Spec Secures Web Services Apps

Microsoft Corp., IBM and VeriSign Inc. have joined forces to develop and publish a new security specification for Web services that will form the foundation of their proposed Web services security architecture.

NEW ORLEANS--Microsoft Corp., IBM and VeriSign Inc. have joined forces to develop and publish a new security specification for Web services that will form the foundation of their proposed Web services security architecture.

The specification, which the parties say is the first such spec to be launched, will be known as WS-Security and is designed to help organizations build secure and broadly interoperable Web services applications.

"The spec is designed to enable message-level, SOAP-level security, specifically encryption, authentication and identity around those messages. What this will really enable is for Web services to communicate in a trusted manner, especially in a scenario where you have multiple actors in a Web service, where it will provide end-to-end security between all of those parties," Marcie Verdin, director of enterprise services at VeriSign, told eWEEK in an interview late Wednesday.

WS-Security is thus defined as a standard set of SOAP (Simple Object Access Protocol) extensions, or message headers, that can be used to implement integrity and confidentiality in Web services applications. It also provides standard mechanisms to exchange secure, signed messages in a Web services environment. "This provides an important foundation layer for Web services security that will help developers build more secure and broadly interoperable Web services," she said.

Bob Sutor, the director for eBusiness strategy at IBM, said the plan is to submit the specification to standards groups, but he declined to say which these would be. "This is very broad, and no one standards organization is going to be able to do it. The W3C [World Wide Web Consortium] may be involved; we'll just have to wait and see," he said.

This is the foundational specification for Web services security, in the same way that two years ago SOAP was a foundational specification, he added.

Steven VanRoekel, the director of Web services marketing at Microsoft, said the specification is based on work that had already been done in the W3C around XML encryption and digital signatures.

When asked about not including other industry players in the development of the specification, Sutor said, "We have published several specifications together in the past like SOAP and WSDL [Web Services Description Language]. We put them out there and let the industry and partners comment on them. We plan to do the same with this and will only submit the spec to the standards bodies in a few months after we have received industry input."

When asked about the specific exclusion of Sun Microsystems Inc., another Web services player, he said Sun was not an author of any of the previous specs (SOAP, WSDL and the initial UDDI [Universal Description, Discovery and Integration] specs), but has participated in some of the standardization efforts. "However, we absolutely welcome their participation with this moving forward, as we welcome everyone else's," Sutor said.

However, a Sun developer who asked not to be identified, said, "That's ironic seeing how WSDL, UDDI and SOAP were done by those two companies together. So that's sort of contradictory. We don't exactly know what they're going to do, which isn't exactly surprising."

Russell Castronovo, a spokesman for Sun, said that "in the absence of seeing anything, we cannot comment. But we're generally open to things that move along standards and interoperability. These tend to be good things," he said.

The latest exclusion follows the controversy surrounding Sun's invitation to join the Web Services Interoperability group.

But VeriSign's Verdin said the three companies should not be seen as a "closed group." The trio wanted to offer this specification because it viewed trust as the most essential element needed to fuel the next generation of e-commerce.

Regardless of what standard is coming about, "we want to be involved and we want security to be forefront. These are open standards that we want everyone to adopt and to benefit from the productivity gains of Web services," she said.

IBM's Sutor said the parties only started briefing their clients for the first time on Wednesday and that the specification will be available for download (at http://www-106.ibm.com/developerworks/library/ws-secure/ or http://msdn.microsoft.com) on Thursday.

Asked whether Microsoft is the right company to be writing a security specification given its past history in that area, VanRoekel said the intelligence of the three organizations "was pretty daunting in the industry. I can't deny that we've had some shortfallings in some areas, but teaming up with IBM and VeriSign feels really good," he said.

While the parties have been hearing a lot about the need for security in the Web services space, customers have been saying that, although the technology is new and innovative, they are not going to use it for anything mission-critical across the Internet until they can be confident that their information is secure and stays confidential.

"But you need more than this," Sutor said. "You need to make sure that you can negotiate appropriate policies and express them. You also have to be able to connect people who may be using radically different software and hardware and different programming languages to build their systems. In exactly the same way, we know people will have different security infrastructures."

As such, IBM and Microsoft have also developed and are publishing a Web services security road map, titled "Security in a Web Services World." The document defines additional and related Web services security capabilities within the framework established by the WS-Security specification that Microsoft and IBM plan to develop "in close collaboration with platform vendors, application developers, network and infrastructure providers and customers," he said.

The additional proposed specifications deal with security policies, trust relationships, privacy practices, the management and authentication of message exchanges between parties, trust in heterogeneous federated environments, and the management of authorization data and policies, he said.

Additional reporting by Darryl Taft