RealTime IT News

WS-I Clears Basic Security Hurdle

Web services security, a bugbear in the adoption of distributed computing architectures, is one step closer to being finalized.

The Web Services Interoperability Organization (WS-I) said it has finished its Basic Security Profile Working Group Draft and is making it available in order to solicit feedback from the Web services community.

The Basic Security Profile addresses transport security, SOAP messaging security and other security considerations for the Basic Profile 1.0, as well as the Basic Profile 1.1, Simple SOAP Binding Profile 1.0 and Attachments Profile 1.0.

The Basic Security Profile addresses the interoperability characteristics of two main technologies: HTTP over Transport Layer Security and Web Services Security: SOAP Message Security. HTTP over TLS is a point-to-point technology that protects the confidentiality of all information that flows over an HTTP connection.

SOAP Message Security safeguards SOAP messages and works when a message passes through several intermediary waypoints, allowing differing levels of protection for selected portions of a message, a key characteristic in Web services, where several applications communicate with one another and exchange information and conduct transactions. The Basic Security Profile describes a way to apply SOAP Message Security to attachments.

The group, whose members include IBM, Sun Microsystems and Microsoft, issued the draft at the Gartner Application Integration and Web Services Summit in Los Angeles Tuesday. The WS-I used a similar formula for the Basic Profile for Web services, which was completed last August and announced at the Web Services One conference in Boston.

Looking forward, the security profile group will incorporate the Kerberos Token Profile into the Basic Security Profile upon completion of the technical work by the OASIS Web Services Security technical committee. WS-I is currently considering adding other token profiles such as the SAML Token Profile and XRML Token Profile, into the Basic Security Profile.

Naturally, the Basic Security Profile is expected to synch with other WS-I profiles and work with some existing specifications used to provide security, including the OASIS Web Services Security 1.0 specification, which passed muster last month.

When the document is cleaned up and finalized, possibly later this year, it is expected to usher in a raft of new customers to Web services, and by extension service-oriented architectures (SOA) . After all, security is considered one of the key barriers to greater adoption in the space.