Menu
IBM, Microsoft develop Web services security protocol

IBM, Microsoft develop Web services security protocol

IBM and Microsoft are set to turn over to a standards body a key set of Web services security specifications they have been developing for establishing trust and exchanging data between partners.

In September, the pair will submit WS-Trust, WS-SecureConversation and WS-SecurityPolicy to the Organization for the Advancement of Structured Information Standards (OASIS), which will create a technical committee to develop the specifications into a standard. The two made the official announcement Thursday at the annual Burton Group Catalyst conference.

The most significant specification of the trio is WS-Trust, which establishes a single path for moving between partners security information and security tokens of all kinds, including Kerberos, X.509, the Security Assertion Markup Language (SAML) and any others.

"This is major progress for interoperability," says Jamie Lewis, president of the Burton Group. "WS-Trust is a general-purpose token exchange protocol and a significant piece of the puzzle for an interoperable infrastructure to exchange security information of all kinds."

Lewis says WS-Trust can be used to exchange authentication and federation assertions and could be used in provisioning systems.

WS-Trust also is an important element in Microsoft's model of a standards-based distributed identity infrastructure it calls the Identity Metasystem, which it introduced in May. WS-Trust also is the cornerstone for InfoCard, an interface into user identity information Microsoft is building into its Longhorn operating system.

The specifications are part of the set of protocols that fall under the WS-Security or so-called WS-* (pronounced "WS-Star") family of protocols that Microsoft and IBM began developing in 2002. Slowly the protocols have been transferred to standards bodies, including OASIS and the W3C.

Two significant protocols still remain to be turned over, WS-Federation and WS-Policy.

Microsoft and IBM say that will happen but have yet to provide a timetable. The two have been under significant pressure from end users and industry experts to submit the remaining specifications to help quicken the pace of standardizing the infrastructure for securing Web services.

WS-Policy appears to be the next protocol that will be submitted. Last October, IBM and Microsoft presented a workshop on WS-Policy to the W3C. The prime motivating factor, however, is that Microsoft relies on WS-Policy for its InfoCard technology.

And while Microsoft is preaching that InfoCard, which is approaching its first beta release this fall, will be a standards-based system, WS-Policy remains the only significant protocol that is not in a standards body.

"WS-Policy will be in a standards organization by the end of the year," says Anne Thomas Manes, research director for the Burton Group. Microsoft officials would not comment on plans for WS-Policy.

In the meantime, the three specs that are headed for standardization will help round out the Web services security infrastructure.

"The specifications are well written and I don't see much work that needs to be done," says Tony Nadalin, the co-author of WS-Trust and IBM's chief security architect. He says, however, the OASIS standardization process likely means the three specifications won't be finalized as standards for 18 months.

While WS-Trust supports the requesting and issuing of security tokens to establish trust between or among partners, WS-SecureConversation provides extensions to WS-Trust and WS-Security that secure communication across multiple Web services messages. WS-SecurityPolicy works in conjunction with WS-Policy and defines general security policy assertions that apply to other WS-Security protocols such as Simple Object Access Protocol messages, WS-Trust and WS-SecureConversation.

IBM and Microsoft co-authored WS-SecurityPolicy along with RSA Security and VeriSign. WS-Trust and WS-SecureConversation include co-authors Actional, BEA Systems, Computer Associates, Layer 7 Technology, OpenNetwork Technologies/BMC, Oracle, Ping Identity, Reactivity, RSA Security and VeriSign.

Follow Us

Join the ARN newsletter!

Error: Please check your email address.

Slideshows

IN PICTURES: Mitel A/NZ Channel event Sydney (+23 photos)

IN PICTURES: Mitel A/NZ Channel event Sydney (+23 photos)

Unified communications company, Mitel, invited its top 30 partners in A/NZ to the Intercontinental Hotel in Sydney’s Double Bay. This is the first time the broader A/NZ Mitel channel community have been together since the company re-branding back in October 2014, post Aastra acquisition. ARN received an invite to join attendees for drinks and canapés on the hotel rooftop as Mitel and its partners toasted their recent success.

IN PICTURES: Mitel A/NZ Channel event Sydney (+23 photos)
IN PICTURES: ARN Emerging Leaders Think Tank, Sydney (+40 photos)

IN PICTURES: ARN Emerging Leaders Think Tank, Sydney (+40 photos)

Twenty-one industry leaders came together with ARN staff for an Emerging Leaders Think Tank, held at The Bottle Shop in Sydney​. The aim of the planning session was to develop a compelling program for high potential leaders in the Australian ICT industry.​ Over two hours of strong debate a core line of thought evolved which will form the basis of the Emerging Leaders Forum to be held on May 17 in Sydney. Photos by MARIA STEFINA.

IN PICTURES: ARN Emerging Leaders Think Tank, Sydney (+40 photos)

iasset.com is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments