RealTime IT News

Much Ado About Web Services Standards

Growing frustration over the length of time it's taking to pass Web services standards has some industry watchers wondering if Microsoft, IBM and others are moving as fast as they can.

By drawing out the process, vendors could steer customers to proprietary offerings before standards are passed by e-business groups such as OASIS, according to a source familiar with the process, who asked not to be named. Once specifications are approved, the technology that vendors nurtured in-house becomes royalty-free.

Discussions are underway, independent of the main vendors, to find ways to speed the process, especially among European customers, the source said.

In one specific example, the source, who is not affiliated with any vendor, said members of the Web Services Interoperability organization (WS-I), including Microsoft and IBM, have not acted quickly enough to finish WS-Security, a spec they co-authored in 2002, along with BEA Systems, RSA Security, SAP, and VeriSign.

WS-Security is a single piece of a puzzle that has since evolved into a deeper stack, called WSS-SMS, which includes the following specs for shoring up Web services: WS-Trust, WS-Federation, WS-Policy, WS-SecurityPolicy and WS-SecureConversation.

But standards like WS-Security and their corresponding components are taking too long and may not be satisfactory for such a sensitive issue as security, the source said. "Security is a complex technical problem to solve and there is no single spec that solves the various issues because Web services transactions come from multiple points of communication and there are a variety of ways security may be compromised," the source said.

WS-Security coasting, thank you very much

Vendors have been quick to dismiss such opinions as conspiracy theories. The notion that there is any ulterior motive was swatted aside by the vendors, and to an extent, analysts. After all, OASIS, which is shepherding the specification, is expected to ratify WS-Security at the end of the month.

A Microsoft spokesperson told internetnews.com the company "is pleased with the progress WS-Security is making with significant implementations already in the marketplace, as well as the plans for the WS-I to base their security profile on WS-Security."

Karla Norsworthy, director of Dynamic e-Business Technologies at IBM, said the 19-month window from the time parties first met regarding WS-Security and last week's call to vote on the standard seems appropriate given the stakes.

WS-I has already produced a security scenarios document that highlights use cases, which is a foundation for the Basic Security Profile, which will appear this summer. Rich Salz, involved with OASIS and WS-Security, as well as WS-I's Basic Security Working Group and other security specs like SAML, said he couldn't speak for the major vendors, but he disagrees with the source's condemnation of WS-Security.

"If anything, WS-Security is well ahead of any of the other specifications Microsoft and IBM have co-authored," Salz, who is also Chief Security Architect at XML Web services appliance maker DataPower, said. However, Salz is sympathetic to the notion that there are too many specs.

Forrester Research vice president and research director Mike Gilpin chalked up the frustration to confusion.

"I think the concerns about WS-Security are misplaced, I have no information that would lead me to think otherwise," Gilpin said. "Part of the problem may be that WS-Security is really a large umbrella over a number of more specific standards, which can be composed in a variety of ways to satisfy different needs for varying levels of security."

Support for WS-Security already exists in IBM WebSphere Application Server 5.0.2 and the WebSphere Studio Application tools suite. Microsoft's .NET platform supports WS-Security for XML Web services, as do BEA and webMethods.
