As the Apache Software Foundation, Microsoft Corp. and IBM sort out licensing issues around making the WS-Security specification open-source-friendly, the issue becomes something of a precedent for how Web services specifications will evolve in the open-source world.
Meanwhile, IBM and Microsoft have announced plans to submit three additional Web services specifications to a standards body, and Hewlett-Packard Co. has announced that three Web services specifications it turned over to Apache have now left the incubator stage.
At issue with WS-Security is Apaches intent to implement the specification although WS-Securitys licensing policy, based on policies laid out by the Organization for the Advancement of Structured Information Systems, is incompatible with Apaches own.
In essence, OASIS policies allow for royalty-free specifications, but they have not been adopted specifically for the open-source way of the world. OASIS has three modes of intellectual property rights coverage: a RAND (Reasonable and Non-Discriminatory) mode, an RF (Royalty-Free) on RAND mode and an RF on Limited Terms mode. So while the WS-Security specification is royalty-free, the current policy would require users to go back to the authors of the specification and holders of the license—IBM and Microsoft—to negotiate transfer rights for the technology if they intended to redistribute it.
Cliff Schmidt, Apaches vice president of legal affairs, said he is looking forward to meeting with Microsoft later this week to discuss ways to overcome the incompatibility.
A resolution could be something as simple as a clause added to the current license, he said.
However, some observers said the WS-Security issue could be a precedent as it is the first of what will likely be several Web services specifications to come up against obstacles regarding open-source implementation, as patent policies that have been in place for standards organizations such as Apache are not necessarily applicable for open-source licensing.
Apache ran into a similar situation with the Sender ID framework, a Microsoft specification issued through the IETF (Internet Engineering Task Force). The licensing policies around Sender ID were not compatible with Apaches own policies, and the open-source organization decided not to implement Sender ID.
“The same Sender ID kind of issues are showing up in the Web services space,” Schmidt said. “This is a bigger issue now. These are the same questions that are likely to come up with every Web services specification. So this is now becoming more important as it finds its way in Web services specifications.”
OASIS upgraded its intellectual property rights policies earlier this year to be more flexible.
“We respect Apache for calling attention to this situation and for articulating the needs of open-source developers and the transfer of licenses,” said Patrick Gannon, president and CEO of OASIS. “The rapid growth of open-source business models and their distinct licensing requirements pose a challenging problem of adaptability for all standards bodies. Apaches conversation with IBM and Microsoft reveals that a lot more creative work needs to be done to harmonize traditional patent policy frameworks with the new business models to protect all parties from legal risk, while allowing for implementation of standards under the open-source development and licensing models.”
Added Gannon: “Fundamental to OASIS is the principle that standards development should be driven by the needs of the marketplace. Its gratifying for us to see Apache, IBM and Microsoft engage in a productive dialogue that hopefully will result in the widest possible adoption of the WS-Security OASIS standard.”
Meanwhile, last week IBM and Microsoft announced that they will turn three additional Web services standards over to OASIS—WS-SecureConversation, WS-SecurityPolicy and WS-Trust.
The WS-SecureConversation (Web Services Secure Conversation Language) specification is built on top of the WS-Security and WS-Policy models to provide secure communication between services, the companies said.
The WS-SecurityPolicy is designed to work with the general Web services framework, including WSDL (Web Services Definition Language) service descriptions, UDDI (Universal Description, Discovery and Integration) and SOAP (Simple Object Access Protocol), the companies said.
And WS-Trust (Web Services Trust Language) uses the secure messaging mechanisms of WS-Security for issuing security tokens and credentials in different trust domains.
Meanwhile, in related news, HP announced that it has contributed implementations of three emerging Web services standards—WSRF (Web Services Resource Framework), WSN (Web Services Notification) and WSDM (Web Services Distributed Management) have graduated from incubator projects to official open-source Web services projects at Apache.
In a statement regarding the news, HP said: “Exiting the Apache incubator phase is significant because this was HPs first offering to the Apache Organization, and HP succeeded in ensuring that these became full-fledged Apache projects. This is an important milestone on the path toward industry-wide adoption of standards-based management solutions and the end goal of simplified management of heterogeneous IT environments.”
WSRF, formerly known as Apollo, defines a generic and open framework for modeling and accessing “stateful” resources using Web services, the Apache Web site entry on the project said.
WSN, formerly known as Pubscribe, defines a set of specifications that standardize the way Web services can interact using the Notification pattern, which defines a way for consumers to subscribe to a producer for notifications whenever a particular situation occurs, Apache said. It builds upon the WS-ResourceFramework family of specifications.
And WSDM provides a model for managing distributed services.