WS-Security Spec Sent to OASIS

IBM, Microsoft and VeriSign announce they will push their Web services security standard through OASIS.

Moving ahead on promises made when they formed the initiative in April, IBM, Microsoft Corp. and VeriSign Inc. Thursday announced that they will submit the latest version of the Web Services Security (WS-Security) specification to the Organization for the Advancement of Structured Information Standards for ongoing development.

The WS-Security specification is a leading Web services standards effort to support, integrate and unify multiple security models, mechanisms and technologies, allowing a variety of systems to interoperate in a platform- and language-neutral manner, the companies said.

Eric Newcomer, chief technology officer of Iona Technologies Inc., in Waltham, Mass., and a founding member of the working group that will handle the WS-Security standards effort within OASIS, said from his perspective IBM and Microsoft grew "impatient" with the efforts of the Worldwide Web Consortium (W3C) to deliver a standard around security and Web services.

Newcomer, a member of the W3C Web Services Architecture Working Group, said the group has been trying to create a security working group at the W3C to no avail. "Its hard to do," he said.

However, "Id say its a good choice," Newcomer said of the decision to push the standard through OASIS. "They have a good track record" delivering standards, he said.

In addition to Iona, many OASIS member companies pledged support for WS-Security, including Baltimore Technologies plc., BEA Systems Inc., Documentum Inc., Entrust Inc., Netegrity Inc., Novell Inc., Oblix Inc., RSA Security Inc., SAP AG, Sun Microsystems Inc. and Systinet Corp.

With this announcement, IBM, Microsoft and VeriSign strengthened their commitment to build and deliver standards-based security solutions, the companies said. The three companies will continue to work together to advance standards-based specifications that will allow for comprehensive Web services security solutions as outlined in the "Security in a Web Services World" road map, which was drafted by IBM and Microsoft in April.

"We have to make some progress, and we have to get this stuff standardized," Newcomer said.

The WS-Security specification, which provides the foundation for that road map, defines a standard set of Simple Object Access Protocol (SOAP) extensions, or message headers, which can be used to implement integrity and confidentiality in Web services applications. Web services are applications that can be accessed through XML and SOAP-based protocols, making them platform- and language-independent. WS-Security provides a foundation layer for secure Web services, laying the groundwork for higher-level facilities such as federation, policy and trust.

VeriSign said it will be putting out an open-source implementation of the WS-Security specification to allow developers to gain familiarity with the spec, a company spokesman said. "It will show how to build in things like digital signatures and encryption to Web services," the spokesman said. The specification will be available for download from VeriSign and on the open-source site.

Related stories:

  • Tech Analysis: Web Services Edged Forward
  • Web Services Secure?
  • Editorial: Web Patents: Still Not a Good Idea
  • Commentary: Security Should Top Web Services Agenda
  • Web Services Security: A Political Battlefield