
Web services security spec approved

Apr 26, 2004

The specification that will serve as the foundation for building security into Web services was officially ratified as a standard last week, paving the way for widespread corporate adoption.

The full membership of the Organization for the Advancement of Structured Information Standards (OASIS) gave final approval to Web Services Security: Simple Object Access Protocol (SOAP) Message Security 1.0, just less than two years after Microsoft, IBM and VeriSign jointly submitted it.

Included in the ratification were two authentication profiles that work under WS-Security, the Username Token Profile 1.0 and the X.509 Token Profile 1.0. Additional authentication profiles are under development within the OASIS Web Services Security Technical Committee, including profiles for Kerberos, the Security Assertion Markup Language and mobile devices.

In its most basic form, WS-Security lets Web services pass secure and signed messages. Security information is exchanged using extensions added to the headers of those messages, which are based on SOAP.

“WS-Security is essential for securing a Web services environment,” says James Kobielus, an analyst with Burton Group. “It is central to the core of standards everyone is implementing, including XML, SOAP, [Web Services Definition Language]. Its ratification is no surprise to anyone, given the impressive amount of existing support and implementation.”

Major vendors that already support WS-Security include BEA Systems, Computer Associates, HP, IBM, Microsoft, Novell, SAP and Sun.

The WS-Security specification also might help foster a single federated identity standard. Efforts from the Liberty Alliance and a group led by Microsoft and IBM have incorporated WS-Security into their federated identity specifications.

“Approval as an OASIS standard adds a level of acceptance for adoption in the marketplace,” says Patrick Gannon, CEO of OASIS. “We’ve seen a reluctance by end users to invest in moving targets. They want stability so they can reap ROI. Ratification is an important step to allow companies and governments to reference this standard specification in their projects.”

WS-Security, however, is not the end of the line. The specification is seen as the linchpin to create simple message security all the way up to federated security that cuts across corporate boundaries.

Microsoft, IBM and various partners still are working on companion specifications that rely on WS-Security as a foundation for other security services for Web services (see graphic). All are in development, but none has been approved as a standard.

WS-Security is only one piece of the Web services standards puzzle. A handful of other specifications are under development by OASIS, the World Wide Web Consortium and groups of independent vendors, including specifications for reliable messaging, process workflow, choreography and management. Experts say the group of standards is needed to convince corporate users that they can use Web services to build Web-based distributed applications.

Building blocks

The Web Services Security specification (WS-Security) is the foundation for a set of protocols designed as building blocks for creating security around Web services applications. While none has been submitted to a standards body, IBM and Microsoft have said they will be made available royalty-free.
Protocol | Description | Status
--- | --- | ---
WS-Policy | Defines how to express the capabilities and constraints of security policies. | Under IBM, Microsoft control
WS-Trust | Describes a model for establishing direct and brokered trust relationships. | Under IBM, Microsoft control
WS-Privacy | Defines how Web services state and implement privacy practices. | Not published
WS-SecureConversation | Describes how to manage and authenticate message exchanges between parties, including establishing and deriving session keys. | Under IBM, Microsoft control
WS-Federation | Describes how to manage and broker trust relationships in a heterogeneous federated environment. | Under IBM, Microsoft control
WS-Authorization | Defines how Web services manage authorization data and policies. | Not published