After years of development, three key Web services security standards have finally made their way into the OASIS standards body, paving the way for master security policies and shared credentials in the service-oriented world.
The first meeting of the OASIS Web Services Secure Exchange (WS-SX) Technical Committee is set for early December and the WS-Trust, WS-SecureConversation and WS-SecurityPolicy specifications will be up for review. Kelvin Lawrence, chief technology officer for emerging Internet software standards for IBM, will co-chair the committee after having shepherded the specifications along through their early development.
"Once you begin to share credentials and engage in extended conversations, it gets you that next step toward being more dynamic," he said.
No specific timetable has been set for when the specifications will be ratified, but Lawrence noted the initial WS-Security standard took 18 months to make the journey from submission to standard.
"And that was fairly fast," he said.
WS-Trust establishes an XML syntax for managing credentials across secure domains. WS-SecureConversation will allow people to enter into multiple-message conversations without having to go back to square one on the security checklist with each new message. WS-SecurityPolicy defines a general set of overarching security policies that can be associated with a Web service.
"The fact that we're getting them into the official standards process is enormously encouraging," said Andrew Nash, chief technology officer at Reactivity Inc., who co-authored the specifications. "This is critical infrastructure for Web services and service-oriented architectures."
In advance of the standards, Reactivity recently released an XML security gateway that performs some of the identity mapping between different credential formats that eventually will become the domain of WS-Trust. Lawrence said that he expects IBM's Tivoli and WebSphere product lines to feature some of the WS-SX functionality in advance of full ratification as well.
"We're trying to get stuff out so that people can use it," he said.
Miko Matsumura, vice president for technology standards at Infravio Inc., noted that customer demand for secure Web services tools has risen to the level where vendors have to get ahead of the standards work.
"It's kind of scary because people are trying to figure out how to build this infrastructure and the textbook's being written right now," he said. "It doesn't exist yet."
However, vendors are building to the proposed specifications, which have been up on IBM's developerWorks site for quite some time; this should minimize the amount of proprietary technology inside current toolsets. Ultimately, the goal of the WS-SX standards is to create a universal security system that can be linked to Web services and changed without having to change the code of the services themselves.
"You're trying to make the runtime environment even smarter," Matsumura said.
He added that these specifications should not be viewed as new technology that customers will have to learn in order to build an SOA.
"End users should only see these things as ingredients of products they will buy," Matsumura said. "They should never have to work with all these specifications themselves."
The main specification still missing from the WS-SX grouping is WS-Federation, which will provide security across multiple domains that do not share a single identity manager. Lawrence has estimated that standard won't start its standards body life for another year, but Nash would like to see it enter sooner.
"It becomes harder and harder to deal with federation the longer it stays out of the standards bodies," he said. "Ideally this would be worked in with the other standards."