Software firms thrash out Web services security standard

Software companies will meet this week to try to put their weight behind key security and interoperability standards in a bid to overcome user fears and encourage Web services adoption.

Almost 60 companies will gather in California to apply for membership in a new technical committee (TC) being formed by the Organisation for Advancement of Structured Information Standards (OASIS) to address the WS-Security specification, said Kelvin Lawrence, engineer at IBM and co-chair of the OASIS WS-Security TC.

This follows an announcement last week from the Liberty Alliance Project that 30 more companies had joined its ranks, boosting total membership to almost 100 companies. The alliance is seeking to develop open interoperable specifications for federated network identity.

OASIS members wanting to join the WS-Security technical committee this week include BEA Systems, Cisco Systems, Intel, IBM, Microsoft, Sun Microsystems, Entrust, IONA Technologies, Novell, VeriSign, Netegrity, Oblix, SAP, RSA Security, Baltimore Technologies, OpenNetwork Technologies, Systinet and Documentum.

Originally created by Microsoft, IBM, and VeriSign, WS-Security is a set of extensions to the Microsoft SOAP Web services standard. It provides a framework to construct secure Web services and offers support for multiple security tokens, trust formats, signature formats and encryption technologies.

These efforts come as businesses express mounting concern at Web Services security. A recent report from analyst group Forrester said Web services would remain hidden in the back office until they could offer multiple levels of authentication and encryption, centralised authorisation and auditing, seamless message signing, and the ability to meet the requirements of external authentication services.

IBM's Lawrence said three documents would be discussed at the inaugural WS-Security TC meeting, including the original WS-Security specification and a submission by the OASIS SAML TC to examine how SAML, a standard for passing authentication information between organisations, would use WS-Security.

The group will also discuss lessons learned during a Web services interoperability test between Microsoft .Net and IBM WebSphere servers at the XML Web Services One conference in Boston last week.

A few missing attributes of the specification were cited, specifically the absence of a time stamp.

Lawrence said working groups within OASIS would tackle areas such as security event management, intrusion detection, ID management, and vulnerability assessments once a working draft of WS-Security is on the table.
