Fearful of fragmented security standards and implementation incompatibilities, one research group is putting pressure on Microsoft and IBM to submit their Web services security specifications to standards body OASIS.
The two computing giants are developing WS-* (WS star), an all-encompassing spec that addresses Web services security,
Using current OASIS standard WS-Security as its foundation, WS-* combines work being done on the WS-Policy, WS-Trust, WS-SecureConversation and WS-Federation specifications.
Burton Group analysts Dan Blum and Anne Thomas Manes wrote in a recent report that specs such as WS-Federation already overlap with features found in SAML and the Liberty Alliance. They urged Microsoft and IBM to submit WS-* to OASIS so that independent reviews and convergence with SAML and Liberty Alliance can begin.
"Customers and developers should consider implementing WS-Security over the coming months, factor the rest of WS-* into their long-term planning, and push Microsoft, IBM, their partners, and their competitors to work together constructively within OASIS," the report said.
The report said the WS-* process is moving slowly and requests from OASIS to work on WS-Trust, WS-Policy and WS-SecureConversation have been denied by Microsoft and IBM. OASIS was then left no choice but to proceed with work on SAML 2.0, which promises more federated identification capabilities, opening a bigger gap between WS-* and other specs.
Independent software vendors, meanwhile, are expected to bake in support for WS-Trust, WS-Policy and WS-SecureConversation before they are approved as standards, causing more incompatibility angst, the report said.
"If the standardization process for the higher-level specifications lags much longer, vendors may resort to building proprietary extensions to address current enterprise requirements, leading to fragmentation and vendor lock-in," the analysts wrote.
The report cautioned that Microsoft and IBM could benefit from usurping the standardization process if they issue products that support WS-*.
Microsoft and IBM have been leaders with other Web services specifications like SOAP, WSDL and UDDI that have been standardized by OASIS. Security was gaping hole in these specs that has been initially addressed by WS-Security and SAML.
WS-* is the next step in the security puzzle. It addresses authentication issues, primarily dealing with username/password, x.509 certificate, Kerberos, XrML and security token formats, Burton said.
The development process for WS-*, however, has been under thumb of Microsoft and IBM. Burton Group said other vendors were allowed to author or provide feedback on WS-*, but were also required to sign feedback agreements, "renouncing future intellectual property rights claims on the specifications and their comments about the specifications."
Some vendors who otherwise might have participated have declined because they were concerned Microsoft and IBM have too much control over the process, the report said.
" It will take considerable time to finish ambitious works such as WS-Trust, WS-Federation, and WS-Policy (in ascending order of complexity), still longer for formal standards acceptance, and even longer to work through the security implications of a complex, composable framework that introduces new risks and inter-dependencies," the report said. "It could take five years to completely specify, officially standardize, profile, security-review, and broadly deploy all important parts of the WS-* security specifications."