New Web services standards proposed

Microsoft Corp., IBM Corp. and VeriSign Inc. on April 12 announced a joint effort to craft new standards for addressing security concerns that many corporate users have raised about Web services.

Web services aim to help companies link their applications to the often disparate systems of their partners and customers through XML-based messages sent via the Simple Object Access Protocol (SOAP). But few companies have been rushing to build Web services, and one of their oft-cited concerns has been the lack of a solid security model.

Officials from Microsoft, IBM and Mountain View, Calif.-based VeriSign said they hope the new specification they have co-authored, called WS-Security, will serve as a starting point for tackling the problem. WS-Security, in part, calls for support of World Wide Web Consortium standards for XML message encryption and digital signatures. The specification also serves as the foundation for a broader road map of additional security standards that the vendors plan to work on with other industry participants.

“You have to start somewhere,” said Bob Sutor, IBM’s director for e-business standards strategy. “This is our intellectual contribution to get this started.”

John Meyer, an analyst at Cambridge, Mass.-based Giga Information Group Inc., said the move represents a logical step for Microsoft, IBM and VeriSign. But he noted that some of the security issues the group may address could potentially put it in conflict with security efforts from rival vendors, such as Sun Microsystems Inc.

“People are going to have to look at how flexible and open the [WS-Security] specification is,” Meyer said.

The road map published by IBM and Microsoft defines additional standards they intend to pursue and turn over to appropriate standards bodies at a later date. Those include: WS-Policy, for defining capabilities and constraints in security policies; WS-Trust, for establishing direct and brokered relationships; WS-Privacy, for implementing privacy practices; WS-Secure Conversation, for managing and authenticating message exchanges; WS-Federation, for managing and brokering trust relationships in heterogeneous environments that use different security models; and WS-Authorization, for defining how Web services manage authorization data and policies.

Steven VanRoekel, director of Web services marketing at Microsoft, said he expects those additional specifications will be completed within 12 to 18 months. IBM’s Sutor asserted that the group will be “inclusive,” and he said he welcomes the input of other industry players.

The WS-Security effort marks a continuation of work between IBM and Microsoft to develop Web services standards, such as SOAP and Universal Description, Discovery and Integration (UDDI). They’re also spearheading a WS-Interoperability group that promotes Web services interoperability across platforms, operating systems and programming languages.

Their WS-Security effort has taken the same name as an initiative announced last year by Microsoft. But VanRoekel said the new joint effort is more comprehensive than Microsoft’s past attempt to push forward security standards.