IBM, Microsoft develop Web services security protocol

IBM and Microsoft are set to turn over to a standards body a key set of Web services security specifications they have been developing for establishing trust and exchanging data between partners.

In September, the pair will submit WS-Trust, WS-SecureConversation and WS-SecurityPolicy to the Organization for the Advancement of Structured Information Standards (OASIS), which will create a technical committee to develop the specifications into a standard. The two made the official announcement Thursday at the annual Burton Group Catalyst conference.

The most significant specification of the trio is WS-Trust, which establishes a single path for moving between partners security information and security tokens of all kinds, including Kerberos, X.509, the Security Assertion Markup Language (SAML) and any others.

"This is major progress for interoperability," says Jamie Lewis, president of the Burton Group. "WS-Trust is a general-purpose token exchange protocol and a significant piece of the puzzle for an interoperable infrastructure to exchange security information of all kinds."

Lewis says WS-Trust can be used to exchange authentication and federation assertions and could be used in provisioning systems.

WS-Trust also is an important element in Microsoft's model of a standards-based distributed identity infrastructure it calls the Identity Metasystem, which it introduced in May. WS-Trust also is the cornerstone for InfoCard, an interface into user identity information Microsoft is building into its Longhorn operating system.

The specifications are part of the set of protocols that fall under the WS-Security or so-called WS-* (pronounced "WS-Star") family of protocols that Microsoft and IBM began developing in 2002. Slowly the protocols have been transferred to standards bodies, including OASIS and the W3C.

Two significant protocols still remain to be turned over, WS-Federation and WS-Policy.

Microsoft and IBM say that will happen but have yet to provide a timetable. The two have been under significant pressure from end users and industry experts to submit the remaining specifications to help quicken the pace of standardizing the infrastructure for securing Web services.

WS-Policy appears to be the next protocol that will be submitted. Last October, IBM and Microsoft presented a workshop on WS-Policy to the W3C. The prime motivating factor, however, is that Microsoft relies on WS-Policy for its InfoCard technology.

And while Microsoft is preaching that InfoCard, which is approaching its first beta release this fall, will be a standards-based system, WS-Policy remains the only significant protocol that is not in a standards body.

"WS-Policy will be in a standards organization by the end of the year," says Anne Thomas Manes, research director for the Burton Group. Microsoft officials would not comment on plans for WS-Policy.

In the meantime, the three specs that are headed for standardization will help round out the Web services security infrastructure.

"The specifications are well written and I don't see much work that needs to be done," says Tony Nadalin, the co-author of WS-Trust and IBM's chief security architect. He says, however, the OASIS standardization process likely means the three specifications won't be finalized as standards for 18 months.

While WS-Trust supports the requesting and issuing of security tokens to establish trust between or among partners, WS-SecureConversation provides extensions to WS-Trust and WS-Security that secure communication across multiple Web services messages. WS-SecurityPolicy works in conjunction with WS-Policy and defines general security policy assertions that apply to other WS-Security protocols such as Simple Object Access Protocol messages, WS-Trust and WS-SecureConversation.

IBM and Microsoft co-authored WS-SecurityPolicy along with RSA Security and VeriSign. WS-Trust and WS-SecureConversation include co-authors Actional, BEA Systems, Computer Associates, Layer 7 Technology, OpenNetwork Technologies/BMC, Oracle, Ping Identity, Reactivity, RSA Security and VeriSign.

2015 State of The IT Channel Survey : IT'S TIME!!! Fill in this year's State of the IT Channel Survey and be in the running to win great prizes. CLICK HERE

Join the ARN newsletter!

Error: Please check your email address.

More about ActionalBEABEA SystemsBMC Software AustraliaBurton GroupCA TechnologiesCornerstoneIBM AustraliaMicrosoftOpenNetworkOpenNetwork TechnologiesOracleOrganization for the Advancement of Structured Information StandardsQuickenRSARSA, The Security Division of EMCVeriSign AustraliaW3C

ARN Directory | Distributors relevant to this article

ARN Directory | Vendors relevant to this article

 

Latest News

Feb 27
Bulletproof revenues up 46 per cent, AWS plays significant role
Feb 27
NEXTDC wins worldwide award for design excellence
Feb 27
Multimedia-savvy HTC phablet launches in Australia, from $499
Feb 27
The changing face of the datacentre
More News
04 Mar
2015 International Women's Day Melbourne Luncheon
25 Mar
2015 International Women's Day Sydney Luncheon
26 Mar
Navigating the Internet of Things Summit
26 Mar
Navigating the Internet of Things Summit
View all events