Web services defined as big wigs move towards standards

Work is now officially underway by the World Wide Web Consortium to hammer out a formal framework for Web services.

In its first face-to-face meeting last week, the recently formed W3C Web Services Architecture Working Group began crafting a paper that will, among other things, describe what Web services are, the technologies needed for them, how they'll interact with each other, and how to address privacy and security. The paper is due out by the end of the year.

Eventually, when approved by the W3C, the architecture specified could be adopted by vendors of development tools, application servers, databases and packaged applications. For enterprise network shops, this should translate into Web services that are easier to create and that can easily work with each other.

Last week, some 60 representatives from more than 40 vendors and corporations met in person, after about two months of telephone conferences, which were designed to give the assembled working group a starting point for discussion. Corporate members include Boeing, ChevronTexaco, DaimlerChrysler Research and Technology, and W.W. Grainger. Vendors include BEA Systems, Compaq, Contivo, IBM, Intel, Microsoft, SAP, and Sun Microsystems.

Initially, the group is defining a Web service as an application identified by a URL that has an interface that can be defined, found, and used by XML-based objects, and that works directly with other similar applications using XML-based messages over Internet protocols.

An array of W3C groups are addressing various Web services technologies, such as XML, the Web Services Definition Language (WSDL) and Simple Object Access Protocol (SOAP), said Dave Hollander, CTO of data integration software maker Contivo and a member of the architecture group.

Meanwhile, Microsoft, IBM and VeriSign announced this week a joint effort to form new standards for addressing security concerns that many corporate users have raised about Web services.

Web services aim to help companies link their applications to the often disparate systems of their partners and customers through XML-based messages sent via the SOAP. But few companies have been rushing to build Web services, and one of their oft-cited concerns has been the lack of a solid security model.

Officials from Microsoft, IBM and VeriSign said they hope the new specification they have co-authored, called WS-Security, will serve as a starting point for tackling the problem. WS-Security in part calls for support of World Wide Web Consortium standards for XML message encryption and digital signatures. The specification also serves as the foundation for a broader road map of additional security standards that the vendors plan to work on with other industry participants.

"You have to start somewhere," said Bob Sutor, IBM's director for e-business standards strategy. "This is our intellectual contribution to get this started."

The road map published by IBM and Microsoft defines additional standards they intend to pursue and turn over to appropriate standards bodies at a later date. Those include WS-Policy, for defining capabilities and constraints in security policies; WS-Trust, for establishing direct and brokered relationships; WS-Privacy, for implementing privacy practices; WS-Secure Conversation, for managing and authenticating message exchanges; WS-Federation, for managing and brokering trust relationships in heterogeneous environments that use different security models; and WS-Authorisation, for defining how Web services manage authorisation data and policies.