Vendors Team Up On New Web Services Security Specs


Microsoft, IBM, BEA among authors of proposed standards


A gaggle of the usual suspects has teamed up to promote several new standards aimed at making Web services more secure.

Microsoft, IBM, BEA Systems, RSA Security, VeriSign and SAP Wednesday published a new set of advance specifications that will let companies share information securely between applications in their own systems, as well as with other enterprises, the companies said in a press release.

The new specs fall into two categories: technical issues surrounding security, and business policy implementation.

WS-Trust, WS-SecureConversation and WS-SecurityPolicy, co-authored by IBM, Microsoft, RSA and VeriSign, fall under the first category, according to the companies.

WS-Trust is a description for managing, establishing and assessing trust relationships between parties exchanging information via Web services. WS-SecureConversation describes a framework to establish security around multiple messages between organizations. And WS-SecurityPolicy outlines general security policies of Web services.

WS-Policy, WS-PolicyAttachment and WS-PolicyAssertions are proposed standards around implementing business policies for Web services, according to the companies. BEA, IBM, Microsoft and SAP co-authored these three specs.

WS-Policy describes how parties on both ends of Web services can communicate to each other their system requirements and capabilities. This allows both senders and receivers of messages to discover the information they need to access a particular Web service.

WS-PolicyAttachment proposes a standard way to attach the requirement and capability statements of message senders and receivers to Web services. And WS-PolicyAssertions describes general policies attached to a particular Web service.

Poor security is cited as a major stumbling block to the adoption of Web services, observers said.

While the industry has widely accepted Security Assertion Markup Language (SAML) as a basic security protocol for Web services, higher-level standards have not been developed or approved yet, said Pragnesh Dave, Enterprise Architect of Elk Grove Terrace, Ill.-based solution provider Genisys Consulting.

"New standards are coming up for security and reliability, but they're not there yet," Dave said.

Edward Cobb, BEA's vice president of architecture and standards and a co-author of the WS-Policy spec, said that the new proposed standards show that vendors are committed to hastening Web services adoption by offering standards to solve security issues.

"[The specs] promote a common industry goal to help speed the adoption of Web services by delivering secure, reliable interoperability guidelines that span platforms, applications and programming languages," Cobb said.