Microsoft and IBM moved one step closer to turning their security specification into a standard on Tuesday.
Clearing a significant hurdle for the WS-Security standard to gain recognition as a trusted means for applying security to Web services, standards body OASIS (Organization for the Advancement of Structure Information Standards) formed a technical committee to give vendors a crack at the immature specification.
First published in April as part of a working partnership between Microsoft, IBM, and VeriSign Inc., the WS-Security specification defines a standard set of SOAP extensions, or message headers, which can be used to set and unify multiple security models, mechanisms, and technology -- such as encryption and digital signatures for instance -- onto Web services applications which traverse the Internet.
Aside from an initial WS-Security road map, the trio also proposed specifications yet to come that address a variety of other security, policy, messaging, and trust issues associated with Web services security. They include WS-Policy, WS-Trust, WS-Privacy, WS-Secure Conversation, WS-Federation, and WS-Authorization.
The first meeting of the technical committee is slated be held the first week of September and hosted by Sun Microsystems, said officials of the Billerica, Mass.-based OASIS standards consortium in a statement on Tuesday.
"We are encouraged to see Microsoft and IBM contributing their specification under royalty-free terms to OASIS," said Bill Smith, director of Liberty Alliance Technology at Palo Alto, Calif.-based Sun Microsystems in a statement. "It will now be possible for the community to evaluate and build upon this technology out in the open."
Largely due to its reluctance to join the IT and vertical vendor-led Liberty Alliance Consortium and its mission to create a standard for federating identities online up until last week, Microsoft has been criticized by many in the past for a perceived heavy proprietary leaning toward Web services security. The Redmond, Wash.-based software behemoth, however, is slowly warming up to open-source efforts at the behest of some very large financial and corporate customers unwilling to be squeezed out of any standards that emerge, said John Pescatore, vice president and research director of network security at Stamford, Conn.-based Gartner.
"In the financial world, big banks and credit card vendors have been very aggressive; they don't want proprietary control. In a lot of large enterprises, United and people of that ilk have been part of the Liberty committee. That's been the mechanism -- where they've been big buyers of Microsoft technology and are telling Microsoft 'we want these two [standards] to work together,'" Pescatore said. "But I think we need to see that pressure ratchet up here."
From the non-Microsoft side, Pescatore said it is not surprising that vendors such as Sun and other Liberty members pursued OASIS WS-Security technical committee membership due to vested interests and plugging particular holes the Liberty Alliance specification 1.0 is not designed to answer.
"WS-Security is technologically neutral and really needed. Sun and Liberty have to make sure that WS-Security stays open and they're onboard. I think this is why you see them trying to leap on here ... it's a reactive mode," he added.
Pescatore contends that the true vendor "battle" over specifications will arrive after the other WS-Security road map, or "undefined layers," begin to be revealed. He said the overly complex remaining layers could lead IBM and Microsoft to lean too much toward .Net and Kerberos.
The WS-Security specification will be engaged and advanced by BEA Systems, Sun Microsystems, IBM, Fujitsu, Intel, SAP, Commerce One, webMethods, TIBCO, IONA, Novell, Oblix, VeriSign, Blockade Systems, OpenNetwork, XML Global, Perficient, Documentum, SeeBeyond, Sonic Software, as well as other OASIS members.