Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
Applications /

Trio submits Web service security spec to OASIS, gains Sun's support

Today's breaking news
Send to a friendFeedback

Advertisement:

By John Fontana
Network World Fusion, 06/27/02

Just two months after creating a specification to address security for Web services, IBM, Microsoft and VeriSign Thursday submitted that specification to a standards body and gained the support of a noted rival - Sun.

The WS-Security specification, developed by the trio, has been accepted for review by the Organization for the Advancement of Structured Information Standards (OASIS).

The inclusion of Sun in the standards work should help streamline the ongoing work on Web services security, which has been identified as a major weakness of the evolving technology.

"We think this submission shows our momentum and belays the perceived fragmentation of the industry," said Steven VanRoekel, director of Web services marketing for Microsoft.

Advertisement:

WS-Security outlines how to integrate disparate security systems such as Kerberos or public-key infrastructure using a set of extensions to the Simple Object Access Protocol. The initial specification includes two base extensions and there are plans to develop six others.

Baltimore Technologies, BEA Systems, Cisco, Documentum, Entrust, Intel, IONA, Netegrity, Novell, Oblix, OpenNetwork, RSA Security, SAP, Sun and Systinet will all join the OASIS development effort on WS-Security.

Sun's participation is noteworthy. The company has refused to participate in the Web Services Interoperability Organization, which was formed by IBM and Microsoft and focuses on interoperability, unless it is included as a founding member.

This week, Sun along with BEA Systems, Intalio, and SAP announced an XML-based specification it plans to submit to a standards body in the future called Web Service Choreography Interface (WSCI).

WSCI is a workflow specification describing the flow of messages exchanged by a Web service in a particular process. IBM and Microsoft also are working independently on workflow specifications for Web services.

But on the issue of security, IBM, Microsoft and Sun will now be working together under OASIS.

"The fact that they are offering this under a royalty-free license and that they submitted it to a recognized standards body cleared the way for us to participate," a Sun spokesman said.

In addition to Sun, the open-source community will also get in on the act. VeriSign will post the source code for an implementation of WS-S on SourceForge.net. The VeriSign implementation will included a set of APIs that give developers a standardized set of interfaces, using the WS-S specification, for building Web services that can send and receive signed and encrypted messages.

WS-Security will allow Web services to pass secure and signed messages, a process that today requires a patchwork of proprietary technology.

Ironically, two of the core standards used in the specification - XML Signature and XML encryption - were created by the World Wide Web Consortium (W3C), another standards body working on XML-based protocols.

"This is not a negative for the W3C it is a positive for OASIS," says Phillip Hallam-Baker, principal scientist for VeriSign. "This recognizes the security work going on at OASIS." In May, OASIS created the Security Standards Joint Committee, an oversight group to ensure consistency among its security working groups. Those groups include the Security Assertion Markup Language, Services Provisioning Markup Language and the XML Access Control Markup Language.

Eventually, it will include a WS-Security working group after an initial period where OASIS will make a public call for participants. The first meeting of the group is expected in August.

WS-Security also is part of a larger roadmap proposed by IBM, Microsoft and VeriSign which it published in April called "Security in a Web Services World." It details six other security extensions built on the WS-Security foundation for such functions as expressing security policies, trust relationships, federation and authorization.

"We are actively working on the other six specifications," says Karla Norsworthy, director of dynamic e-business technology for IBM. "But we have not committed to putting these other specs under OASIS."

RELATED LINKS

Contact Senior Editor John Fontana

Other recent articles by Fontana

Specification and "Security in a Web Services World" roadmap


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.
* HOME    * RESEARCH CENTERS     * NEWS     * EVENTS

Contact us | Terms of Service/Privacy | How to Advertise
Reprints and links | Partnerships | Subscribe to NW
About Network World, Inc.

Copyright, 1994-2006 Network World, Inc. All rights reserved.