Microsoft, IBM and Verisign have taken the first step toward securing
Web services by devising a way to add integrity and confidentiality
checking capabilities to upcoming Web services applications.

The jointly developed specification, called WS-Security, defines a
set of SOAP (Simple Object Access Protocol) extensions and
describes how to exchange secure and signed messages in a
Web-services environment, providing a foundation for Web-services
security, Microsoft, IBM and Verisign said in a joint
statement.

Web services are software applications or components linked
together over the Internet using a standards-based approach. SOAP,
itself based on XML (Extensible Markup Language), is one of the
protocols enabling this.

Microsoft, IBM and Verisign said the WS-Security specification will
be submitted to a standards body. No submission plan or date was
provided.

Microsoft and IBM added that they plan to develop a range of
security specifications for Web services together with key
customers, partners and standards organisations such as the World
Wide Web Consortium (W3C) and the Internet Engineering Task Force.

Six of the other proposed specifications are WS-Policy, WS-Trust,
WS-Privacy, WS-Secure Conversation, WS-Federation and
WS-Authorisation. These proposed specifications can be grouped into
two categories, with the first three dealing with defining security
policies, establishing trust relationships and implementing privacy
policies, and the last three handling the sending and receiving of
messages between Web services.

Once the specification gains an official stamp from a standards
body, Microsoft, IBM and Verisign expect implementations from
multiple vendors. The
Web-services security model should enable businesses to develop
secure and interoperable Web services, the three companies said.

The security initiative is not the first joint Web-services
initiative involving Microsoft and IBM. In February the pair were
part of a group that formed the Web Services Interoperability
Organisation, a consortium with the goal of ensuring that vendors
developing products for Web services implement the most commonly
used standards in the same way.