Industry cooperation around security in a Web services world has taken several steps forward recently with the announcement that three more specifications in the IBM/Microsoft Web Services (WS-*) Security Roadmap are being submitted to OASIS in September, and a successful interoperability demo involving multiple federated identity protocols. Both took place at the Burton Group's Catalyst Conference last month.
WS-Trust, WS-SecurityPolicy and WS-SecureConversation build on WS-Security, which was ratified by OASIS in 2004. WS-Trust and WS-SecureConversation were co-authored with vendors such as Actional Corp., BEA Systems Inc., Computer Associates International Inc., Oracle Corp., RSA Security Inc., VeriSign Inc. and others. WS-SecurityPolicy was co-authored with RSA Security and VeriSign.
"While WS-Security defines the basic mechanisms for providing secure messaging, WS-Trust defines extensions to WS-Security that provide ways to establish and broker trust relationships between organizations," said Ari Bixhorn, director of Web services strategy at Microsoft. "It does this by providing a mechanism to move between various security tokens types, including Kerberos, X.509, and SAML [Security Assertion Markup Language]. Typically this is done through the use of a Security Token Service [STS], which is a Web service that issues security tokens that can be trusted by both the sender and receiver of a Web services message."
In a Web services environment, "new supply chains are built to work across multiple systems; this ecosystem can communicate and collaborate securely using open standards," said Venkat Raghavan, program director of Security, Policy and Compliance for IBM Tivoli. "The challenge is, how do we have a common notion of identity and security that works across multiple platforms, technologies, middleware -- across the value chain. WS-Trust gives you a way to homogenize disparate systems."
Organizations already have different technologies in place for authenticating users, Raghavan said. "The goal is not to replace but to leverage existing security technologies to allow business process integration."
Gerry Gebel, a senior analyst at the Burton Group in Midvale, Utah, said WS-Trust is significant, particularly for hybrid environments. "You can give one style of token and request another in return."
The second spec, WS-SecurityPolicy, defines general security policy assertions that apply to Web services security. For example, WS-SecurityPolicy would be used to implement the Web Services Interoperability Basic Security Profile (WS-I BSP), according to Anthony Nadalin, distinguished engineer and chief security architect of the IBM Software Group. "Other [examples] include being able to describe the security capabilities and constraints of a Web service."
Meanwhile, WS-SecureConversation "defines extensions to allow security context establishment and sharing, and session key derivation," Nadalin said. "This allows contexts to be established and potentially more efficient keys or new key material to be exchanged, thereby increasing the overall performance and security of the subsequent exchanges."
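The session key derivation Nadalin refers to expands a shared security-context secret with a label and a fresh nonce, so each message can carry its own signing or encryption key without a new round trip to the STS. The following is an added example, not code from the article or from IBM or Microsoft; it implements the P_SHA1-based derivation a wsc:DerivedKeyToken describes, with the context secret and nonce as constructed sample values.

```python
import hmac
import hashlib
import os


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 style P_SHA1 expansion: concatenate HMAC-SHA1(secret, A(i) || seed)
    blocks, where A(0) = seed and A(i) = HMAC-SHA1(secret, A(i-1)), until at
    least `length` bytes exist, then truncate."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 16,
               label: bytes = b"WS-SecureConversation") -> bytes:
    """Derive a key from a security-context secret the way a DerivedKeyToken
    describes it: seed = label || nonce, then take `length` bytes starting at
    `offset` of the P_SHA1(secret, seed) output stream."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length must be > 0")
    stream = p_sha1(secret, label + nonce, offset + length)
    return stream[offset:offset + length]


def demo():
    # Constructed sample values: in a real exchange the context secret comes
    # from the SecurityContextToken established with the STS, and the nonce is
    # generated fresh for every derived key and sent in the DerivedKeyToken.
    context_secret = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    nonce = os.urandom(16)
    # Two keys from one context: disjoint offsets keep signing and encryption
    # key material separate even though they share a secret and nonce.
    signing_key = derive_key(context_secret, nonce, offset=0, length=16)
    encryption_key = derive_key(context_secret, nonce, offset=16, length=16)
    return signing_key, encryption_key
```

Because the receiver recomputes the same derivation from the shared secret and the transmitted nonce, offset and length, only the nonce travels on the wire and the derived key itself never does.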
WS-Trust and WS-Federation, another piece of the WS-* road map, were part of the interoperability demonstration at the conference. The demo featured three scenarios around an automotive supply chain: multiprotocol hubs, multiprotocol translator hubs and protocol translation using a WS-Trust STS. Identities were securely managed and exchanged via the SAML 1.0, SAML 2.0, Liberty Alliance, WS-Federation and WS-Trust protocols.
"Previous demos focused on a single protocol and a single version of a protocol," Gebel said. "This is a sign of maturity for federation protocols."
The demo showed that "if you're on the auto dealer side and bought a Hewlett-Packard [identity management] product, for example, and another manufacturer bought a different product, they all can make the handshake," said Rebecca Xiong, product marketing manager at DataPower Technology Inc., Cambridge, Mass., one of 14 vendors that participated in the demo. "The more [vendors] supporting protocols, the easier it is for consumers to build out their Web sites and work with partners."
Once OASIS gets the WS-Trust, WS-SecurityPolicy, and WS-SecureConversation specifications, a technical committee will be formed and the standardization process will begin, Nadalin said. As for the remaining specs in the road map -- WS-Federation, WS-Privacy and WS-Authorization -- "IBM has committed to take all the specifications in the WS Security Roadmap to a standards body. I can't comment on when and where these specifications will be taken," Nadalin said. While WS-Federation has already been involved in several interoperability demos, WS-Privacy and WS-Authorization "still remain unpublished at this time."
Microsoft's Bixhorn points to the progress made so far. "The announcement around WS-Trust, WS-SecurityPolicy and WS-SecureConversation is yet another indication of the industry rallying around interoperability through SOAP-based Web services," he said.