
IBM, Microsoft, VeriSign team on Web-services security



IBM, Microsoft and VeriSign today published a Web services security specification they hope will fill what has become the most glaring hole in the nascent technology.

Making the announcement at Microsoft's annual Tech Ed conference, the three companies said the specification called WS-Security outlines how to integrate disparate security systems such as Kerberos or Public Key Infrastructure using a set of extensions to the Simple Object Access Protocol (SOAP). The initial specification includes two base extensions and the trio plans to develop six others.

In essence, WS-Security will allow Web services to pass secure and signed messages, a process that today requires a patchwork of proprietary technology.

Web services are a collection of standard protocols based on XML that can be used to integrate disparate applications and back-end systems.

"What SOAP did for Web services two years ago is the same thing this specification will do for Web services security," says Bob Sutor, director for e-business standards strategy at IBM. SOAP, a standard for transporting XML documents, has become a cornerstone of Web services protocols.

"This goes a long way toward solving security. It's a set of components so you can build the level of security that you need."

This is the third time a security specification for Web services has been proposed. In January of 2001, IBM and Microsoft submitted for discussion a recommendation called SOAP Security to the World Wide Web Consortium. In October, Microsoft, as part of an effort called Global XML Web Services Architecture (GXA), announced it was working on four XML protocols, including one called WS-Security.

This most current work is the culmination of the previous efforts, according to Microsoft officials.

This time the specification, jointly authored by the trio of vendors, will be formally submitted to a yet-to-be-determined standards body following a public review period of up to four months. WS-Security is made up of two base extensions - encryption and message integrity, which can flag a SOAP message that has been altered during transport.

The trio also proposed a roadmap for the evolution of Web services security, called "Security in a Web Services World," that details six other security extensions built on the WS-Security foundation for such functions as expressing security policies, trust relationships, federation and authorization.

All three companies, which published the specification on their Web sites today, say WS-Security is the missing link that will let companies securely use Web services outside a firewall. Security has become the Achilles' heel to adoption of Web services for use in business-to-business electronic commerce.

But security isn't the only issue to be solved. Standards also are needed for reliable and asynchronous messaging, business-process workflow, and transactional integrity.

But security is the first step in delivering the other standards, the companies say.

The publication of the security specification follows on the heels of IBM and Microsoft's recent creation of the Web Services Interoperability Organization (WS-I), which is charged with promoting interoperable implementations of Web services protocols. The group is scheduled to hold its first meeting next week.

"We will try to get the WS-I to add WS-Security to its agenda," says Steven VanRoekel, director of Web services marketing for Microsoft.

The trio also hopes to garner support from other leading vendors, including Sun Microsystems, Oracle and BEA Systems. Those vendors along with IBM, Microsoft and VeriSign are already partners in VeriSign's Digital Trust Services Framework for building trust Web services, which was announced in February.

"Hopefully this will be the first real specification to plug into that framework," says Marcie Verdin, director of enterprise marketing for VeriSign.

Verdin hopes the six extensions proposed in the Web services roadmap also will fit under that umbrella.

Those extensions are:

  • WS-Policy, which would be used for expressing security policies.
  • WS-Trust, a model for direct and brokered trust relationships.
  • WS-Privacy, which would define and implement privacy practices.
  • WS-Secure Conversation, which would manage and authenticate message exchanges.
  • WS-Federation, which would be used to manage and broker trust relationships in a heterogeneous federated environment.
  • WS-Authorization, which would define how to manage authorization data and policies.

"The entire program of extensions will take 12 to 18 months to get standardized specs," says IBM's Sutor. "We will start to roll out drafts of those specifications over the next couple of months." IBM plans to support WS-Security in its Web Services Toolkit that will go up on its AlphaWorks Web site this week. Microsoft is adding support into the Web services tools it makes available on its Microsoft Developer Network, and VeriSign plans to add WS-Security tools to its XML TrustCenter Web site.

    Contact Senior Editor John Fontana
