WS-Security specs make their debut

Holding true to their self-anointed mission to enable secure Web services between applications, organizations, and end-users, IBM Corp. and Microsoft Corp. joined a few partners on Tuesday to announce the publication of the first in a set of planned WS-Security specifications.

With assistance from VeriSign Inc., BEA Systems Inc., and RSA Security Inc., the new specifications focus specifically on business policy and security as the first salvo in implementing WS-Security.

Announced in April, WS-Security serves as a documented model of Web services capabilities for tackling potential roadblocks of the technology, including reliable messaging, security transactions, discovery, and orchestration, noted Scott Collison, director of Web services marketing for Redmond, Wash.-based Microsoft.

The specifications unveiled on Tuesday include WS-Policy, WS-Trust, and WS-SecureConversation, along with WS-SecurityPolicy, WS-PolicyAttachments, and WS-PolicyAssertions.

“We are getting broad consensus on these specifications, and it is our full intention to implement these specifications so that our customers get what they want in the areas of Web services,” said Collison. “The other part is doing some things around policies so that businesses implementing Web services have more control over how they express policies to their partners and customers who want to interact with them.”

On the policy side, WS-Security designers wanted to create a generic policy framework in addition to the ability to express security policy. These components make up WS-Policy. The WS-PolicyAttachments specification describes how a policy is attached either to an instance of a Web service or to the Web services as a whole. For example, a policy might be available only to end-users with a certain credit rating or to people who would use a particular security token.

WS-Trust allows a Web service to communicate in a common way within an environment regardless of the type of security server that exists, for instance by establishing communications between a Kerberos server and a PKI server.

Lastly, WS-SecureConversation enables users to set up a “secure context” and eliminate re-authentication for each request or message made after gaining initial access to a Web service.

Although he expressed surprise that WS-Security designers decided to delay addressing any sort of privacy as part of the first specification roll-out, Jason Bloomberg, senior analyst for Waltham, Mass.-based ZapThink, said Tuesday’s announcement is nonetheless important because it shows the continued cooperation of major IT vendors in following up on promises to standardize WS-Security.

“Now customers get to review the specifications and give feedback and vendors have to build tools, so IBM and Microsoft will be rolling out [WS-Security] tools,” said Bloomberg. “Once the standard moves along and [the] specification becomes a standard, then you’ll find multiple vendors using WS-Security-compliant products. By no means do IBM and Microsoft have a lock on this.”