Web services security specs hit the standards track

By Michael Meehan, News Writer 26 Oct 2005 | SearchWebServices.com

News on SOA, EAI, Web services Digg This!     StumbleUpon     Del.icio.us

After years of development three key Web services security standards have finally made their way into the OASIS standards body, paving the way for master security policies and shared credentials in the service-oriented world.

The first meeting of the OASIS Web Services Secure Exchange (WS-SX) Technical Committee is set for early December and the WS-Trust, WS-SecureConversation and WS-SecurityPolicy specifications will be up for review. Kelvin Lawrence, chief technology officer for emerging Internet software standards for IBM, will co-chair the committee after having shepherded the specifications along through their early development.

It's kind of scary because people are trying to figure out how to build this infrastructure and the textbook's being written right now. Miko Matsumura Vice President for Techonology Standards, Infravio Inc.

"Once you begin to share credentials and engage in extended conversations, it gets you that next step toward being more dynamic," he said.

No specific timetable has been set for when the specifications will be ratified, but Lawrence noted the initial WS-Security standard took 18 months to make the journey from submission to standard.

"And that was fairly fast," he said.

WS-Trust establishes an XML syntax for managing credentials across secure domains. WS-SecureConversation will allow people to enter into multiple message conversations without having to go back to square one on the security checklist with each new message. WS-SecurityPolicy defines a general set of overarching security policies that can be associated with a Web service.

"The fact that we're getting them into the official standards process is enormously encouraging," said Andrew Nash, chief technology officer at Reactivity Inc., who co-authored the specifications. "This is critical infrastructure for Web services and service-oriented architectures."

In advance of the standards, Reactivity recently released an XML security gateway that performs some of the identity mapping between different credential formats that eventually will become the domain of WS-Trust. Lawrence said that he expects IBM's Tivoli and WebSphere product lines to feature some of the WS-SX functionality in advance of full ratification as well.

"We're trying to get stuff out so that people can use it," he said.

Miko Matsumura, vice president for technology standards at Infravio Inc., noted that customer demand for secure Web services tools has risen to the level where vendors have to get ahead of the standards work.

"It's kind of scary because people are trying to figure out how to build this infrastructure and the textbook's being written right now," he said. "It doesn't exist yet."

However, vendors are building to the proposed specifications, which have been up on IBM's developerWorks site for quite some time, which should minimize the amount of proprietary technology inside current toolsets. Ultimately, the goal of the WS-SX standards is to create a universal security system that can be linked to Web services and changed without having to change the code of the services themselves.

"You're trying to make the runtime environment even smarter," Matsumura said.

For more information Catch up on the latest news about Web services transactions specifications Learn more about Web services standards

He added that these specifications should not be viewed as new technology that customers will have to learn in order to build an SOA.

"End users should only see these things as ingredients of products they will buy," Matsumura said. "They should never have to work with all these specifications themselves."

The main specification still missing from the WS-SX grouping is WS-Federation, which will provide security across multiple domains that do not share a single identity manager. Lawrence has estimated that standard won't start its standards body life for another year, but Nash would like to see it enter sooner.

"It becomes harder and harder to deal with federation the longer it stays out of the standards bodies," he said. "Ideally this would be worked in with the other standards."

Tags: Service-oriented architecture (SOA) education,  WS-SX,  Standards,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web services security specifications The case against WS-Security SOA governance, security concerns drive XACML interop OASIS begins work on WS-Federation Web 2.0 lacks the business impact of SOA, Burton warns New BizTalk Services rolling out Malicious JavaScript threat seen growing Will acquisitions stifle SOA innovation? Web services security standards approved WS-Policy on SOA fast track, W3C approval this summer Web services and SOA security standard released Service-oriented architecture (SOA) education SOA Manifesto urges both agility and business focus SOA skills, slings and arrows Playbook for the SOA Red Zone Win SOA Design Patterns book Take part in SearchSOA.com survey. Help define the state of SOA. New year – same old SOA tempests? The annals of SOA Talk Software architects navigate transitions Ten ways to identify services Analysts, users find roadblocks along the SOA highway Service-oriented architecture (SOA) education Research WS-SX Web Service Test Forum launched by vendors Burton: WS-* specs good, but SOA security needs more WS-Trust goes Ping An emerging XML Web services security infrastructure New security standards seek to establish trust Standards, tools vital to Web services security XML Security Tutorial Giants pressured to submit Web services specs to OASIS Determining from WSDL if a Web service supports XML signature Support for XML Signature/encryption

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary WS-SecureConversation  (SearchSoftwareQuality.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary