RealTime IT News

Vendors Forge Web Services Security Group

UPDATED: Purveyors of Web services are so concerned with security that they have formed a technical committee to improve the work of the WS-Security standard created by OASIS.

Microsoft, IBM, BEA Systems and other top software makers will lead Web Services Secure Exchange (WS-SX), a group to improve the way users safely exchange SOAP messages for Web services transactions. WS-SX will also define security policies for those messages.

WS-SX is meant to build upon specs for WS-SecurityPolicy (WS-SP), WS-Trust and WS-SecureConversation (WS-SC).

WS-Trust describes a framework for managing trust relationships between parties exchanging information. WS-SecureConversation provides a secure context for groups to exchange multiple messages without re-authenticating. WS-SecurityPolicy defines general security policies for services.

Ari Bixhorn, director of Web services strategy for Microsoft, said WS-SX has been in the plans as an add-on to WS-Security since day one.

"We had to lay the foundation with WS-Security first and then add this additional functionality on top of it," Bixhorn said in an interview.

While WS-Security provides a baseline for secure Web services communication, WS-Trust, WS-SP, WS-SC and now WS-SX provide long-running, secure Web services conversations. They also allow for Web services to expose their security requirements in a way that other Web services can understand.

"If I build a Web service, I want other people to communicate with it," Bixhorn said. "So I need to be able to express what my security requirements for that Web service would be, such as the token type required and protocol requirements.

"Once I've established secure communication between Web services, SecureConversation allows me to continue a long-running Web service communication in a secure fashion."

The WS-SX group will first convene in December under the auspices of OASIS.

Web services development continues to chug along, with major, medium-sized and small companies all clamoring for pieces of the multi-billion-dollar Web services and service-oriented architecture (SOA) pie.

Security was long considered one of the stumbling blocks for the proliferation and facilitation of Web services.

One of the concerns going back four years or so was that Microsoft, IBM and other competitors in the software space would not be able to put aside their differences to improve Web services security, interoperability and management.

But Microsoft and IBM have never been closer, working on various aspects of WS-Security and other core tenets in the WS-* canon fathered by OASIS.