Skip the navigation

Sorting out Web services security standards

By Rich Salz, DataPower
February 3, 2005 12:00 PM ET

Computerworld - One of the most active parts of the XML Web services community is the groups developing security standards.
Today, we have more than 40 security standards in various stages of specification at several different organizations, as well as various implementations in similar states of completion and conformance.
On the one hand, this is good news, because good security is crucial to the widespread adoption of XML Web services. One of the expected benefits of XML Web services is a more direct connection between back-office systems and a larger group of potential customers by providing a common set of "Web middleware" that removes barriers to connecting. In order for this to happen without undue risk, security standards are needed that can provide assurances about identity, message content and data protection.
On the other hand, the number of security-related specifications (not to mention their page count!) can overwhelm all but a vast team of the most dedicated architects or developers. This article provides a road map to help you pick your way through the major players and the specs they're writing.
It's helpful to view the development of Web services security standards as a pipeline with three parts: initial development, standardization and profiling.

Initial development
The initial development stage tends to be led by vendor-driven organizations. Two of the most important ones are the WS-Workshop headed up by IBM and Microsoft, and the Liberty Alliance, which has more of a mix of vendors and customers.
The goal of the WS-Workshop effort is to define a SOAP-based infrastructure for secure, distributed transactions over the network. The first few dozen specifications were by Microsoft, IBM and BEA, leading some to call this the "Men In Black" (MIB) group. The process is much more open these days, although participants must sign a nondisclosure agreement so that early results aren't disclosed prematurely. They must also promise not to "taint" the process with any intellectual property that could prevent royalty-free implementations.
The WS-Workshop efforts seem to be standards-body-neutral. For example, WS-Security has been an OASIS activity for some time, while WS-Addressing just started at the World Wide Web Consortium (W3C).
But the workshop members aren't above political infighting. When the Liberty Alliance turned over its specifications to OASIS, and the SAML group picked up the "federated identity server" concept and added it to SAML 2.0, there was an effort to declare it out of scope, because it conflicted with a more general federation concept in the WS-Federation workshop specification.
The Liberty Alliance is working on Web- and XML-based federated identity. That is, trusted peers vouchsafe the originating



Our Commenting Policies