WS-Policy has been submitted to the World Wide Web Consortium (W3C) for formal approval as a standard after its developers filled a hole in the spec that made companies reluctant to write to it.
The move should open the floodgates for Web services security specifications that have been held up by the omission.
WS-Policy was introduced in 2002 by IBM, Microsoft, BEA Systems and others as a means for Web service These requirements include security constraints, protocol support and message encoding information. A number of specs are dependent on WS-Policy, including WS-Trust, WS-SecureConversation, WS-ReliableMessaging and WS-Transactions, all of which have been submitted to standards bodies for official approval. For example, WS-Policy allows users to express policy assertions through assertion languages like WS-SecurityPolicy and WS-ReliableMessaging. It’s possible to mix and match the policies. But WS-Policy was not approved by the W3C because it lacked a definition for how to execute “nested policies.” This omission caused a delay in standards development because no one wanted to write for a spec still in flux. Nested policies enables a policy to have one or more policy within it. A clear definition of how to do nested policies had to be added to WS-Policy, which was thought to be ready for submission to the W3C last year. The delay, while annoying, was worth it, according to Anne Thomas Manes, research director with The Burton Group. “I’m annoyed it took so long to come up with this final revision, but it was worth the wait,” Manes said. “This was the biggest hole in the Web services framework. You need policy to have interoperability configuration and discoverable enforcement.” Manes said the delay was “absolutely” holding up development. Only around a dozen companies have built applications with support for WS-Policy, but the rest were not willing to work with an unfinished standard until it moved into a standards body.
