IBM, Microsoft develop Web services security protocol

IBM and Microsoft are set to turn over to a standards body a key set of Web services security specifications they have been developing for establishing trust and exchanging data between partners.

In September, the pair will submit WS-Trust, WS-SecureConversation and WS-SecurityPolicy to the Organization for the Advancement of Structured Information Standards (OASIS), which will create a technical committee to develop the specifications into a standard. The two made the official announcement Thursday at the annual Burton Group Catalyst conference.

The most significant specification of the trio is WS-Trust, which establishes a single path for moving security information and security tokens of all kinds between partners, including Kerberos, X.509, the Security Assertion Markup Language (SAML) and any others.

"This is major progress for interoperability," says Jamie Lewis, president of the Burton Group. "WS-Trust is a general-purpose token exchange protocol and a significant piece of the puzzle for an interoperable infrastructure to exchange security information of all kinds."

Lewis says WS-Trust can be used to exchange authentication and federation assertions and could be used in provisioning systems.

WS-Trust also is an important element in Microsoft's model of a standards-based distributed identity infrastructure it calls the Identity Metasystem, which it introduced in May. WS-Trust also is the cornerstone for InfoCard, an interface into user identity information Microsoft is building into its Longhorn operating system.

The specifications are part of the set of protocols that fall under the WS-Security or so-called WS-* (pronounced "WS-Star") family of protocols that Microsoft and IBM began developing in 2002. Slowly the protocols have been transferred to standards bodies, including OASIS and the W3C.

Two significant protocols still remain to be turned over, WS-Federation and WS-Policy.

Microsoft and IBM say that will happen but have yet to provide a timetable. The two have been under significant pressure from end users and industry experts to submit the remaining specifications to help quicken the pace of standardizing the infrastructure for securing Web services.

WS-Policy appears to be the next protocol that will be submitted. Last October, IBM and Microsoft presented a workshop on WS-Policy to the W3C. The prime motivating factor, however, is that Microsoft relies on WS-Policy for its InfoCard technology.

And while Microsoft is preaching that InfoCard, which is approaching its first beta release this fall, will be a standards-based system, WS-Policy remains the only significant protocol that is not in a standards body.

"WS-Policy will be in a standards organization by the end of the year," says Anne Thomas Manes, research director for the Burton Group. Microsoft officials would not comment on plans for WS-Policy.

In the meantime, the three specs that are headed for standardization will help round out the Web services security infrastructure.

"The specifications are well written and I don't see much work that needs to be done," says Tony Nadalin, the co-author of WS-Trust and IBM's chief security architect. He says, however, the OASIS standardization process likely means the three specifications won't be finalized as standards for 18 months.

While WS-Trust supports the requesting and issuing of security tokens to establish trust between or among partners, WS-SecureConversation provides extensions to WS-Trust and WS-Security that secure communication across multiple Web services messages. WS-SecurityPolicy works in conjunction with WS-Policy and defines general security policy assertions that apply to other WS-Security protocols such as Simple Object Access Protocol messages, WS-Trust and WS-SecureConversation.

IBM and Microsoft co-authored WS-SecurityPolicy along with RSA Security and VeriSign. WS-Trust and WS-SecureConversation include co-authors Actional, BEA Systems, Computer Associates, Layer 7 Technology, OpenNetwork Technologies/BMC, Oracle, Ping Identity, Reactivity, RSA Security and VeriSign.
