Cleaning Up SOAPs Act

For SOAP to be enterprise-worthy, security must be an integral part of the Web services standard.

Its not an overstatement to say that much of B2Bs future depends on SOAP, the Web services standard that defines how two computers engage each others services via XML commands. Without Simple Object Access Protocol, Web services-based computing, including business-to-business e-commerce, would be in doubt. Fortunately, support for SOAP is widespread, and mature implementations are emerging.

But security was left unaddressed in the SOAP 1.1 specification, leaving this critical component of IT infrastructure to be implemented in ad hoc, incompatible ways—or ignored entirely.

When the World Wide Web Consortium took on future SOAP standard development efforts in late 2000, we sighed with relief. The W3C is known for its ability to develop standards that stand the test of time. The XML Protocol working group at the W3C is now very close to finishing its work on SOAP 1.2; we expect the standard to be voted on by summer. However, as we report in this weeks eWeek Labs package on Web services, security was again left out of SOAP. It was not part of the working groups charter to address the problem in Version 1.2. That omission allowed the committee to complete its work sooner by making its task more focused, but, once again, the SOAP standard has failed to meet a critical IT requirement.

There is now an effort at the Organization for the Advancement of Structured Information Standards, or OASIS, to address this problem, but we think security isnt a postscript to be tacked onto the SOAP specification. Security needs to be baked into the heart of the standard so that it can benefit from the W3Cs mandatory implementation and compatibility testing.

Furthermore, the core components (within which we include security) of a critical infrastructure standard such as SOAP should continue to be developed in its entirety at the W3C, a standards body users trust. It has the policies in place to ensure that standards are developed transparently and in a vendor-neutral way.

Web services need a solid security framework to head off the growing crisis in confidence that they are indeed enterprise-ready. The W3C should fix the security problem as soon as possible after SOAP 1.2 ships, not make it a problem for somebody else to clean up later.