchange (EDI)

The automated exchange of any predefined and structured data for business among information systems of two or more organizations. [ISO/IEC 14662]


A domain is an identified set of agents and/or resources that is subject to the constraints of one of more policies.


Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called "decryption", which is a transformation that restores encrypted data to its original state. [RFC 2828]

end point

An association between a binding and a network address, specified by a URI, that may be used to communicate with an instance of a service. An end point indicates a specific location for accessing a service using a specific protocol and data format. [WSD Reqs]


An agent that terminates a message on an inbound interface with the intent of presenting it through an outbound interface as a new message. Unlike a proxy, a gateway receives messages as if it were the final receiver for the message. Due to possible mismatches between the inbound and outbound interfaces, a message may be modified and may have some or all of its meaning lost during the conversion process. For example, an HTTP PUT has no equivalent in SMTP.

Note: a gateway may or may not be a SOAP node; however a gateway is never a SOAP intermediary, since gateways terminate messages and SOAP intermediaries relay them instead. Being a gateway is typically a permanent role, whilst being a SOAP intermediary is message specific.


Property of an interaction whose results and side-effects are the same whether it is done one or multiple times. [RFC 2616]

Safe interactions are inherently idempotent.


An identifier is an unambiguous name for a resource.

initial SOAP sender

The SOAP sender that originates a SOAP message at the starting point of a SOAP message path.


Assuring information will not be accidentally or maliciously altered or destroyed. [NSA Glossary]

loose coupling

Coupling is the dependency between interacting systems. This dependency can be decomposed into real dependency and artificial dependency:

  1. Real dependency is the set of features or services that a system consumes from other systems. The real dependency always exists and cannot be reduced.

  2. Artificial dependency is the set of factors that a system has to comply with in order to consume the features or services provided by other systems. Typical artificial dependency factors are language dependency, platform dependency, API dependency, etc. Artificial dependency always exists, but it or its cost can be reduced.

Loose coupling describes the configuration in which artificial dependency has been reduced to the minimum.

manageable service

A Web service becomes a manageable service with additional semantics, policy statements, and monitoring and control (or management) capabilities (exposed via a management interface) all for the purpose of managing the service.


The utilization of the management capabilities by the management system in order to perform monitoring of values, tracking of states and control of entities in order to produce and maintain a stable operational environment.

management capability

Capabilities that a Web service has for the purposes of controlling or monitoring the service, and that can be exposed to a management system for the sole purpose of managing the service.

management interface

Interface through which the management capabilities of a service are exposed.

management policy

Policy associated with a Web service solely for the purpose of describing the management obligations and permissions for the service.

management semantics

The management semantics of a service augment the semantics of a service with management-specific semantics. These management semantics form the contract between the provider entity and the requester entity that expresses the effects and requirements pertaining to the management and management policies for a service.

  1. A message is the basic unit of data sent from one Web services agent to another in the context of Web services.

  2. The basic unit of communication between a Web service and a requester: data to be communicated to or from a Web service as a single logical transmission. [WSD Reqs]

  3. See also SOAP message.

message correlation

Message correlation is the association of a message with a context. Message correlation ensures that the requester agent can match the reply with the request, especially when multiple replies may be possible.

message exchange pattern (MEP)
  1. A Message Exchanage Pattern (MEP) is a template, devoid of application semantics, that describes a generic pattern for the exchange of messages between agents. It describes the relationships (e.g., temporal, causal, sequential, etc.) of multiple messages exchanged in conformance with the pattern, as well as the normal and abnormal termination of any message exchange conforming to the pattern.

  2. See SOAP message exchange pattern (MEP).

message receiver

A message receiver is an agent that receives a message.

message reliability

Message reliability is the degree of certainty that a message will be delivered and that sender and receiver will both have the same understanding of the delivery status.

message sender

A message sender is the agent that transmits a message.

message transport

A message transport is a mechanism that may be used by agents to deliver messages.


Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data. [INFOSEC Glossary]


An obligation is a kind of policy that prescribes actions and/or states of an agent and/or resource.


A set of messages related to a single Web service action. [WSD Reqs]


An orchestration defines the sequence and conditions in which one Web service invokes other Web services in order to realize some useful function. I.e., an orchestration is the pattern of interactions that a Web service agent must follow in order to achieve its goal.


A permission is a kind of policy that prescribes the allowed actions and states of an agent and/or resource.

permission guard

A permission guard is a mechanism deployed on behalf of an owner to enforce permission policies.

person or organization

A person or organization may be the owner of agents that provide or request Web services.


A policy is a constraint on the behavior of agents or person or organization.

policy guard

A policy guard is a mechanism that enforces one or more policies. It is deployed on behalf of an owner.


A system entity whose identity can be authenticated. [X.811]

privacy policy

A set of rules and practices that specify or regulate how a person or organization collects, processes (uses) and discloses another party's personal data as a result of an interaction.

provider agent

An agent that is capable of and empowered to perform the actions associated with a service on behalf of its owner — the provider entity.

provider entity

The person or organization that is providing a Web service.


A set of formal rules describing how to transmit data, especially across a network. Low level protocols define the electrical and physical standards to be observed, bit- and byte-ordering and the transmission and error detection and correction of the bit stream. High level protocols deal with the data formatting, including the syntax of messages, the terminal to computer dialogue, character sets, sequencing of messages etc. [FOLDOC]


An agent that relays a message between a requester agent and a provider agent, appearing to the Web service to be the requester.

quality of service

Quality of Service is an obligation accepted and advertised by a provider entity to service consumers.

reference architecture

A reference architecture is the generalized architecture of several end systems that share one or more common domains. The reference architecture defines the infrastructure common to the end systems and the interfaces of components that will be included in the end systems. The reference architecture is then instantiated to create a software architecture of a specific system. The definition of the reference architecture facilitates deriving and extending new software architectures for classes of systems. A reference architecture, therefore, plays a dual role with regard to specific target software architectures. First, it generalizes and extracts common functions and configurations. Second, it provides a base for instantiating target systems that use that common base more reliably and cost effectively. [Ref Arch]


Authoritative, centrally controlled store of information.

requester agent

A software agent that wishes to interact with a provider agent in order to request that a task be performed on behalf of its owner — the requester entity.

requester entity

The person or organization that wishes to use a provider entity's Web service.


Property of an interaction which does not have any significance of taking an action other than retrieval of information. [RFC 2616]

security administration

Configuring, securing and/or deploying of systems or applications enabling a security domain.

security architecture

A plan and set of principles for an administrative domain and its security domains that describe the security services that a system is required to provide to meet the needs of its users, the system elements required to implement the services, and the performance levels required in the elements to deal with the threat environment. A complete security architecture for a system addresses administrative security, communication security, computer security, emanations security, personnel security, and physical security, and prescribes security policies for each. A complete security architecture needs to deal with both intentional, intelligent threats and accidental threats. A security architecture should explicitly evolve over time as an integral part of its administrative domain's evolution. [RFC 2828]

security auditing

A service that reliably and securely records security-related events producing an audit trail enabling the reconstruction and examination of a sequence of events. Security events could include authentication events, policy enforcement decisions, and others. The resulting audit trail may be used to detect attacks, confirm compliance with policy, deter abuse, or other purposes.

security domain

An environment or context that is defined by security models and a security architecture, including a set of resources and set of system entities that are authorized to access the resources. One or more security domains may reside in a single administrative domain. The traits defining a given security domain typically evolve over time. [RFC 2828]

security mechanism

A process (or a device incorporating such a process) that can be used in a system to implement a security service that is provided by or within the system.

security model

A schematic description of a set of entities and relationships by which a specified set of security services are provided by or within a system. [RFC 2828]

security policy

A set of rules and practices that specify or regulate how a system or organization provides security services to protect resources. Security policies are components of security architectures. Significant portions of security policies are implemented via security services, using security policy expressions. [RFC 2828]

security policy expression

A mapping of principal identities and/or attributes thereof with allowable actions. Security policy expressions are often essentially access control lists. [STG]

security service

A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources may reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of AAA services. Security services typically implement portions of security policies and are implemented via security mechanisms. [RFC 2828]

  1. A service is an abstract resource that represents a capability of performing tasks that form a coherent functionality from the point of view of providers entities and requesters entities. To be used, a service must be realized by a concrete provider agent.

  2. WSDL service: A collection of end points. [WSD Reqs]

  3. See Web service.

service description

A service description is a set of documents that describe the interface to and semantics of a service.

service interface
  1. A service interface is the abstract boundary that a service exposes. It defines the types of messages and the message exchange patterns that are involved in interacting with the service, together with any conditions implied by those messages.

  2. A logical grouping of operations. An interface represents an abstract service type, independent of transmission protocol and data format. [WSD Reqs]

service intermediary
  1. A service intermediary is a Web service whose main role is to transform messages in a value-added way. (From a messaging point of view, an intermediary processes messages en route from one agent to another.) Specifically, we say that a service intermediary is a service whose outgoing messages are equivalent to its incoming messages in some application-defined sense.

  2. See SOAP intermediary.

service provider

See provider agent and provider entity. See also the discussion about service provider in [WS Arch].

service requester

See requester agent and requester entity. See also the discussion about service requester in [WS Arch].

service role

An abstract set of tasks which is identified to be relevant by a person or organization offering a service. Service roles are also associated with particular aspects of messages exchanged with a service.

service semantics

The semantics of a service is the behavior expected when interacting with the service. The semantics expresses a contract (not necessarily a legal contract) between the provider entity and the requester entity. It expresses the effect of invoking the service. A service semantics may be formally described in a machine readable form, identified but not formally defined, or informally defined via an out of band agreement between the provider and the requester entity.

service-oriented architecture

A set of components which can be invoked, and whose interface descriptions can be published and discovered.


A lasting interaction between system entities, often involving a user, typified by the maintenance of some state of the interaction for the duration of the interaction. [WSIA Glossary]

Such an interaction may not be limited to a single connection between the system entities.


The formal set of conventions governing the format and processing rules of a SOAP message. These conventions include the interactions among SOAP nodes generating and accepting SOAP messages for the purpose of exchanging information along a SOAP message path.

SOAP application

A software entity that produces, consumes or otherwise acts upon SOAP messages in a manner conforming to the SOAP processing model.

SOAP binding

The formal set of rules for carrying a SOAP message within or on top of another protocol (underlying protocol) for the purpose of exchange. Examples of SOAP bindings include carrying a SOAP message within an HTTP entity-body, or over a TCP stream.

SOAP body

A collection of zero or more element information items targeted at an ultimate SOAP receiver in the SOAP message path.

SOAP envelope

The outermost element information item of a SOAP message.

SOAP fault

A SOAP element information item which contains fault information generated by a SOAP node.

SOAP feature

An extension of the SOAP messaging framework typically associated with the exchange of messages between communicating SOAP nodes. Examples of features include "reliability", "security", "correlation", "routing", and the concept of message exchange patterns.

SOAP header

A collection of zero or more SOAP header blocks each of which might be targeted at any SOAP receiver within the SOAP message path.

SOAP header block

An element information item used to delimit data that logically constitutes a single computational unit within the SOAP header. The type of a SOAP header block is identified by the fully qualified name of the header block element information item.

SOAP intermediary

A SOAP intermediary is both a SOAP receiver and a SOAP sender and is targetable from within a SOAP message. It processes the SOAP header blocks targeted at it and acts to forward a SOAP message towards an ultimate SOAP receiver.

SOAP message

The basic unit of communication between SOAP nodes.

SOAP message exchange pattern (MEP)

A template for the exchange of SOAP messages between SOAP nodes enabled by one or more underlying SOAP protocol bindings. A SOAP MEP is an example of a SOAP feature.

SOAP message path

The set of SOAP nodes through which a single SOAP message passes. This includes the initial SOAP sender, zero or more SOAP intermediaries, and an ultimate SOAP receiver.

SOAP node

The embodiment of the processing logic necessary to transmit, receive, process and/or relay a SOAP message, according to the set of conventions defined by this recommendation. A SOAP node is responsible for enforcing the rules that govern the exchange of SOAP messages. It accesses the services provided by the underlying protocols through one or more SOAP bindings.

SOAP receiver

A SOAP node that accepts a SOAP message.

SOAP role

A SOAP node's expected function in processing a message. A SOAP node can act in multiple roles.

SOAP sender

A SOAP node that transmits a SOAP message.


A set of attributes representing the properties of a component at some point in time.


An interaction is said to be synchronous when the participating agents must be available to receive and process the associated messages from the time the interaction is initiated until all messages are actually received or some failure condition is determined. The exact meaning of "available to receive the message" depends on the characteristics of the participating agents (including the transfer protocol it uses); it may, but does not necessarily, imply tight time synchronization, blocking a thread, etc.

system entity

An active element of a computer/network system. For example, an automated process or set of processes, a subsystem, a person or group of persons that incorporates a distinct set of functionality. [RFC 2828]


Transaction is a feature of the architecture that supports the coordination of results or operations on state in a multi-step interaction. The fundamental characteristic of a transaction is the ability to join multiple actions into the same unit of work, such that the actions either succeed or fail as a unit.

ultimate SOAP receiver

The SOAP receiver that is a final destination of a SOAP message. It is responsible for processing the contents of the SOAP body and any SOAP header blocks targeted at it. In some circumstances, a SOAP message might not reach an ultimate SOAP receiver, for example because of a problem at a SOAP intermediary. An ultimate SOAP receiver cannot also be a SOAP intermediary for the same SOAP message.

usage auditing

Service that reliably and securely records usage-related events producing an audit trail enabling the reconstruction and examination of a sequence of events. Usage events could include resource allocation events and resource freeing events.

Web service

There are many things that might be called "Web services" in the world at large. However, for the purpose of this Working Group and this architecture, and without prejudice toward other definitions, we will use the following definition:

A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP-messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards.

3 References

CCA Terms and Definitions, CCA Forum, Kate Keahey (See http://www.acl.lanl.gov/cca/terms.html.)
Architectural Styles and the Design of Network-based Software Architectures, PhD dissertation, R. Fielding, 2000 (See http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm.)
The Free On-line Dictionary of Computing, D. Howe (See http://www.foldoc.org/.)
INFOSEC Glossary
National Information Systems Security (INFOSEC) Glossary, National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, 5 June 1992
ISO/IEC 14662
Information technology -- Open-edi reference model, International Standard, ISO/IEC 14662:1997 (See http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=25154.)
NSA Glossary
NSA Glossary of Terms Used in Security and Intrusion Detection, NSA, April 1998 (See http://www.sans.org/newlook/resources/glossary.htm.)
Soft Arch Pract
Software Architecture in Practice, ISBN 0201199300, L. Bass, P, Clements, R. Kazman, 1997
Ref Arch
Using the Architecture Tradeoff Analysis Method(SM) to Evaluate a Reference Architecture: A Case Study, B. Gallagher, June 2000 (See http://www.sei.cmu.edu/publications/documents/00.reports/00tn007/00tn007.html.)
RFC 2616
Hypertext Transfer Protocol -- HTTP/1.1, IETF RFC 2616, R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee June 1999 (See http://www.ietf.org/rfc/rfc2616.txt.)
RFC 2828
Internet Security Glossary, IETF RFC 2828, R. Shirey, May 2000 (See http://www.ietf.org/rfc/rfc2828.txt.)
RFC 2829
Authentication Methods for LDAP, IETF RFC 2829, M. Wahl, H. Alvestrand, J. Hodges, R. Morgan , May 2000 (See http://www.ietf.org/rfc/rfc2829.txt.)
Security Taxonomy and Glossary, L. Wheeler (See http://www.garlic.com/~lynn/secure.htm.)
SOAP12 Part1
SOAP Version 1.2 Part 1: Messaging Framework, W3C Recommendation, M. Gudgin, M. Hadley, N. Mendelsohn, J-J. Moreau, H. Nielsen, 24 June 2003 (See http://www.w3.org/TR/2003/REC-soap12-part1-20030624/.)
UeB Glossary
UN/CEFACT eBusiness Glossary, UN/CEFACT Working Draft Revision 0.53, 13 December 2002
Web Arch
Architecture of the World Wide Web, First Edition, W3C Working Draft, I. Jacobs, 9 December 2003 (See http://www.w3.org/TR/2003/WD-webarch-20031209/.)
WS Arch
Web Services Architecture, W3C Working Group Note, D. Booth, H. Haas, F. McCabe, E. Newcomer, M. Champion, C. Ferris, D. Orchard, @@ February 2004 (See http://dev.w3.org/cvsweb/~checkout~/2002/ws/arch/wsa/wd-wsa-arch-review2.html.)
WSIA Glossary
Glossary for the OASIS WebService Interactive Applications (WSIA/WSRP), OASIS draft, 3 May 2002 (See http://www.oasis-open.org/committees/wsia/glossary/wsia-draft-glossary-03.htm.)
WSC Reqs
Web Services Choreography Requirements 1.0, W3C Working Draft, D. Austin, A. Barbir, E. Peters, S. Ross-Talbot, 12 August 2003 (See http://www.w3.org/TR/2003/WD-ws-chor-reqs-20030812/.)
WSD Reqs
Web Service Description Requirements, W3C Working Draft, J. Schlimmer, 28 October 2002 (See http://www.w3.org/TR/2002/WD-ws-desc-reqs-20021028/.)
Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture, ISO 7498-2:1989, ITU-T Recommendation X.800 (1991) (See http://www.itu.int/itudoc/itu-t/rec/x/x500up/x800.html.)
Security Frameworks for Open Systems: Authentication Framework, ITU-T Recommendation X.811 (1995 E), ISO/IEC 10181-2:1996(E) (See http://www.itu.int/itudoc/itu-t/rec/x/x500up/x811.html.)
Security frameworks for open systems: Access control framework, ITU-T Recommendation X.812 (1995 E), ISO/IEC 10181-3:1996(E) (See http://www.itu.int/itudoc/itu-t/rec/x/x500up/x812.html.)

A Acknowledgements (Non-Normative)

This document has been produced by the Web Services Architecture Working Group.

Members of the Working Group are (at the time of writing, and by alphabetical order): Geoff Arnold (Sun Microsystems, Inc.), Mukund Balasubramanian (Infravio, Inc.), Mike Ballantyne (EDS), Abbie Barbir (Nortel Networks), David Booth (W3C), Mike Brumbelow (Apple), Doug Bunting (Sun Microsystems, Inc.), Greg Carpenter (Nokia), Tom Carroll (W. W. Grainger, Inc.), Alex Cheng (Ipedo), Michael Champion (Software AG), Martin Chapman (Oracle Corporation), Ugo Corda (SeeBeyond Technology Corporation), Roger Cutler (ChevronTexaco), Jonathan Dale (Fujitsu), Suresh Damodaran (Sterling Commerce(SBC)), James Davenport (MITRE Corporation), Paul Denning (MITRE Corporation), Gerald Edgar (The Boeing Company), Shishir Garg (France Telecom), Hugo Haas (W3C), Hao He (The Thomson Corporation), Dave Hollander (Contivo), Yin-Leng Husband (Hewlett-Packard Company), Mario Jeckle (DaimlerChrysler Research and Technology), Heather Kreger (IBM), Sandeep Kumar (Cisco Systems Inc), Hal Lockhart (OASIS), Michael Mahan (Nokia), Francis McCabe (Fujitsu), Michael Mealling (VeriSign, Inc.), Jeff Mischkinsky (Oracle Corporation), Eric Newcomer (IONA), Mark Nottingham (BEA Systems), David Orchard (BEA Systems), Bijan Parsia (MIND Lab), Adinarayana Sakala (IONA), Waqar Sadiq (EDS), Igor Sedukhin (Computer Associates), Hans-Peter Steiert (DaimlerChrysler Research and Technology), Katia Sycara (Carnegie Mellon University), Bryan Thompson (Hicks & Associates, Inc.), Sinisa Zimek (SAP).

Previous members of the Working Group were: Assaf Arkin (Intalio, Inc.), Daniel Austin (W. W. Grainger, Inc.), Mark Baker (Idokorro Mobile, Inc. / Planetfred, Inc.), Tom Bradford (XQRL, Inc.), Allen Brown (Microsoft Corporation), Dipto Chakravarty (Artesia Technologies), Jun Chen (MartSoft Corp.), Alan Davies (SeeBeyond Technology Corporation), Glen Daniels (Macromedia), Ayse Dilber (AT&T), Zulah Eckert (Hewlett-Packard Company), Colleen Evans (Sonic Software), Chris Ferris (IBM), Daniela Florescu (XQRL Inc.), Sharad Garg (Intel), Mark Hapner (Sun Microsystems, Inc.), Joseph Hui (Exodus/Digital Island), Michael Hui (Computer Associates), Nigel Hutchison (Software AG), Marcel Jemio (DISA), Mark Jones (AT&T), Timothy Jones (CrossWeave, Inc.), Tom Jordahl (Macromedia), Jim Knutson (IBM), Steve Lind (AT&T), Mark Little (Arjuna), Bob Lojek (Intalio, Inc.), Anne Thomas Manes (Systinet), Jens Meinkoehn (T-Nova Deutsche Telekom Innovationsgesellschaft), Nilo Mitra (Ericsson), Don Mullen (TIBCO Software, Inc.), Himagiri Mukkamala (Sybase, Inc.), Joel Munter (Intel), Henrik Frystyk Nielsen (Microsoft Corporation), Duane Nickull (XML Global Technologies), David Noor (Rogue Wave Software), Srinivas Pandrangi (Ipedo), Kevin Perkins (Compaq), Mark Potts (Talking Blocks, Inc), Fabio Riccardi (XQRL, Inc.), Don Robertson (Documentum), Darran Rolls (Waveset Technologies, Inc.), Krishna Sankar (Cisco Systems Inc), Jim Shur (Rogue Wave Software), Patrick Thompson (Rogue Wave Software), Steve Vinoski (IONA), Scott Vorthmann (TIBCO Software, Inc.), Jim Webber (Arjuna), Prasad Yendluri (webMethods, Inc.), Jin Yu (MartSoft Corp.) .

The people who have contributed to discussions on the www-ws-arch public mailing list are also gratefully acknowledged.