IBM, Microsoft Publish Web Services Specs

Microsoft and IBM publish their previously outlined Web services specifications for conducting e-business.
Posted December 18, 2002

Clint Boulton

Some fruits of the Web services lovefest between Microsoft and IBM were unveiled Wednesday as the firms published previously promised Web services specifications to help businesses share information securely.

In conjunction with BEA Systems, RSA Security, SAP AG, and VeriSign, Microsoft and IBM said the publication of technical security specs and business policies represents the next step in bringing a detailed Web services model to the table.

The technical security specs, as outlined in the IBM and Microsoft co-authored "Security in a Web Services World," include: WS-Trust, which describes a framework for setting up trust relationships to make secure, interoperable Web services; WS-SecureConversation, which details a framework to establish a secure context for parties that want to exchange multiple messages; and WS-SecurityPolicy, which describes general security policies that can be associated with a service. These have all been written by IBM, Microsoft, RSA Security and VeriSign.

The second group, which consists of Web services business policies, includes: WS-Policy, which outlines a way for senders and receivers of Web services to communicate requirements and capabilities to find vital information; WS-PolicyAttachments, which provides a standard mechanism for attaching the requirement and capability statements to the Web service; and WS-PolicyAssertions, which describes policies that can be affiliated with a service. These have been authored by BEA, IBM, Microsoft and SAP.

ZapThink Senior Analyst Jason Bloomberg said there are no new tools, as these are initial versions of the specs for customers to offer feedback. Nor have the specs found a home in a standards body yet, although Bloomberg said OASIS remains the favorite.

However, Bloomberg noted that some of the details overlap with some of the aspects of the work done by the Liberty Alliance. He said that may be a sign that the Web Services Interoperability organization (WS-I) -- the umbrella organization under which Microsoft, IBM, and the others are developing their specifications -- may not be working with Liberty, despite the thaw in relations since Sun Microsystems -- which spearheaded Liberty's formation -- agreed to join WS-I.

"These specs overlap some of the work that the Liberty Alliance has been doing, which raised a red flag for me. SAP, VeriSign, and RSA are sponsors of the specs announced today as well as members of Liberty, so you'd think the two efforts would be working closely together, but apparently not," Bloomberg told "The WS-Security party line is that they hope Liberty will support these specs, and they're anxious to get feedback from Liberty. The Liberty Alliance may be waiting to see what the WS-Security group will come up with before moving forward with version 2 of their specs. So there may be some political hemming and hawing about the overlap between these new specs and Liberty's specs, but I'm sure it will all be worked out."

Liberty Alliance did not respond to requests seeking comment.

ZapThink sees security for Web services as a sticky issue until sufficient standards are meted out, but it could also pave the way for serious cash opportunities in the IT sector. The XML and Web services consultant expects the market for Web services security will hit $4.4 billion by 2006.
