WS-Security, the core security specification that enables interoperability between other Web services security standards and security protocols, was ratified yesterday as a standard by OASIS.
The specification was passed 77-1 with 22% of the OASIS WS-Security technical committee voting. The lone dissenting vote was cast by Hitachi executive Yutaka Kudo, who clarified that he did not intend to hold up passage of the specification but wanted to point out a problem with the Universal Resource Identifiers (URI) in the document. The issue will be addressed and fixes incorporated in upcoming versions.
"This standard is quite an important step," said ZapThink LLC senior analyst Jason Bloomberg. "This is a key security standard in the Web Services series [of specs]. Ratification of this as a standard is important to the ability of enterprises to use the standard."
Security has long been considered a roadblock to widespread Web services adoption. Web services, essentially application-to-application communication, rely on secure message transmissions. Standards like WS-Security, SAML and others detail the encryption, authorization and access technologies and policies used by these messages.
"WS-Security handles the interoperability of the different security specifications," Bloomberg said. "It's like a level of abstraction above Kerberos, PKI, SSL and others."
WS-Security supports multiple security tokens, trust domains, signature formats and encryption technologies, according to OASIS.
"By relying on well-established and proven industry-standards such as WS-Security and SAML, companies can securely expose Web services. However, implementing Web services security standards is only part of the solution," said Netegrity product manager Marc Chanliau in a statement. "Web services security should be a shared service piece of an enterprise's overall security solution, not an isolated island of security."
In addition to specifying how SOAP messages should be encrypted and decrypted, WS-Security also details authorization requirements and access privileges between applications, enterprises, suppliers and customers.
Now that developers have a working, ratified spec, vendors may accelerate their use of WS-Security in their products.
"Vendors have already been building WS-Security products for a while now. They don't want to wait [for ratification]," Bloomberg said. "Every time a specification goes through a revision like this, vendors have to adjust. This will signal the next phase, so to speak."
According to OASIS, WS-Security comprises three main components: security token propagation, message integrity and message confidentiality. These can be used independently or in different combinations, for example, signing and encrypting a message and providing a token associated with the keys.