Web Services Security: A Political Battlefield
At the International World Wide Web Conference held here this month, Tim Berners-Lee, director of the World Wide Web Consortium, reiterated his organization's obligation to preserve interoperability on the Web. The only way to do so, he said, was for the W3C to recommend specifications that would allow software to work together regardless of who designed it.
The W3C's ability to remain the steward of Internet interoperability, however, will be tested as competing specifications for securing Web services emerge and are submitted for recommendation. Already, the battle lines are forming.
On one side is the more established SAML (Security Assertion Markup Language) from OASIS, or Organization for the Advancement of Structured Information Standards. On the other side is the WS-Security (Web Services-Security) specification from the WS-Interoperability (Web Services-Interoperability) Organization founded by IBM, Microsoft Corp. and VeriSign Inc.
While members of WS-Interoperability said they are committed to the work of the W3C, which maintains SOAP (Simple Object Access Protocol), the group's formation could complicate the development of Web services security standards that are recognized industrywide. That's because, for one thing, the WS-Security specification does not use SAML. For another, WS-Security, as a private specification, could fall under Reasonable and Non-Discriminatory patent royalty provisions, something the W3C currently does not allow.
"I cannot stress [enough] the importance of IPR [intellectual-property-rights]-free standards," said Eve Maler, co-author of SAML and XML standards architect at Sun Microsystems Inc., of Palo Alto, Calif. "We have to ensure everyone has access to standards."
However, Phillip Hallam-Baker, principal scientist at VeriSign, of Mountain View, Calif., defended WS-Security, saying he sees no future in proprietary specifications. Hallam-Baker said he would like to deliver all pieces of WS-Security to a standards body within six to nine months. It remains unknown whether WS-Interoperability will submit the specification for recommendation by the W3C, said Bob Sutor, director of e-business standards strategy at IBM, in Armonk, N.Y.
When it comes to standards, however, Microsoft and IBM have history on their side. W3C-recommended specifications from the duo include SOAP; Web Services Description Language; and Universal Description, Discovery and Integration.
Members of the W3C have acknowledged that the success of its standards depends on support and implementation in the real world. Last year, the organization saw just how fragile interoperability could be when Microsoft tried to block users of the Opera and Mozilla browsers from MSN Web sites. If a large industry player refused to support a W3C-backed SAML, little could be done about it, said Joseph Reagle, a W3C public policy analyst and chair of the XML encryption working group.
"There's plenty of work to be done in coming up with a cohesive way to put all the pieces together. I'm just not sure how," Reagle said.
There is always public criticism. After a flurry of negative publicity, Microsoft changed its stance on browser compatibility. Today, Microsoft's .Net Framework is based largely on W3C specifications, including XML and SOAP.