Web Services Security Protocols Pass Muster

After some concern in the industry about its progress, the Web Services Security (WS-Security) specification was passed as an official standard by e-business standards group OASIS.

OASIS Wednesday also announced the commencement of work on service-oriented architectures based on ebXML and Web services.

Forged by Microsoft, IBM and several other high-tech vendors, WS-Security describes a protocol for securing and managing the identity and integrity of Web services messages in complex networks.

Web services, which allow applications to talk to one another, are created in order to conduct major business transactions on the Web. As a result, message preservation and the archiving of message contents are crucial to the widespread adoption of Web services frameworks.

But agreement on a common standard for secure messaging among Web services working groups has been elusive thus far. Indeed, some industry experts have expressed concern that a lack of a strong security standard in this space is holding down adoption and pilot programs.

The latest WS-Security protocol seeks to address those concerns because its many components provide a richly detailed framework for writing secure Web services applications. But vendor support is also vital to its validation and success.

According to OASIS meeting minutes, the spec had been briefly held up because of a disagreement, raised by a Hitachi committee member, over a technical issue involving Universal Resource Identifiers (URI), each a member of a universal set of names in registered name spaces and addresses referring to registered protocols or name spaces. The WS-Security committee passed it with the idea of resolving the URI issue later.

ZapThink Senior Analyst Jason Bloomberg said the passage is an important milestone in the development of interoperability standards. The analyst, whose firm covers XML and Web services issues, told internetnews.com the hiccup is a typical occurrence when vendors come together to hammer out a standard as important as WS-Security, and illustrates how much of a challenge reaching consensus on such standards can be. The resulting standards promise to be robust and widely applicable.

Meanwhile, OASIS also said it plans to advance an electronic business architecture that builds on ebXML, a standard for describing how business transactions may be conducted via the Web, and other Web services technology, such as WSDL and SOAP from the World Wide Web Consortium (W3C).

The new OASIS Electronic Business Service Oriented Architecture (ebSOA) technical committee, whose members include Adobe Systems, Commerce One and Cyclone Commerce, will use ebXML Technical Architecture v1.04 to describe a service-oriented architecture and implementation techniques that employ ebXML OASIS Standards, recently approved as ISO 15000.

For OASIS, the move to embrace SOAs, which may serve as the underpinning for Web services development, marks a departure from the organization’s previous approach of pushing ebXML alone for supporting global Web-based transactions, according to ZapThink Senior Analyst Ronald Schmelzer.

“At first, it seemed that the group was presenting a competitive alternative to Web Services with their ebXML specifications, and as a result, the specifications languished with lack of adoption,” Schmelzer told internetnews.com. “They have now taken a much more positive tack with their whole-hearted adoption of SOA as the cornerstone of their ebXML message, and with it, a much more positive stance towards inclusion with Web Services specifications.”

Karl Best, vice president of OASIS, explained his group’s turnaround.

“The adopter’s picture of a ‘complete’ set of modular services is far more expansive and addresses greater functionalities than were contemplated in the original ebXML architecture,” Best said in a public statement.

Duane Nickull of Adobe Systems, convener and proposed chair of the OASIS ebSOA Technical Committee, said in the statement that a current SOA is integral to helping enterprises integrate and distribute business processes across multiple systems with reliability and security.

The OASIS ebSOA technical committee will hold its first meeting on April 29 following the OASIS Symposium on Reliable Infrastructures in New Orleans.
