IBM, Microsoft develop Web services security protocol

Network World - SAN DIEGO -- IBM and Microsoft Corp. are set to turn over to a standards body a key set of Web services security specifications they have been developing for establishing trust and exchanging data between partners.
In September, the pair will submit WS-Trust, WS-SecureConversation and WS-SecurityPolicy to the Organization for the Advancement of Structured Information Standards (OASIS), which will create a technical committee to develop the specifications into a standard. The two made the official announcement today at the annual Burton Group Catalyst conference.
The most significant specification of the trio is WS-Trust, which establishes a single path for moving between partners security information and security tokens of all kinds, including Kerberos, X.509, the Security Assertion Markup Language (SAML) and any others.
"This is major progress for interoperability," says Jamie Lewis, president of the Burton Group. "WS-Trust is a general-purpose token exchange protocol and a significant piece of the puzzle for an interoperable infrastructure to exchange security information of all kinds."
Lewis says WS-Trust can be used to exchange authentication and federation assertions and could be used in provisioning systems.
WS-Trust also is an important element in Microsoft's model of a standards-based distributed identity infrastructure it calls the Identity Metasystem, which it introduced in May. WS-Trust also is the cornerstone for InfoCard, an interface into user identity information that Microsoft is building into its Longhorn operating system.
The specifications are part of the set of protocols that fall under the WS-Security or so-called WS-* (pronounced "WS-Star") family of protocols that Microsoft and IBM began developing in 2002. Slowly the protocols have been transferred to standards bodies, including OASIS and the W3C.
Two significant protocols still remain to be turned over, WS-Federation and WS-Policy.
Microsoft and IBM say that will happen but have yet to provide a timetable. The two have been under significant pressure from end users and industry experts to submit the remaining specifications to help quicken the pace of standardizing the infrastructure for securing Web services.
WS-Policy appears to be the next protocol that will be submitted. Last October, IBM and Microsoft presented a workshop on WS-Policy to the W3C. The prime motivating factor, however, is that Microsoft relies on WS-Policy for its InfoCard technology.
And while Microsoft is preaching that InfoCard, which is approaching its first beta release this fall, will be a standards-based system, WS-Policy remains the only significant protocol that is not in a standards body.
"WS-Policy will be in a standards organization by the end of the year," says Anne Thomas Manes, research director for

Reprinted with permission from

For more information about enterprise networking, go to NetworkWorld.com
Story copyright 2009 Network World, Inc. All rights reserved.