WS-Security Spec Sent to OASIS
The WS-Security specification is a leading Web services standards effort to support, integrate and unify multiple security models, mechanisms and technologies, allowing a variety of systems to interoperate in a platform- and language-neutral manner, the companies said.
Eric Newcomer, chief technology officer of Iona Technologies Inc., in Waltham, Mass., and a founding member of the working group that will handle the WS-Security standards effort within OASIS, said from his perspective IBM and Microsoft grew "impatient" with the efforts of the Worldwide Web Consortium (W3C) to deliver a standard around security and Web services.
Newcomer, a member of the W3C Web Services Architecture Working Group, said the group has been trying to create a security working group at the W3C to no avail. "Its hard to do," he said.
However, "Id say its a good choice," Newcomer said of the decision to push the standard through OASIS. "They have a good track record" delivering standards, he said.
In addition to Iona, many OASIS member companies pledged support for WS-Security, including Baltimore Technologies plc., BEA Systems Inc., Documentum Inc., Entrust Inc., Netegrity Inc., Novell Inc., Oblix Inc., RSA Security Inc., SAP AG, Sun Microsystems Inc. and Systinet Corp.
With this announcement, IBM, Microsoft and VeriSign strengthened their commitment to build and deliver standards-based security solutions, the companies said. The three companies will continue to work together to advance standards-based specifications that will allow for comprehensive Web services security solutions as outlined in the "Security in a Web Services World" road map, which was drafted by IBM and Microsoft in April.
"We have to make some progress, and we have to get this stuff standardized," Newcomer said.
The WS-Security specification, which provides the foundation for that road map, defines a standard set of Simple Object Access Protocol (SOAP) extensions, or message headers, which can be used to implement integrity and confidentiality in Web services applications. Web services are applications that can be accessed through XML and SOAP-based protocols, making them platform- and language-independent. WS-Security provides a foundation layer for secure Web services, laying the groundwork for higher-level facilities such as federation, policy and trust.
VeriSign said it will be putting out an open-source implementation of the WS-Security specification to allow developers to gain familiarity with the spec, a company spokesman said. "It will show how to build in things like digital signatures and encryption to Web services," the spokesman said. The specification will be available for download from VeriSign and on the SourceForge.net open-source site.