Q&A: VeriSign's Phillip Hallam-Baker on Web services security
Computerworld - BOSTON -- IT professionals should wait for the Web Services Security specification to be finalized and implemented before they start building sophisticated Web services that extend beyond their company's firewalls, according to the specification's co-author.
Phillip Hallam-Baker, principal scientist at Mountain View, Calif.-based VeriSign Inc., said it could take between six months and two years to nail down the WS-Security specification that he helped to write. Hallam-Baker spoke with Computerworld's Carol Sliwa about the state of Web services security during this week's XML Web Services One Conference here.
The WS-Security specification was announced in April by IBM, Microsoft Corp. and VeriSign and was turned over to the Organization for the Advancement of Structured Information Standards (OASIS). A technical committee working to advance WS-Security will hold its first face-to-face meeting next week.
Hallam-Baker was also senior author of the XML Key Management Specification (XKMS), and he served as editor of the Security Assertion Markup Language core schema and protocol specification. Here's what he had to say.
Phillip Hallam-Baker, principal scientist at VeriSign Inc.
A: Phase 1 of the Web was the human interacting with computer. And that's how we defined it at CERN. All the time we were thinking about human users talking to machines. We did do some work on machine-to-machine, but that was not what HTTP was optimized for.
What Web services are about is machine-to-machine communication. The base technology is XML and XML schema. If we want to narrow it to what types of Web service specifications are you going to be most interested in supporting -- obviously SOAP [Simple Object Access Protocol], WS-Security, XKMS.
Q: You said that users can build basic Web services today. When do you predict they'll be able to develop more sophisticated Web services?
A: I would look at it saying, first of all, don't look at Web services. Look at functionality. ... Look at the applications that meet that functionality. If there is a standard out there already and it's fine, then use it. If there isn't and you're looking to form some sort of group to build that type of functionality, then the platform to look at is Web services, because it's definitely where you'll get more programmer support, the most platform vendor support and all that great stuff.
Q: What events will need to happen for IT professionals to be able to start thinking about doing more sophisticated Web services that traverse firewalls?
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...