SSL is not enough for Web Services, below mentioned are the reasions:
- Intermediaries - SSL provide point-to-point whole message encription. Intermediaries need encription of parts of messages so that part can be read.
- Two-way-authentication - Client side SSL required for two way credential management however is very deficult to manage, hence SSL is not suitable for authenticating all kind of web services clients.
- Authorization - SSL does not handle authorization issues at all.
- Federation - SSL has no mechanism of federation of web services security credentials which is very necessary in distributed web services environments.
