Microsoft, IBM Extend Web Services Security Effort

At the Burton Group's Catalyst conference in San Francisco, IBM, Microsoft, BEA Systems, RSA Security and VeriSign will debut three new specifications extending WS-Security and related technologies, and will publish them to their respective Web sites, said Karla Norsworthy, director of dynamic e-business technologies at IBM, Somers, N.Y.

The new specifications are WS-Federation Language, which defines how to enable services with different security architectures on the back end to interoperate; Passive Requestor Profile, which describes how protocols defined in WS-Federation Language can be used by so-called passive users of Web services, such as those surfing Web sites or using Web-enabled devices; and Active Requestor Profile, which does the same for SOAP-enabled applications and smart clients rather than passive users.

Together the new specifications broaden the scope of current proposed security standards developed by the group, such as WS-Security, WS-Policy, WS-Trust and WS-Secure Conversation, by enabling Web services to communicate despite having different security technologies on the back end, said Stephen Van Roekel, director of Web services at Microsoft, Redmond, Wash.

"This adds a layer of being able to handle the exchange of user information independent of what kind of security scheme the end points are using," Van Roekel said. "I could be using Kerberos, SAML [security assertion markup language] or PKI and I can send that information between those end points."

While Van Roekel said the group is willing to work with the Sun Microsystems-led Liberty Alliance, the Microsoft/IBM-led standards effort seems to run directly counter to it. Liberty is based on extending the SAML specification for secure identity management for Web services, similar to how Microsoft et al. are extending WS-Security. SAML is an XML framework for exchanging user authentication and authorization information between networked computers and devices.

WS-Security, co-authored by Microsoft, IBM and VeriSign and introduced in April 2002, defines a way to encrypt XML code for secure Web services, and is currently before the OASIS standards body.

WS-Policy, WS-Trust and WS-Secure Conversation, introduced in December 2002 by Microsoft, IBM, VeriSign, RSA and BEA, are designed, as are the new specifications introduced Tuesday, to work together with WS-Security.

WS-Trust is a description for managing, establishing and assessing trust relationships between parties exchanging information via Web services. WS-Secure Conversation describes a framework to establish security around multiple messages between organizations. And WS-Security Policy outlines general security policies.