WS-Security: Microsoft, Sun Work Behind the Scenes

By Darryl K. Taft  |  Posted 2004-04-08


The passage of the WS-Security specification by the Organization for the Advancement of Structured Information Standards (OASIS) could signal opportunities for further interoperability between Microsoft Corp. and Sun Microsystems Inc., at least as far as Web services are concerned.

John Shewchuk, a Microsoft architect, told eWEEK in an interview that Microsoft's work with Sun engineers on the WS-Security spec could indicate possible future interoperability between the two companies, as established in last week's landmark agreement between the two former foes to work together.

OASIS approved the WS-Security specification earlier this week in a vote of 77-1. WS-Security defines the core facilities for protecting the integrity and confidentiality of a message, as well as mechanisms for associating security-related claims with the message, according to the roadmap laid out by Microsoft, IBM and VeriSign Inc. when they authored the specification in April 2002. Sun joined the WS-Security effort, along with many other companies, after Microsoft, IBM and VeriSign submitted the specification to OASIS in June 2002 and OASIS formed a WS-Security Technical Committee the following month.

WS-Security is a foundational technology that provides the basis for additional security specifications and enables businesses to offer secure Web services for commercial use.

However, a byproduct of the work to deliver the specification showed that Microsoft and Sun were leading in interoperability, in standing with the specification's guidelines.

"We did our first interop test of the latest spec and we had 80 percent interoperability" among all the companies participating, Shewchuk said. "The first two to get full interoperability were Microsoft and Sun. The Sun engineers were smart and easy to work with, and their stuff worked great with our code."

Shewchuk said Microsoft tested a version of the company's WSE (Web Services Enhancements) technology that supports WS-Security. He said he was not aware of what technology Sun used in the test, as the testing is "done in a fully anonymous way."

He also said Microsoft "will be releasing WSE 2.0 shortly, and that will be in full compliance" of WS-Security. So not only is it news that OASIS approved WS-Security as a standard, "but you'll likely see [compliant] products from Microsoft and others on the market almost overnight."

In addition, Shewchuk said, "We have the federation work and the Liberty work, and because we all are working on this, we're able to communicate" on how to proceed with the interoperability message.

Passport/TrustBridge is Microsoft's federation technology, while Liberty is a Sun-led technology project related to federation. With the new agreement between the two companies, industry observers have asked whether the two efforts will fuse.

Arvind Krishna, IBM vice president of security for Tivoli and Security Products, recently predicted that 2004 will be the year that enterprises will get behind federated identity for protection.

Shewchuk would not address that question directly but said of the Sun/Microsoft agreement overall: "I hope this is a sign we can come together and focus on the technical problems. I think it's a very positive sign."

"Eh, love is fickle," said Ronald Schmelzer, an analyst with ZapThink LLC, a market research firm based in Cambridge, Mass. "We'll see how much the Sun and Microsoft love tryst really lasts. My thought is that it's a fun roll in the hay until morning, when they realize that one of the two doesn't have any front teeth."


IBM and Microsoft also hammering on interoperability

Last year, in a very public display of Web services interoperability, Bill Gates, Microsoft's chairman and chief software architect, and Steve Mills, senior vice president of IBM's Software Group, demonstrated interoperability between their systems. IBM is a co-author of the WS-Security specification.

IBM and Microsoft had been working independently on solving some of the problems related to Web services security but decided to join forces to "augment" their work, Shewchuk said.

He said early on the group got together in Chicago and "hashed through a scenario where [IBM's] WebSphere could talk to .Net through open standards."

Then in a meeting in March of 2002 at the San Francisco airport, IBM and Microsoft engineers met to hash out the core WS-Security specification and to set a roadmap whereby that foundational specification would lead to subsequent ones like WS-Trust and WS-SecureConversation, he said. The date is fresh in Shewchuk's mind because not only was the WS-Security specification born; so too was his daughter.

"It's really exciting to see the industry as a whole coalesce around this," Shewchuk said.

According to a joint white paper from IBM and Microsoft describing the WS-Security specification and security roadmap, "While WS-Security is the cornerstone of this effort, it is only the beginning, and we will cooperate with the industry to produce additional specifications that will deal with policy, trust and privacy issues."

"WS-Security is really the linchpin spec to take Web services beyond the basic interchange of information," Shewchuk said.

"Ratification of WS-Security is a significant step in addressing one of the most challenging barriers to successful Web services adoption: security," said Schmelzer. "By getting some sense of unity behind these specs, we can expect companies to look more seriously at Web services as a technology they can reliably implement in and between their organizations. Now that WS-Security has passed this milestone, we hope that end-user and vendor companies and the WS-I [Web Services Interoperability Organization] back the spec as a sure thing rather than pitch equivalent alternatives that might slow the adoption of Web services going forward."

Said Shewchuk: "If you really need to go beyond this thing being a toy to something that enables business, this is the spec that does that."

Meanwhile, in other OASIS news, OASIS announced plans to host a Symposium on Reliable Infrastructures for XML, April 26-27 in New Orleans.

In a statement, Chet Ensign, director of architecture at Lexis Publishing Inc. and chair of the Program Committee of the OASIS Technical Advisory Board, said, "Today, many different (and partially interchangeable) technologies are available that propose to increase the reliability of XML-based messaging and networking infrastructure. We define reliable to mean that implementing one or more of these technologies in an infrastructure removes some of the burden of ensuring application integrity from software programmers and architects."

Editor's Note: This story was updated from its original posting to change the headline.
