Tech Update
Microsoft, IBM offer WS-Security spec to OASIS
By Eric Knorr
June 27, 2002

Today is a watershed day for Web services.

Microsoft, IBM, and VeriSign have submitted WS-Security, a group of Web services security specs first announced last April, to the OASIS standards group. The growing list of all-star players that have already agreed to serve on the OASIS technical committee includes BEA, Cisco, Intel, Iona, Novell, RSA, SAP, and--drum roll, please--Sun Microsystems.

For those who've watched the promise of Web services falter in the face of the often vitriolic Microsoft-Sun rivalry, the news couldn't be more welcome. Bill Smith, Sun's director of Liberty Alliance technology (and a past president of OASIS), sees the decision to submit WS-Security to OASIS as an unmistakable olive branch from Microsoft. "We were surprised and very pleased that we were approached to participate," he says. "You can expect to see us engaged very heavily."

Just as important as the players involved, however, is the decision by Microsoft, IBM, and VeriSign to ensure WS-Security will be royalty-free. Explicitly, no party will be able to collect licensing fees from the use of WS-Security, a stipulation that Smith told me was a prerequisite for Sun's participation. He believes the proposed royalty-free license is "sufficient in all regards. Had they not done that, we would not have participated."

"I hope you see from the list of participating companies that this is meant to be an industry-inclusive type of activity," stresses Bob Sutor, IBM's director of e-business standards strategy. However, Sutor downplays the political implications of choosing OASIS, arguing that the standards organization was selected mainly for its history of evangelizing XML directly to business users. But it's hard to imagine a stronger message to the industry that the Web services "movement," as IBM likes to call it, is determined to rise above petty differences.

And what about the good old W3C? Previously, Microsoft and IBM submitted the basic Web services protocols, SOAP and WSDL, to the W3C for approval. Steven VanRoekel, director of Web services technical marketing for Microsoft, is careful to note that "this is not a departure from the W3C in any way," contending that the W3C will almost certainly be on the receiving end of other Microsoft standards proposals--and that OASIS' previous security work simply made it a more appropriate choice this time around.

OASIS' foremost security effort has been the Security Assertion Markup Language (SAML), which provides an XML framework for exchanging authentication and authorization credentials. According to Phillip Hallam-Baker, principal scientist for VeriSign, one of the key goals of the technical committee will be to determine exactly how WS-Security and SAML interact. When Hallam-Baker was involved in writing SAML, he says, it was understood another spec would need to spell out the confidentiality and integrity checks required for Web services messages. "There was kind of a hole in the spec where we said, 'Put WS-Security here,' although we didn't have the name yet."

According to Sutor, choosing OASIS for WS-Security was also meant to quell speculation once and for all that the Web Services Interoperability (WS-I) organization will go beyond its current charter--fostering Web services compatibility across tools and platforms--and become a standards organization itself. "The WS-I is about interoperability," he says. "There's been confusion generated--I don't know why--about whether it's doing standards or not, but we've always said it's not. They've been very busy working on the interoperability of the basic things. I would hope and expect that at a later date they start looking at WS-Security."

Hope seems to be the operative word. Sutor, VanRoekel, and Hallam-Baker all assert that the threat of debilitating conflict over Web services standards has been more perception than reality. But things have come a long way since, only a couple of months ago, Microsoft .Net group product manager John Montgomery snarled in my ear: "I should be really clear: OASIS is not doing Web services." Today's announcement isn't exactly world peace. But it's a big step down the road toward Web services' future vision, where a new breed of Internet-based applications can rely on secure, machine-to-machine communications anytime, anywhere.

Does agreement on a security framework heighten your interest in Web services development? Or do you still plan to wait and see? E-mail Eric or TalkBack below.
