Microsoft, IBM identity plan criticized

Sun, Oracle, Nokia and France Telecom among those objecting

By John Fontana , Network World , 05/02/2007

Share/Email
Tweet This
Comment
Print

A protocol developed by IBM and Microsoft for standardizing the sharing of user identities between companies was turned over to a standards body on Wednesday amid controversy that it overlaps with similar protocols already recognized as standards.

The Organization for the Advancement of Structured Information Standards (OASIS) says it has created a committee to guide Web Services Federation Language (WS-Federation) version 1.1 through the standards process.

Cisco : Download now

Procotol work stirs controversy
The Organization for the Advancement of Structured Information Standards (OASIS) has agreed to put Web Services Federation Language (WS-Federation) on a standards track, but critics say it overlaps work already done in the Security Assertion Markup Language (SAML) 2.0.

April 2002	Microsoft, IBM, VeriSign proposed WS-Federation as one part of larger Web Service Security architecture.
July 2003	WS-Federation 1.0 published.
March 2005	SAML 2.0 specification approved by OASIS.
May 2005	Burton Group report highlights benefits of converging browser-based federation models in SAML 2.0 and WS-Federation.
December 2006	WS-Federation 1.1 published.
March 2007	OASIS proposes charter for WS-Federation technical committee.
April 2007	Critics air objections to OASIS charter, including Nokia, France Telecom, NTT, Sun and Oracle.
May 2007	WS-Federation technical committee launched.

Click to see: Protocol work stirs controversy

The protocol, one of many in the WS-* stack of security protocols, lets companies share identities and security tokens. IBM and Microsoft developed WS-Federation in 2002 along with a number of other proprietary Web Services protocols using the “WS” naming convention. Many, such as WS-Trust, has been turned over to standards bodies, but others, such as WS-Transfer have not.

Related Content

The WS-Federation specification has dependencies on both those protocols in order to function properly.

Critics of the move to standardize WS-Federation say the protocol overlaps work already done by OASIS as part of the Security Assertion Markup Language (SAML) 2.0 specification, most notably browser-based federation as part of WS-Federation’s Passive Requestor Profile. SAML 2.0 was standardized by OASIS in 2005.

Those same critics also are concerned with WS-Federation’s dependency on protocols such as WS-Transfer that are not yet standards.

“With the proposed scope, it would appear that the inevitable result can only be unfortunate duplication of existing SAML 2.0 functionality, with the consequent complexity and cost eventually assumed by technology customers,” Paul Madsen of NTT's Information Sharing Platform Laboratory wrote in a comment to OASIS on the formation of the WS-Federation technical committee.

Sun, Oracle, Nokia and France Telecom also raised objections.

“There is some redundancy and overlap at this point that we think is a bit confusing to the marketplace and we would like to see that more clearly defined in the work of this new OASIS technical committee,” says Gerry Gebel, an analyst with the Burton Group. “They have the opportunity to address this issue because OASIS is the home of SAML. We have seen previously where SAML 1.x and Shibboleth and Liberty Alliance ID-FF came together under that umbrella.”