Web services security specs hit the standards track

By Michael Meehan, News Writer
27 Oct 2005 | SearchWebServices.com

After years of development, three key Web services security standards have finally made their way into the OASIS standards body, paving the way for master security policies and shared credentials in the service-oriented world.

The first meeting of the OASIS Web Services Secure Exchange (WS-SX) Technical Committee is set for early December, and the WS-Trust, WS-SecureConversation and WS-SecurityPolicy specifications will be up for review. Kelvin Lawrence, chief technology officer for emerging Internet software standards for IBM, will co-chair the committee after having shepherded the specifications through their early development.

"Once you begin to share credentials and engage in extended conversations, it gets you that next step toward being more dynamic," he said.

No specific timetable has been set for when the specifications will be ratified, but Lawrence noted the initial WS-Security standard took 18 months to make the journey from submission to standard.

"And that was fairly fast," he said.

WS-Trust establishes an XML syntax for managing credentials across secure domains. WS-SecureConversation will allow people to enter into multiple-message conversations without having to go back to square one on the security checklist with each new message. WS-SecurityPolicy defines a general set of overarching security policies that can be associated with a Web service.

"The fact that we're getting them into the official standards process is enormously encouraging," said Andrew Nash, chief technology officer at Reactivity Inc., who co-authored the specifications. "This is critical infrastructure for Web services and service-oriented architectures."

In advance of the standards, Reactivity recently released an XML security gateway that performs some of the identity mapping between different credential formats that eventually will become the domain of WS-Trust. Lawrence said that he expects IBM's Tivoli and WebSphere product lines to feature some of the WS-SX functionality in advance of full ratification as well.

"We're trying to get stuff out so that people can use it," he said.

Miko Matsumura, vice president for technology standards at Infravio Inc., noted that customer demand for secure Web services tools has risen to the level where vendors have to get ahead of the standards work.

"It's kind of scary because people are trying to figure out how to build this infrastructure and the textbook's being written right now," he said. "It doesn't exist yet."

However, vendors are building to the proposed specifications, which have been up on IBM's developerWorks site for quite some time, and that should minimize the amount of proprietary technology inside current toolsets. Ultimately, the goal of the WS-SX standards is to create a universal security system that can be linked to Web services and changed without having to change the code of the services themselves.

"You're trying to make the runtime environment even smarter," Matsumura said.

He added that these specifications should not be viewed as new technology that customers will have to learn in order to build an SOA.

"End users should only see these things as ingredients of products they will buy," Matsumura said. "They should never have to work with all these specifications themselves."

The main specification still missing from the WS-SX grouping is WS-Federation, which will provide security across multiple domains that do not share a single identity manager. Lawrence has estimated that standard won't start its standards body life for another year, but Nash would like to see it enter sooner.

"It becomes harder and harder to deal with federation the longer it stays out of the standards bodies," he said. "Ideally this would be worked in with the other standards."


This story also appears at SearchWebServices.com, part of the TechTarget network.
