Rift Threatens Web Services Security Spec
Applications
SHARE
Facebook X Pinterest WhatsApp

Rift Threatens Web Services Security Spec

Written By
Darryl K. Taft
Darryl K. Taft
Oct 7, 2002
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

An emerging rift among supporters of a proposed Web services security specification could slow the ratification of the standard and hamstring enterprises trying to settle on a way to make Web services transactions safer.

Microsoft Corp. and IBM, which, along with VeriSign Inc., published the original Web Services-Security specification, are now in two camps that have contrasting views over what should be done with the specification, also known as WS-Security.

The specification, which came under the control of OASIS, or Organization for the Advancement of Structured Information Standards, in June, defines a set of SOAP (Simple Object Access Protocol) message headers, which are designed to ensure Web services application integrity.

Microsoft, of Redmond, Wash., and companies such as Iona Technologies Inc., of Cambridge, Mass., which are members of OASIS WS-Security Technical Committee, want to push the specification through as is. They contend it is complete enough to give users the security they need now for Web services and can be improved later.

However, officials at IBM, Sun Microsystems Inc., Commerce One Inc., Entrust Inc. and Cisco Systems Inc., among others—and also part of the technical committee—said they believe more needs to be added to the specification. A short list of additional features includes some form of extensions for WSDL (Web Services Description Language) that would enable developers to express how to control the level of encryption, the type of encryption and what gets encrypted. This faction is proposing a Quality of Protection working group to investigate what other additions the specification may need before being released.

“We need the ability to comprehensively control Web services security as it relates to specifying a Web service at design time using WSDL and at run-time using SOAP [and] WSDL,” said Zahid Ahmed, XML Web services architect at Commerce One, in Pleasanton, Calif.

The WS-Security Technical Committee may discuss these issues in a conference call meeting this week.


Page Two

: Rift Threatens Web Services Security Spec”>

As a result of the infighting, enterprises delving into Web services may be forced into a holding pattern on security. Steve Devoti, IT security and directory services manager at CUNA Mutual Group, in Madison, Wis., said that while enough security exists for running Web services over a trusted network, more is needed when theyre extended outside a firewall.

“Web services can be made secure,” Devoti said. “However, because we still dont have all the industry standards in place, it still requires us to do business in the ways we have in the past, i.e., setting up agreements with our partners in advance … and [regarding] how we will make identity and authorization assertions.”

Ed Leveille, vice president and CIO at Providence Washington Insurance Companies Inc., in Providence, R.I., said a cohesive services security standard will be important as Web services proliferate. Leveille is beginning to use Web services and is researching WS-Security to see how it will be applied.

While OASIS didnt establish a timetable for when WS-Security would be released, Microsoft and IBM, of Armonk, N.Y., opted to bring the specification to OASIS because they were “impatient” with the World Wide Web Consortiums efforts to deliver a security standard, said Eric Newcomer, chief technology officer at Iona. The W3C has been working on standards such as XML Signature, XML Encryption and Extensible Key Management Specification.

Chris Davis, a senior security consultant with RedSiren Inc., in Pittsburgh, said Microsoft and IBM may have made Web services security more difficult simply by bringing WS-Security to OASIS rather than to the W3C, which already has similar security measures.

“What Microsoft and IBM have done is gone off to the side and created their own standard,” which could be a problem for end users, Davis said.

“In the browser wars, users were impeded by conflicting standards, and the same thing could happen with WS-Security versus the W3C standards,” Davis said. “When you have vendors running around [adhering to several differing standards], it is defaulting to a relatively insecure implementation.”

Related Stories:

  • Spec Secures Web Services Apps
  • Oasis Creates Committee Devoted to WS-Security Spec
  • W3C, OASIS Meet Over Web Security Standards
  • Commentary: Web Services Security: A Political Battlefield
  • Commentary: Web Services Standards at Risk
Darryl K. Taft
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information