The release marked another step in a broad plan the vendors outlined in April to address the security concerns many corporate users have raised about Web services, which can help disparate systems exchange data through XML-based messages sent via the Simple Object Access Protocol.
Analyst Jason Bloomberg of research firm ZapThink said the move would boost user confidence in launching Web services. The vendors driving the latest standards "are doing what they said they were going to do, and they are on track", he said.
The latest specifications focus on Web services security and policies. For example, a policy might be that one company accepts only Security Assertion Markup Language tokens for authentication, or that a Web service is available only to members of an airline's frequent-flier programme.
BEA Systems and RSA Security joined IBM, Microsoft and VeriSign in working out the latest specifications. Their collective efforts will now be subject to a public review and comment period.
After that, plans call for the specifications to be revised and submitted to a standards body, according to Karla Norsworthy, director of dynamic e-business technologies at IBM.
The vendors were expected eventually to support the standards in their products so corporate users would not have to implement any of the standards themselves directly.
"They shouldn't kill themselves on understanding the specs in detail," said Scott Collison, director of Web services marketing at Microsoft. "The main takeaway for them is that [they will have] advanced security capabilities. They will have control over policy."
"When they're trying to solve business integration problems within their enterprises or with partners, the fact that things are standards-based will make the integration time substantially shorter for them," said Norsworthy. "This is a real accelerator for being able to achieve that integration via Web services."
Norsworthy said IBM planned to build the infrastructure that supported the expressions of various policies into its WebSphere and Tivoli product lines. She added that the ultimate goal would be to allow one Web service to send its policies to another Web service and establish communication.
Similarly, the security specifications would help companies with disparate security infrastructures establish trust relationships and communicate.
Pierre Fricke, an analyst at DH Brown Associates, called Wednesday's announcement an "important progress point" and said he expected products supporting the standards to start emerging in the second half of 2003.
"People can deploy Web services today with existing infrastructure," Fricke said. "What these security initiatives do is lower the pain of interconnecting disparate security systems by producing a common standard."
The latest security specifications include the following:
- WS-Trust, which describes a framework for managing, establishing and assessing trust relationships so Web services can securely interoperate.
- WS-SecureConversation, which describes a framework to establish a secure context for parties that want to exchange multiple messages.
- WS-SecurityPolicy, which describes security policies that can be associated with a service.
Specifications designed to streamline the implementation of business policies in a Web services setting are as follows:
- WS-Policy, which describes how senders and receivers of Web services can communicate their requirements and capabilities.
- WS-PolicyAttachment, which aims to establish a standard way for attaching the requirement and capability statements to a Web service.
- WS-PolicyAssertions, which describes general polices that can be associated with a service.