Microsoft, IBM Lead Group Effort For Web Services Specs

The group, which included BEA Systems, RSA Security and VeriSign, debuted the publication of three new specifications extending WS-Security and its related technologies at the recently held Burton Group's Catalyst conference in San Francisco, said Karla Norsworthy, director of dynamic e-business technologies at IBM, Somers, N.Y.

WS-Security, co-authored by Microsoft, IBM and VeriSign and introduced in April 2002, defines a way to encrypt XML code for secure Web services. It is currently before the Organization for the Advancement of Structured Information Standards (OASIS).

Solution providers say business users ultimately will decide which standards best suit their needs.

The new specifications are WS-Federation Language, which defines how to enable services with different security architectures on the back end to interoperate; Passive Requestor Profile, which describes how protocols defined in WS-Federation Language can be used by passive users of Web services, such as those surfing Web sites or using Web-enabled devices; and Active Requestor Profile, which does the same thing for SOAP-enabled applications and smart clients that Passive Requestor Profile does for passive users.

Solution providers said that although it is crucial to define such standards, vendors likely will not have the final say in what becomes widely adopted. Ultimately, business users will decide which ones best suit their needs, they said.

Decisions around standards "are business-driven, not IT-driven," said Steve Crutchley, chief security officer at 4FrontSecurity, Reston, Va. "You have to look at a standard and [say], 'Does it support my business? If it doesn't support my business, I'm not going to use it.' "

WS-Federation Language, Passive Requestor Profile and Active Requestor Profile have been published to the Web sites of IBM, Microsoft, BEA, VeriSign and RSA for review. Eventually, they will be proposed to a standards body, Norsworthy said.

Together the new specifications broaden the scope of current proposed security standards developed by the group (including WS-Security, WS-Policy, WS-Trust and WS-Secure Conversation) by enabling Web services to communicate despite having different security technologies on the back end, said Stephen Van Roekel, director of Web services at Microsoft, Redmond, Wash. "[The new specifications] add a layer of being able to handle the exchange of user information independent of what kind of security schemes the end points are using," he said.

WS-Policy, WS-Trust and WS-Secure Conversation, introduced in December 2002 by Microsoft, IBM, VeriSign, RSA and BEA, are designed to work together with WS-Security, as are the new specifications.

WS-Trust is a description for managing, establishing and assessing trust relationships between parties exchanging information via Web services. WS-Secure Conversation describes a framework to establish security around multiple messages between organizations. And WS-Security Policy outlines general security policies.

Van Roekel said the group is willing to work with the Sun Microsystems-led Liberty Alliance and other efforts Sun and its partners are making to set federated identity standards. But observers said the standards efforts led by Microsoft and IBM compete with what Sun and its partners are doing.

Liberty is based on extending the SAML specification for secure identity management for Web services, similar to how the Microsoft-IBM group is extending WS-Security. SAML is an XML framework for exchanging user authentication and authorization information between networked computers and devices.

Crutchley said he cautions clients to be careful when choosing a security standard to adopt. "Make sure it fits your long-term strategy and you understand why you're adopting it because it could tie you to some long-term issue later."