Much Ado About Web Services Standards

Growing frustration over the length of time it’s taking to pass Web services
standards has some industry watchers wondering if Microsoft, IBM and others are moving as fast as they can.

By drawing out the process, vendors could steer customers to
proprietary offerings before standards are passed by e-business groups such
as OASIS, according to a source familiar with the process, who asked not to be named. Once
specifications are approved, the technology vendors nurtured in-house
becomes royalty-free.

Discussions are underway, independent of the main vendors, to find ways to
speed the process, especially among European customers, the source said.

In one specific example, the source, who is not affiliated with any vendor,
said members of the Web Services Interoperability organization (WS-I),
including Microsoft and IBM, have not acted quickly enough to finish
WS-Security, a spec they co-authored in 2002, along with BEA Systems, RSA Security, SAP,
and VeriSign.

WS-Security is a single piece of a puzzle that has since evolved into a
deeper stack, called WSS-SMS, which includes the following specs for
shoring up Web services: WS-Trust, WS-Federation, WS-Policy,
WS-SecurityPolicy and WS-SecureConversation.

But standards like WS-Security and their corresponding components are taking
too long and may not be satisfactory for such a sensitive issue as
security, the source said. “Security is a complex technical problem to solve
and no single spec that solves the various issues because Web services
transactions come from multiple points of communication and there are a
variety of ways security may be compromised,” the source said.

WS-Security coasting, thank you very much

Vendors have been quick to dismiss such opinions as conspiracy theories. The
notion that there is any ulterior motive was swatted aside by the vendors,
and to an extent, analysts. After all, OASIS, which is shepherding the
specification, is expected to ratify WS-Security at the end of the month.

A Microsoft spokesperson told said the company “is
pleased with the progress WS-Security is making with significant
implementations already in the marketplace, as well as the plans for the
WS-I to base their security profile on WS-Security.”

Karla Norsworthy, director of Dynamic e-Business Technologies at IBM, said
the 19-month window from the time parties first met regarding WS-Security
and last week’s call to vote on the standard seems appropriate given the

WS-I has already produced security scenarios document that highlights use cases, which is a foundation for the Basic Security Profile, which will appear this summer.
Rich Salz, involved with Oasis and WS-security, as well as WS-I’s Basic
Security Working Group and other security specs like SAML,
said he couldn’t speak for the major vendors, but he disagrees with the
source’s condemnation of WS-Security.

“If anything, WS-Security is well ahead of any of the other specifications
Microsoft and IBM have co-authored,” Salz, who is also Chief Security
Architect at XML Web services appliance maker DataPower, said. However, Salz
is sympathetic to that notion that there are too many specs.

Forrester Research vice president and research director Mike Gilpin chalked
up the frustration to confusion.

“I think the concerns about WS-Security are misplaced, I have no information
that would lead me to think otherwise,” Gilpin said. “Part of the problem
may be that WS-Security is really a large umbrella over a number of more
specific standards, which can be composed in a variety of ways to satisfy
different needs for varying levels of security.”

Support for WS-Security already exists in IBM WebSphere Application Server
5.0.2 and the WebSphere Studio Application tools suite. Microsoft’s .NET
platform support WS-Security for XML Web services, as does BEA and

See page 2 for a look at the broader tangle of Web Services standards

Web services standards, broadly

Salz’s sentiment reflects an industry fraught with complicated stances: he
praises the work of the group he belongs to, but criticizes the notion of
too many specs.

At a recent Web services event in New York, Steven Ross-Talbot, co-chair of
the Web Services Choreography Working Group at the World Wide Web Consortium
(W3C), said he counted 31 Web services specs currently in the works, many of
which overlap.

On the one hand, Web services is such a complex issue with many components
that beg to be broken down into separate rules for each. On the other, too
many companies may be conjuring their own specs en route to submitting them
to OASIS or W3C.

Ronald Schmelzer, senior analyst with XML and Web services research firm,
understands the frustration.

“The problem is that there’s really no way to speed this up this process,”
Schmelzer said. “Different companies are bringing different technologies,
biases, and perspectives on security. It’s any wonder at all that companies
like Sun, IBM, and Microsoft can come to the table when they disagree on
such basic things as federated identity, security profile descriptions, and
tokens for identity.”

For this, one only has to return to the Web services security hullabaloo.
For example, the Liberty Alliance’s Liberty Web Services Framework proposes
another way to do secure Web services. As with other Liberty specifications,
it is directed at a well defined set of scenarios versus the IBM/MSFT way
of specifying a “toolbox” of secure Web services standards, according to
Randy Heffner, vice president at Forrester.

Here Heffner paints a delicate picture. He noted that although the Liberty
WSF will use WS-Security, it will say nothing about using the rest of the
IBM/MSFT WS-Security specifications until IBM/MSFT get them out the door —
and WS-Federation (another spec led by Microsoft and IBM) has some clear
conflicts with the Liberty architecture. Heffner said IBM has been charged
with getting more of its security stack into a standards body this year.

As if WS-Security and Liberty WSF aren’t enough, OASIS has its own Security
Assertion Markup Language (SAML) for single-sign on services,
which rivals characteristics put forth in Liberty’s work.

“As far as there being yet another secure Web services standard to be
proposed — I’ve not heard of anything and I would be surprised if
something were to come out,” Heffner said. “I expect that Liberty will
continue developing its capabilities, and a delay by IBM/MSFT would increase
the divergence between the two camps.”

Sun Microsystems has railed against the companies for
creating what they call duplicative standards. Case in point: a month after
Sun, Oracle others published a specification for WS-Reliabilityin 2003,
Microsoft, IBM and others introduced
one for WS-ReliableMessaging. At the end of the day, the specs are similar
enough to be described as competitive.

Following a recent conversation at a press event in New York, it’s clear
Sun’s attitude toward IBM, Microsoft and the Web services space hasn’t
changed. Joe Keller, vice president of Java Web Services and Tools Marketing
for Sun, said that beyond just the concern about jousting security specs,
the industry remains too fragmented. Keller said he would like to see more
open discourse within standards bodies OASIS and W3C.

But IBM’s Norsworthy said IBM, Microsoft and others write separate specs
precisely so users are not roped into an entire stack. “We believe that an
important characteristic of Web services specs is to make sure they are
loosely coupled. So, we make them small enough on individually so users
don’t have to deal with huge stacks. For example, some may choose to do
transactions, but not security. We don’t want to force them to do both.”

With so many specs roaming the Web services countryside, it’s no secret that
folks are disgruntled, frustrated and in some cases, concerned.

Forrester’s Heffner understands the frustration over what the source sees as
a case of Microsoft and IBM appearing to “toy with the market” all the
while assuring that they are not doing their own proprietary technology. “It
is getting annoying,” Heffner said. “I don’t fault anyone for pushing them

News Around the Web