Page Two

By Darryl K. Taft  |  Posted 2002-10-07

As a result of the infighting, enterprises delving into Web services may be forced into a holding pattern on security. Steve Devoti, IT security and directory services manager at CUNA Mutual Group, in Madison, Wis., said that while enough security exists for running Web services over a trusted network, more is needed when they're extended outside a firewall.

"Web services can be made secure," Devoti said. "However, because we still don't have all the industry standards in place, it still requires us to do business in the ways we have in the past, i.e., setting up agreements with our partners in advance ... and [regarding] how we will make identity and authorization assertions."

Ed Leveille, vice president and CIO at Providence Washington Insurance Companies Inc., in Providence, R.I., said a cohesive services security standard will be important as Web services proliferate. Leveille is beginning to use Web services and is researching WS-Security to see how it will be applied.

While OASIS didn't establish a timetable for when WS-Security would be released, Microsoft and IBM, of Armonk, N.Y., opted to bring the specification to OASIS because they were "impatient" with the World Wide Web Consortium's efforts to deliver a security standard, said Eric Newcomer, chief technology officer at Iona. The W3C has been working on standards such as XML Signature, XML Encryption and Extensible Key Management Specification.

Chris Davis, a senior security consultant with RedSiren Inc., in Pittsburgh, said Microsoft and IBM may have made Web services security more difficult simply by bringing WS-Security to OASIS rather than to the W3C, which already has similar security measures.

"What Microsoft and IBM have done is gone off to the side and created their own standard," which could be a problem for end users, Davis said.

"In the browser wars, users were impeded by conflicting standards, and the same thing could happen with WS-Security versus the W3C standards," Davis said. "When you have vendors running around [adhering to several differing standards], it is defaulting to a relatively insecure implementation."


Darryl K. Taft covers the development tools and developer-related issues beat from his office in Baltimore. He has more than 10 years of experience in the business and is always looking for the next scoop. Taft is a member of the Association for Computing Machinery (ACM) and was named 'one of the most active middleware reporters in the world' by The Middleware Co. He also has his own card in the 'Who's Who in Enterprise Java' deck.
