
Web services security specs hit the standards track

By Michael Meehan, News Writer
27 Oct 2005 | SearchWebServices.com


After years of development, three key Web services security standards have finally made their way into the OASIS standards body, paving the way for master security policies and shared credentials in the service-oriented world.

The first meeting of the OASIS Web Services Secure Exchange (WS-SX) Technical Committee is set for early December and the WS-Trust, WS-SecureConversation and WS-SecurityPolicy specifications will be up for review. Kelvin Lawrence, chief technology officer for emerging Internet software standards for IBM, will co-chair the committee after having shepherded the specifications along through their early development.

"Once you begin to share credentials and engage in extended conversations, it gets you that next step toward being more dynamic," he said.

No specific timetable has been set for when the specifications will be ratified, but Lawrence noted the initial WS-Security standard took 18 months to make the journey from submission to standard.

"And that was fairly fast," he said.

WS-Trust establishes an XML syntax for managing credentials across secure domains. WS-SecureConversation will allow people to enter into multi-message conversations without having to go back to square one on the security checklist with each new message. WS-SecurityPolicy defines a general set of overarching security policies that can be associated with a Web service.

"The fact that we're getting them into the official standards process is enormously encouraging," said Andrew Nash, chief technology officer at Reactivity Inc., who co-authored the specifications. "This is critical infrastructure for Web services and service-oriented architectures."

In advance of the standards, Reactivity recently released an XML security gateway that performs some of the identity mapping between different credential formats that eventually will become the domain of WS-Trust. Lawrence said that he expects IBM's Tivoli and WebSphere product lines to feature some of the WS-SX functionality in advance of full ratification as well.

"We're trying to get stuff out so that people can use it," he said.

Miko Matsumura, vice president for technology standards at Infravio Inc., noted that customer demand for secure Web services tools has risen to the level where vendors have to get ahead of the standards work.

"It's kind of scary because people are trying to figure out how to build this infrastructure and the textbook's being written right now," he said. "It doesn't exist yet."

However, vendors are building to the proposed specifications, which have been up on IBM's developerWorks site for quite some time; that should minimize the amount of proprietary technology inside current toolsets. Ultimately, the goal of the WS-SX standards is to create a universal security system that can be linked to Web services and changed without having to change the code of the services themselves.

"You're trying to make the runtime environment even smarter," Matsumura said.

He added that these specifications should not be viewed as new technology that customers will have to learn in order to build an SOA.

"End users should only see these things as ingredients of products they will buy," Matsumura said. "They should never have to work with all these specifications themselves."

The main specification still missing from the WS-SX grouping is WS-Federation, which will provide security across multiple domains that do not share a single identity manager. Lawrence has estimated that standard won't start its standards body life for another year, but Nash would like to see it enter sooner.

"It becomes harder and harder to deal with federation the longer it stays out of the standards bodies," he said. "Ideally this would be worked in with the other standards."

This news article originally appeared on SearchWebServices.com.
