WS-I Clears Basic Security Hurdle

Web services security, a bugbear in the adoption of distributed computing architectures, is one step
closer to being finalized.

The Web Services Interoperability Organization (WS-I) said it has finished its Basic Security Profile Working Group Draft and is making it available in order to solicit feedback from the Web services community.

The Basic Security Profile addresses transport security, SOAP

messaging security and other security considerations for the Basic
Profile 1.0, as well as the Basic Profile 1.1, Simple SOAP Binding Profile 1.0 and Attachments Profile 1.0.

The Basic Security Profile addresses the interoperability
characteristics of two main technologies: HTTP over Transport Layer Security and Web Services
Security: SOAP Message Security. HTTP over TLS is a point-to-point
technology that protects the confidentiality of all information that
flows over an HTTP connection.

SOAP Message Security safeguards SOAP messages and works when a message
passes through several intermediary waypoints, allowing differing
levels of
protection for selected portions of a message, a key characteristic in
Web
services, where several applications communicate with one another and
exchange information and conduct transactions. The Basic Security
Profile
describes a way to apply SOAP Message Security to attachments.

The group, whose members include IBM, Sun Microsystems and Microsoft,
issued
the draft at the Gartner Application Integration and Web Services
Summit in
Los Angeles Tuesday. The WS-I used a similar formula for the Basic
Profile
for Web services, which was completed last August and announced at the Web Services One conference in Boston.

Looking forward, the security profile group will incorporate the
Kerberos
Token Profile into the Basic Security Profile upon completion of the
technical work by the OASIS Web Services Security technical committee.
WS-I
is currently considering adding other token profiles such as the SAML
Token
Profile and XRML Token Profile, into the Basic Security Profile.

Naturally, the Basic Security Profile is expected to synch with other
WS-I
profiles and work with some existing specifications used to
provide
security, including the OASIS Web Services Security 1.0 specification,
which
passed
muster last month.

When the document is cleaned up and finalized, possibly later this
year, it
is expected to usher in a raft of new customers to Web services, and by
extension service-oriented architectures (SOA) . After all,
security is considered one
of
the key barriers to greater adoption in the space.