WS-I Forges Web Services Security Group

The Web Services Interoperability
(WS-I) Tuesday said it has completed the creation of a
working group to address perhaps the greatest barrier in wholesale Web
services adoption — security.

The WS-I put the finishing touches on the Basic Security Profile Working
Group (BSPWG), which will develop an interoperability profile that addresses
transport security, SOAP messaging security and other
security considerations from the WS-I Basic Profile published last October.

ZapThink Senior Analyst Ronald Schmelzer discussed the significance of the

“While the Basic Profile was certainly important — if only to prove that
the WS-I was capable of releasing a profile that met their overall charter
objectives, it is the Security Profile that really starts to get to the
heart of interoperability issues,” he said. “Basically, there can be no Web
Services interoperability if the different end points make different
assumptions about how security will be handled. While there are certainly
enough Web Services security standards, it is up to the end user to figure
out how to piece these standards together in a way that provides real
security. The problem that end users face is that their particular
implementation might prevent interoperability with other Web Services
implementations they must interact with.”

It is true there are a number of working groups in such standards
organizations as the World Wide Web
and OASIS that
address Web services interoperability — for security, too. But the WS-I is
what some analysts see as the true link to the enterprise. ZapThink Senior Analyst Jason Bloomberg
calls WS-I an arbiter of “real-world” Web services interoperability; the
group consists of more than 170 member companies, with such giants as
Microsoft, IBM and, as of last
Sun as integral members.

“The work of this committee is on the critical path for many enterprises
looking to move toward Service-oriented architectures,” Bloomberg told

Seeds for the BSPWG were already planted some months ago, in the form of the interim security task force, known as the Basic Security Work Plan Working Group. Eve Maler, XML standards architect at Sun Microsystems, chaired that group. ZapThink’s Schmelzer said the fact that a representative from Sun is overseeing the work underscores the progress the WS-I made in working harmoniously toward the same end. Sun was not always considered for board member status.

“That is actually a positive sign in two major ways: Sun is being very
aggressive about Web Services and interoperability (and taking their role as
Board member to heart), and they realize that Security is the primary
roadblock to widespread Web Services adoption,” Schmelzer said.

While Schmelzer’s optimism about the potential boon the group may pose for
Web services interoperability was obvious, he offered a caveat: “…failure
here will spell problems for the effectiveness of future profile releases.”

The BSPWG intends the Basic Security Profile to be an extension to the WS-I Basic Profile 1.0, and it will refer to existing specifications used to provide security, as well as provide clarifications and guidance to promote
interoperability of those specifications. The BSPWG will also develop a set
of usage scenarios and their component message exchange patterns to guide
their work. A timeline for the deliverables will be determined in the next

News Around the Web