WS-Security, the core security specification that enables interoperability between other Web services security standards and security protocols, was ratified yesterday as a standard by OASIS.
The specification was passed 77-1 with 22% of the OASIS WS-Security
"This standard is quite an important step," said ZapThink LLC senior analyst Jason Bloomberg. "This is a key security standard in the Web Services series [of specs]. Ratification of this as a standard is important to the ability of enterprises to use the standard."
Security has long been considered a roadblock to widespread Web services adoption. Web services, essentially application-to-application communication, rely on secure message transmissions. Standards like WS-Security, SAML and others detail the encryption, authorization and access technologies and policies used by these messages.
"WS-Security handles the interoperability of the different security specifications," Bloomberg said. "It's like a level of abstraction above Kerberos, PKI, SSL and others."
WS-Security supports multiple security tokens, trust domains, signature formats and encryption technologies, according to OASIS.
"By relying on well-established and proven industry standards such as WS-Security and SAML, companies can securely expose Web services. However, implementing Web services security standards is only part of the solution," said Netegrity product manager Marc Chanliau in a statement. "Web services security should be a shared service piece of an enterprise's overall security solution, not an isolated island of security."
In addition to specifying how SOAP messages should be encrypted and decrypted, WS-Security also details authorization requirements and access privileges between applications, enterprises, suppliers and customers.
Now that developers have a working, ratified spec, vendors may accelerate their use of WS-Security in their products.
"Vendors have already been building WS-Security products for a while now. They don't want to wait [for ratification]," Bloomberg said. "Every time a specification goes through a revision like this, vendors have to adjust. This will signal the next phase, so to speak."
According to OASIS, WS-Security consists of three main components: security token propagation, message integrity and message confidentiality. These can be used independently or in different combinations, for example, signing and encrypting a message and providing a token associated with the keys.