Web services security spec approved

The specification that will serve as the foundation for building security into Web services was officially ratified as a standard last week, paving the way for widespread corporate adoption.

The full membership of the Organization for the Advancement of Structured Information Standards (OASIS) gave final approval to Web Services Security: Simple Object Access Protocol (SOAP) Message Security 1.0 was approved just less than two years after Microsoft, IBM and VeriSign jointly submitted it.

Included in the ratification were two authentication profiles that work under WS-Security, the Username Token Profile 1.0 and the X.509 Token Profile 1.0. Additional authentication profiles are under development within the OASIS Web Services Security Technical Committee, including profiles for Kerberos, the Security Assertion Markup Language and mobile devices.

In its most basic form, WS-Security lets Web services pass secure and signed messages. Security information is exchanged using extensions added to the headers of those messages, which are based on SOAP.

“WS-Security is essential for securing a Web services environment,” says James Kobielus, an analyst with Burton Group. “It is central to the core of standards everyone is implementing, including XML, SOAP, [Web Services Definition Language]. Its ratification is no surprise to anyone, given the impressive amount of existing support and implementation.”

Major vendors that already support WS-Security include BEA Systems, Computer Associates, HP, IBM, Microsoft, Novell, SAP and Sun.

The WS-Security specification also might help foster a single federated identity standard. Efforts from the Liberty Alliance and a group led by Microsoft and IBM have incorporated WS-Security into their federated identity specifications.

“Approval as an OASIS standard adds a level of acceptance for adoption in the marketplace,” says Patrick Gannon, CEO of OASIS. “We’ve seen a reluctance by end users to invest in moving targets. They want stability so they can reap ROI. Ratification is an important step to allow companies and governments to reference this standard specification in their projects.”

WS-Security, however, is not the end of the line. The specification is seen as the linchpin to create simple message security all the way up to federated security that cuts across corporate boundaries.

Microsoft, IBM and various partners still are working on companion specifications that rely on WS-Security as a foundation for other security services for Web services (see graphic). All are in development, but none has been approved as a standard.

WS-Security is only one piece of the Web services standards puzzle. A handful of other specifications are under development by OASIS, the World Wide Web Consortium and groups of independent vendors, including specifications for reliable messaging, process workflow, choreography and management. Experts say the group of standards is needed to convince corporate users that they can use Web services to build Web-based distributed applications.