Microsoft, IBM Team on Spec

A group of companies last week announced a new Web services specification for handling security in Web services environments.

Led by Microsoft Corp. and IBM, a group of companies last week announced a new Web services specification for handling security in Web services environments.

At Burton Group Inc.'s Catalyst conference in San Francisco, IBM, Microsoft, BEA Systems Inc., RSA Security Inc. and VeriSign Inc. announced the publication of the Web Services-Federation specification, another in a series of standards IBM and Microsoft outlined in the Web services security road map they co-authored last year.

Karla Norsworthy, director of e-business technology at IBM, in Armonk, N.Y., said WS-Federation enables developers to manage trust relationships across enterprises that use different types of security solutions. "We're announcing the crown jewel of the Web services security road map, the Web Services-Federation specification," said Norsworthy. "These specifications are solutions that hold together Web services security [WS-Security], Trust [WS-Trust], the security part of Policy [WS-Policy] into allowing this kind of federation so that our clients can do successful business process integration and have the security part come easy."

Steven VanRoekel, director of Web services at Microsoft, in Redmond, Wash., said, "From a Microsoft perspective this is the technology that will enable TrustBridge." TrustBridge is Microsoft's upcoming technology that will allow organizations to share user identities across business boundaries, officials said. "WS-Federation is built to be extensible to utilize any broad range of identification mechanisms, like Passport, like SAML [Security Assertion Markup Language] or like anything else in between," said VanRoekel.

Meanwhile, IBM will integrate WS-Federation into its WebSphere and Tivoli product lines, Norsworthy said.

Jason Bloomberg, an analyst with ZapThink LLC, a Cambridge, Mass., market researcher, said a question surrounding WS-Federation is how it will play out alongside the Liberty Alliance's ID-Federation Framework.

"Liberty is further along in its work on federation specifications, and there are a good number of companies—in particular, non-IT companies—that back Liberty. Clearly, because identity federation means getting dissimilar identity mechanisms to work together, it doesn't make sense to have more than one identity federation standard," Bloomberg said. "Only time will tell which approach will win out."

And some went even further to call the Microsoft-IBM-led initiative hype. "WS-Federation is designed to tie together independent islands of authentication," said Eugene Kuznetsov, chief technology officer and chairman of DataPower Technology Inc., also in Cambridge. "This is pure marketing; nobody needs this right now. Today enterprises are working with known trading partners with known identity schemes and certificate authorities. This is just another letter for the Web services alphabet soup mix that will tend to confuse more than it will help enterprises struggling to secure their Web services. Businesses need pragmatic and practical solutions to solve the Web services security problem—and there are ways to secure their XML Web services applications today."