EDGE 2015 is starting in

Find out more EDGE 2015
IBM, Microsoft develop Web services security protocol

IBM, Microsoft develop Web services security protocol

IBM and Microsoft are set to turn over to a standards body a key set of Web services security specifications they have been developing for establishing trust and exchanging data between partners.

In September, the pair will submit WS-Trust, WS-SecureConversation and WS-SecurityPolicy to the Organization for the Advancement of Structured Information Standards (OASIS), which will create a technical committee to develop the specifications into a standard. The two made the official announcement Thursday at the annual Burton Group Catalyst conference.

The most significant specification of the trio is WS-Trust, which establishes a single path for moving between partners security information and security tokens of all kinds, including Kerberos, X.509, the Security Assertion Markup Language (SAML) and any others.

"This is major progress for interoperability," says Jamie Lewis, president of the Burton Group. "WS-Trust is a general-purpose token exchange protocol and a significant piece of the puzzle for an interoperable infrastructure to exchange security information of all kinds."

Lewis says WS-Trust can be used to exchange authentication and federation assertions and could be used in provisioning systems.

WS-Trust also is an important element in Microsoft's model of a standards-based distributed identity infrastructure it calls the Identity Metasystem, which it introduced in May. WS-Trust also is the cornerstone for InfoCard, an interface into user identity information Microsoft is building into its Longhorn operating system.

The specifications are part of the set of protocols that fall under the WS-Security or so-called WS-* (pronounced "WS-Star") family of protocols that Microsoft and IBM began developing in 2002. Slowly the protocols have been transferred to standards bodies, including OASIS and the W3C.

Two significant protocols still remain to be turned over, WS-Federation and WS-Policy.

Microsoft and IBM say that will happen but have yet to provide a timetable. The two have been under significant pressure from end users and industry experts to submit the remaining specifications to help quicken the pace of standardizing the infrastructure for securing Web services.

WS-Policy appears to be the next protocol that will be submitted. Last October, IBM and Microsoft presented a workshop on WS-Policy to the W3C. The prime motivating factor, however, is that Microsoft relies on WS-Policy for its InfoCard technology.

And while Microsoft is preaching that InfoCard, which is approaching its first beta release this fall, will be a standards-based system, WS-Policy remains the only significant protocol that is not in a standards body.

"WS-Policy will be in a standards organization by the end of the year," says Anne Thomas Manes, research director for the Burton Group. Microsoft officials would not comment on plans for WS-Policy.

In the meantime, the three specs that are headed for standardization will help round out the Web services security infrastructure.

"The specifications are well written and I don't see much work that needs to be done," says Tony Nadalin, the co-author of WS-Trust and IBM's chief security architect. He says, however, the OASIS standardization process likely means the three specifications won't be finalized as standards for 18 months.

While WS-Trust supports the requesting and issuing of security tokens to establish trust between or among partners, WS-SecureConversation provides extensions to WS-Trust and WS-Security that secure communication across multiple Web services messages. WS-SecurityPolicy works in conjunction with WS-Policy and defines general security policy assertions that apply to other WS-Security protocols such as Simple Object Access Protocol messages, WS-Trust and WS-SecureConversation.

IBM and Microsoft co-authored WS-SecurityPolicy along with RSA Security and VeriSign. WS-Trust and WS-SecureConversation include co-authors Actional, BEA Systems, Computer Associates, Layer 7 Technology, OpenNetwork Technologies/BMC, Oracle, Ping Identity, Reactivity, RSA Security and VeriSign.

EDGE 2015:: For all the latest on EDGE 2015 including the keynote speakers visit the EDGE mini-site now

Follow Us

Join the ARN newsletter!

Error: Please check your email address.



In Pictures: 7 things we hate about Twitter

In Pictures: 7 things we hate about Twitter

You probably either love Twitter for its quirkiness and brevity or see it as a pointless waste of time. After nearly a decade on the social scene, Twitter still needs to improve its user experience and fill in notable gaps in the service. These seven problems are long overdue for a fix.

In Pictures: 7 things we hate about Twitter
IN PICTURES: EDGE 2015 - Sponsor Briefing

IN PICTURES: EDGE 2015 - Sponsor Briefing

With EDGE 2015 rapidly approaching, ARN and Reseller News NZ held a Sponsors Briefing where ARN publisher and president, Susan Searle, and Events Manager, Alexandra West, ran through the considerable logistics in detail. Attendees then enjoyed some splendid canapes and drinks. EDGE is designed to bring the A/NZ channel together in a collaborative and educational environment. Themed around channel channel leadership, EDGE will be held at the Sheraton Mirage, Port Douglas, July 20-23. Photos by MIKE GEE.

IN PICTURES: EDGE 2015 - Sponsor Briefing
In Pictures: Robots that cook, clean, sing and dance

In Pictures: Robots that cook, clean, sing and dance

Cooking, learning language and doing the laundry are a few of the human skills demonstrated by.real humanoid bots featured in the National Geographic movie Robots.

In Pictures: Robots that cook, clean, sing and dance

iasset.com is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments