WS-Security: Microsoft, Sun Work Behind the Scenes

The release of the WS-Security specification by OASIS this week offers a glimpse into a world of improved interoperability for the enterprise via Web services. Microsoft and Sun's recent accord may speed the interop process, experts say.

The passage of the WS-Security specification by the Organization for the Advancement of Structured Information Standards (OASIS) could signal opportunities for further interoperability between Microsoft Corp. and Sun Microsystems Inc., at least as far as Web services are concerned.

John Shewchuk, a Microsoft architect, told eWEEK in an interview that Microsofts work with Sun engineers on the WS-Security spec could indicate possible future interoperability between the two companies, as established in last weeks landmark agreement between the two former foes to work together.

OASIS approved the WS-Security specification earlier this week in a vote of 77-1. WS-Security defines the core facilities for protecting the integrity and confidentiality of a message, as well as mechanisms for associating security-related claims with the message, according to the roadmap laid out by Microsoft, IBM and VeriSign Inc. when they authored the specification in April 2002. Sun joined the WS-Security effort, along with many other companies, after Microsoft, IBM and VeriSign submitted the specification to OASIS in June 2002 and OASIS formed a WS-Security Technical Committee the following month.

WS-Security is a foundational technology that provides the basis for additional security specifications and enables businesses to offer secure Web services for commercial use.

However, a byproduct of the work to deliver the specification showed that Microsoft and Sun were leading in interoperability—in standing with the specifications guidelines.

"We did our first interop test of the latest spec and we had 80 percent interoperability" among all the companies participating, Shewchuk said. "The first two to get full interoperability were Microsoft and Sun. The Sun engineers were smart and easy to work with, and their stuff worked great with our code."

Shewchuk said Microsoft tested a version of the companys WSE (Web Services Enhancements) technology that supports WS-Security. He said he was not aware of what technology Sun used in the test, as the testing is "done in a fully anonymous way."

He also said Microsoft "will be releasing WSE 2.0 shortly, and that will be in full compliance" of WS-Security. So not only is it news that OASIS approved WS-Security as a standard, "but youll likely see [compliant] products from Microsoft and others on the market almost overnight."

In addition, Shewchuk said, "We have the federation work and the Liberty work, and because we all are working on this, were able to communicate" on how to proceed with the interoperability message.

Passport/TrustBridge is Microsofts federation technology, while Liberty is a Sun-led technology project related to federation. With the new agreement between the two companies, industry observers have asked whether the two efforts will fuse.

/zimages/6/28571.gifArvind Krishna, IBM vice president of security for Tivoli and Security Products, recently predicted that 2004 will be the year that enterprises will get behind federated identity for protection. Click here to read the interview.

Shewchuk would not address that question directly but said of the Sun/Microsoft agreement overall: "I hope this is a sign we can come together and focus on the technical problems. I think its a very positive sign."

"Eh, love is fickle," said Ronald Schmelzer, an analyst with ZapThink LLC, a market research firm based in Cambridge, Mass. "Well see how much the Sun and Microsoft love tryst really lasts. My thought is that its a fun roll in the hay until morning, when they realize that one of the two doesnt have any front teeth."

Next Page: IBM and Microsoft also hammering on interoperability