Much Ado About Web Services Standards
Share this Article
Digg
Del.icio.us
Newsvine
Facebook
Google
LinkedIn
MySpace
Reddit
Slashdot
StumbleUpon
Technorati
Twitter
Windows Live
YahooBuzz
FriendFeed
Growing frustration over the length of time it's taking to pass Web services
standards has some industry watchers wondering if Microsoft,
By drawing out the process, vendors could steer customers to
proprietary offerings before standards are passed by e-business groups such
as OASIS, according to a source familiar with the process, who asked not to be named. Once
specifications are approved, the technology vendors nurtured in-house
becomes royalty-free.
Discussions are underway, independent of the main vendors, to find ways to
speed the process, especially among European customers, the source said.
In one specific example, the source, who is not affiliated with any vendor,
said members of the Web Services Interoperability organization (WS-I),
including Microsoft and IBM, have not acted quickly enough to finish
WS-Security, a spec they co-authored in 2002, along with BEA Systems,
WS-Security is a single piece of a puzzle that has since evolved into a
deeper stack, called WSS-SMS, which includes the following specs for
shoring up Web services: WS-Trust, WS-Federation, WS-Policy,
WS-SecurityPolicy and WS-SecureConversation.
But standards like WS-Security and their corresponding components are taking
too long and may not be satisfactory for such a sensitive issue as
security, the source said. "Security is a complex technical problem to solve
and no single spec that solves the various issues because Web services
transactions come from multiple points of communication and there are a
variety of ways security may be compromised," the source said.
WS-Security coasting, thank you very much
Vendors have been quick to dismiss such opinions as conspiracy theories. The
notion that there is any ulterior motive was swatted aside by the vendors,
and to an extent, analysts. After all, OASIS, which is shepherding the
specification, is expected to ratify WS-Security at the end of the month.
A Microsoft spokesperson told internetnews.com said the company "is
pleased with the progress WS-Security is making with significant
implementations already in the marketplace, as well as the plans for the
WS-I to base their security profile on WS-Security."
Karla Norsworthy, director of Dynamic e-Business Technologies at IBM, said
the 19-month window from the time parties first met regarding WS-Security
and last week's call to vote on the standard seems appropriate given the
stakes.
WS-I has already produced security scenarios document that highlights use cases, which is a foundation for the Basic Security Profile, which will appear this summer.
Rich Salz, involved with Oasis and WS-security, as well as WS-I's Basic
Security Working Group and other security specs like SAML,
"If anything, WS-Security is well ahead of any of the other specifications
Microsoft and IBM have co-authored," Salz, who is also Chief Security
Architect at XML Web services appliance maker DataPower, said. However, Salz
is sympathetic to that notion that there are too many specs.
Forrester Research vice president and research director Mike Gilpin chalked
up the frustration to confusion.
"I think the concerns about WS-Security are misplaced, I have no information
that would lead me to think otherwise," Gilpin said. "Part of the problem
may be that WS-Security is really a large umbrella over a number of more
specific standards, which can be composed in a variety of ways to satisfy
different needs for varying levels of security."
Support for WS-Security already exists in IBM WebSphere Application Server
5.0.2 and the WebSphere Studio Application tools suite. Microsoft's .NET
platform support WS-Security for XML Web services, as does BEA and
webMethods.
See page 2 for a look at the broader tangle of Web Services standards IBM
and others are moving as fast as they can.
RSA Security, SAP,
and VeriSign.
