This document proposes a security mechanism for web services based on a Security Token Service (STS). It introduces the STS to provide security at the message level rather than only at the transport level. The proposed STS-based architecture includes a Central Authority to manage certificates, an STS server to issue and validate security tokens for transactions, and a trust domain whose parties comply with common rules. In this mechanism, services register with the domain and find each other via UDDI; the requestor then obtains a security token from the STS and requests the service securely. The architecture aims to provide higher security and performance for web services than existing specifications.
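The register, obtain-token, request-service flow described above can be sketched as follows. This is an added example, not code from the proposed document: the class and function names, the claim fields, and the use of an HMAC key in place of Central Authority certificates are all assumptions, and UDDI discovery is not modelled.

```python
import base64, hashlib, hmac, json, secrets, time

class SecurityTokenService:
    """Toy STS: issues and validates tokens for trust-domain members."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumption: HMAC key stands in for CA-issued certs
        self._members = set()                # parties registered in the trust domain

    def register(self, party):
        self._members.add(party)

    def _tag(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def issue(self, requestor, service, ttl=300, now=None):
        if not {requestor, service} <= self._members:
            raise PermissionError("both parties must be in the trust domain")
        now = time.time() if now is None else now
        claims = {"sub": requestor, "aud": service, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._tag(body)).decode()

    def validate(self, token, service, now=None):
        """Return the requestor name if the token is authentic, unexpired and for `service`."""
        body, _, tag = token.encode().partition(b".")
        if not hmac.compare_digest(self._tag(body), tag):
            return None                      # forged or modified token
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if claims["aud"] != service or claims["exp"] < now:
            return None                      # wrong audience or expired
        return claims["sub"]

def handle_request(sts, service, message):
    """Service side: the token travels inside the message, not in the transport."""
    caller = sts.validate(message.get("token", ""), service)
    if caller is None:
        return {"status": "rejected"}
    return {"status": "ok", "caller": caller, "echo": message["body"]}

if __name__ == "__main__":
    sts = SecurityTokenService()
    for name in ("orders", "billing"):       # constructed service names
        sts.register(name)
    msg = {"token": sts.issue("orders", "billing"), "body": "invoice 17"}
    print(handle_request(sts, "billing", msg))
    print(handle_request(sts, "billing", {"token": "x.y", "body": "invoice 17"}))
```

Because the token is bound to an audience and an expiry and is checked by the STS on every request, a token captured for one service is rejected when replayed to another service or after it expires.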