Some fruits of the Web services lovefest between Microsoft
were unveiled Wednesday
as the firms published previously promised Web services specifications to
help businesses share information securely.
In conjunction with BEA Systems, RSA Security, SAP AG, and VeriSign,
Microsoft and IBM said the publication of technical security specs and
business policies represents the next step in bringing a detailed Web
services model to the table.
The technical security specs, as outlined in the IBM and Microsoft co-authored
“Security in a Web Services World,” include: WS-Trust, which describes a
framework for setting up trust relationships to make secure, interoperable
Web services; WS-SecureConversation, which details a framework to establish
a secure context for parties that want to exchange multiple messages; and
WS-SecurityPolicy, which describes general security policies that can be
associated with a service. These have all been written by IBM, Microsoft,
RSA Security and VeriSign.
The second group, which consists of Web services business policies, includes:
WS-Policy, which outlines a way for senders and receivers of Web services to
communicate requirements and capabilities to find vital information;
WS-PolicyAttachments, which provides a standard mechanism for attaching the
requirement and capability statements to the Web service; and
WS-PolicyAssertions, which describes policies that can be affiliated with a
service. These have been authored by BEA, IBM, Microsoft and SAP.
ZapThink Senior Analyst Jason
Bloomberg said there are no new tools, as these are initial versions of the
specs for customers to offer feedback. Nor have the specs found a home in a
standards body yet, although Bloomberg said OASIS remains the favorite.
noted that some of the details overlap with some of the aspects of the work done
by the Liberty Alliance. He said that may be a sign that the Web Services Interoperability organization (WS-I) — the umbrella organization under which Microsoft, IBM, and the others are developing their specifications — may not be working with Liberty, despite the thaw in relations since Sun Microsystems
— which spearheaded Liberty’s formation — agreed to join WS-I.
“These specs overlap some of the work that the Liberty Alliance has been
doing, which raised a red flag for me. SAP, VeriSign, and RSA are sponsors
of the specs announced today as well as members of Liberty, so you’d think
the two efforts would be working closely together, but apparently not,”
Bloomberg told internetnews.com. “The WS-Security party line is that
they hope Liberty will support these specs, and they’re anxious to get
feedback from Liberty. The Liberty Alliance may be waiting to see what the
WS-Security group will come up with before moving forward with version 2 of
specs. So there may be some political hemming and hawing about the overlap
between these new specs and Liberty’s specs, but I’m sure it will all be
Liberty Alliance did not respond to requests seeking comment.
ZapThink sees security for Web services as a sticky issue until sufficient standards are meted out, but it could also pave the way for serious cash opportunities in the IT sector. The XML and Web services consultant expects the market for Web services security will hit $4.4 billion by 2006.