Wait for security before building Web services

Before building sophisticated Web services users should wait for the Web Services Security specification to be finalised, according to the specification's co-author.

IBM, Microsoft and VeriSign announced the WS-Security specification in April. It was then passed to the Organization for the Advancement of Structured Information Standards (OASIS). A technical committee working to advance WS-Security will hold its first face-to-face meeting later this week.

Phillip Hallam-Baker, principal scientist at VeriSign, has been helping to develop the WS-Security Web services security standard. His advice to anyone considering building Web services across the Net is to wait: he says it is likely to take between six months and two years to nail down the WS-Security specification that he helped to write.

What is needed before users can start building sophisticated Web services that traverse firewalls?
Hallam-Baker: At the moment, you can use Secure Sockets Layer that provides security. However, SSL limits the type of Web-service-type applications you can run to an incredible degree. So Web services security will be a key enabler. We really need a way of expressing what the security contexts are in terms of WSDL (Web Services Description Language).

Why is the security context significant for Web services?
Hallam-Baker: Knowing that a service supports authentication is very important because otherwise what can happen is you ask a question to the service, and the man in the middle takes the response back and takes all of the authentication information. It just says, "oh, by the way, I don't do authentication". So you then say, "if you don't authenticate, I'll just do it the old way". This is called a downgrade attack and it is a problem when you have secure systems and insecure systems cooperating together. People can always downgrade you to the insecure.

Is someone working on this issue?
Hallam-Baker: There are people who are looking at WSDL. Nobody has put a proposal out there in public yet. I think you will see that as soon as you've got WS-Security started.

Are Web services getting too complicated for the average IT shop to do?
Hallam-Baker: I believe that what you will see is we will do an incredible amount of stuff with it. People will save a significant amount of money. And yes, there are going to be problems that will need a different approach.

If, however, we can get 80% of our supply chain integration problems solved and the 20% remaining are the even harder problems, well, we'll have another round. It's like painting the Golden Gate Bridge. As soon as painting is completed at one end it is time to start again at the beginning. However, you can still use the Golden Gate Bridge even though painting needs doing at the other end. With Web services, we don't need a 100% solution but we have got a very good 80% to 90% solution.
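The downgrade attack Hallam-Baker describes, and the defence he is asking for (a client that knows in advance what security context a service must support), can be shown with a small model. The following is an added illustration, not code from the interview, from VeriSign, or from any WS-Security implementation: the service description is a toy dictionary standing in for the WSDL security context, the endpoint is a placeholder, and the `pinned_security` policy is an assumed client-side configuration.

```python
"""Toy model of the WSDL security-context downgrade attack and a client-side pin.

Constructed example: the "description" dicts stand in for a WSDL document with
a security context attached; nothing here parses real WSDL or WS-Security.
"""
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional


class DowngradeDetected(Exception):
    """Raised when the advertised security context is weaker than the pinned one."""


# Constructed sample: what the genuine service publishes about itself.
GENUINE_DESCRIPTION = {
    "service": "OrderService",
    "endpoint": "https://orders.example.invalid/soap",  # placeholder host
    "security": {"authentication": "ws-security-token", "signing": True},
}


def strip_security(description: dict) -> dict:
    """Model the man in the middle: return a copy whose description now claims
    'I don't do authentication'. The client's own network is untouched; only
    the metadata it reads has been altered."""
    tampered = deepcopy(description)
    tampered["security"] = {}
    return tampered


@dataclass
class Client:
    """A client that reads a service description before sending a request.

    pinned_security is None for the naive client that believes whatever the
    description says, or a dict of the minimum context the service MUST offer
    (assumed to come from the client's own configuration, not from the wire).
    """
    pinned_security: Optional[dict] = None

    def negotiate(self, description: dict) -> str:
        advertised = description.get("security") or {}
        if self.pinned_security is not None:
            # Hardened path: every pinned requirement must be met exactly.
            for key, expected in self.pinned_security.items():
                if advertised.get(key) != expected:
                    raise DowngradeDetected(
                        f"{key}: expected {expected!r}, got {advertised.get(key)!r}"
                    )
        if advertised.get("authentication"):
            return "authenticated"
        # "If you don't authenticate, I'll just do it the old way."
        return "plaintext"


def run_scenarios() -> dict:
    """Exercise naive and pinning clients against genuine and tampered descriptions."""
    naive = Client()
    pinning = Client(pinned_security={"authentication": "ws-security-token", "signing": True})
    tampered = strip_security(GENUINE_DESCRIPTION)

    results = {
        "naive/genuine": naive.negotiate(GENUINE_DESCRIPTION),
        "naive/tampered": naive.negotiate(tampered),      # silently downgraded
        "pinning/genuine": pinning.negotiate(GENUINE_DESCRIPTION),
    }
    try:
        pinning.negotiate(tampered)
        results["pinning/tampered"] = "accepted"
    except DowngradeDetected as exc:
        results["pinning/tampered"] = f"rejected ({exc})"
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:18s} -> {outcome}")
```

The point of the model is where the expectation lives: the naive client learns the security context from the same channel an attacker can rewrite, so a stripped description looks like a legitimate "no authentication" service; the pinning client compares the advertised context against a policy it obtained out of band and refuses to fall back, which is the property a WSDL-level security-context declaration only delivers once clients treat it as a requirement rather than a hint.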