IBM, Microsoft and VeriSign Release SOAP Security Spec.

A Matter of Trust

Today at Microsoft’s TechEd developer conference in New Orleans, IBM, Microsoft and VeriSign announced a new specification and roadmap for securing messages based on the Simple Object Access Protocol. The companies hope the effort will promote the use of more Web services technologies within enterprise organizations.

Currently available for download on the IBM, Microsoft and VeriSign Web sites, the new specification is called WS-Security. It has been released in conjunction with a new white paper, which documents a long-term plan for developing six additional security specifications around SOAP. The white paper, titled “Security in a Web Services World,” was written by IBM and Microsoft and outlines a plan for creating what the companies call “trusted Web services.”

Web services has been one of the technology industry’s hottest topics over the past year, as the concept revolves around interoperable computing standards that promise to solve many of the systems integration problems enterprises commonly face. So far, the Web services movement has spawned three widely accepted standards: SOAP; Universal Description, Discovery and Integration (UDDI); and Web Services Description Language (WSDL). But most enterprises remain reluctant to implement Web services in mission-critical environments, largely due to the lack of security features for SOAP.

Of the enterprises currently working with Web services, most are doing so to integrate disparate applications and systems inside the firewall. However, much of the appeal of Web services lies in its ability to foster external integration with business partners and customers.

Deborah Hess, a senior analyst with Gartner Inc., says security is key to the evolution of Web services. She says decisions need to be made on how to secure SOAP messages if a viable business model is to emerge around the technology.

“If you look at where the market for components was five or six years ago, that’s where Web services is now,” says Hess. “All of the technologies are in a really amorphous stage.”

With WS-Security, and the development of more standards on that foundation, IBM, Microsoft and VeriSign expect to resolve many of the concerns about the encryption and authentication of SOAP messages.

“That we were able to come together and agree on this specification, I think is a good sign that we’re going to get a fairly good amount of industry support,” says Bob Sutor, director of e-business strategy for IBM.

Marcie Vervin, director of enterprise services for VeriSign, says the feedback process for the specification is expected to be complete within the next three to four months, at which time WS-Security will be submitted to an independent standards body for review.

The other specifications indicated in the joint IBM, Microsoft white paper will address a variety of different security issues, particularly having to do with policy and authentication. Sutor says most of them should be ready for publication by year end.

WS-Security uses the W3C XML Signature specification (a W3C Recommendation since February 2002) and the XML Encryption specification, which was still working its way through the World Wide Web Consortium review process at the time of the announcement. It also brings together different parts of five other security specifications previously released by IBM and Microsoft. In fact, one of the specifications on which WS-Security is based was released by Microsoft late last year, also with the name WS-Security. “[WS-Security] unifies what we were experimenting with, with the other five specifications,” says Sutor.

The other specifications outlined in the IBM, Microsoft white paper include, on the policy end, WS-Policy, WS-Trust and WS-Privacy. WS-Policy will define how to express the capabilities and constraints of security policies. WS-Trust will describe the model for establishing both direct and brokered trust relationships (including third parties and intermediaries). And WS-Privacy will define how Web services state and implement privacy practices.

On the authentication end, the specifications are WS-Secure Conversation, WS-Federation and WS-Authorization. WS-Secure Conversation will describe how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys. WS-Federation will describe how to manage and broker trust relationships in a heterogeneous federated environment, including support for federated identities. And WS-Authorization will define how Web services manage authorization data and policies.

Sutor says he expects the policy specification to be published over the next few months, while the specs around authentication will take a bit longer to develop.

About the Author

Matt Migliore is a regular contributor to He focuses particularly on Microsoft .NET and other Web services technologies. Matt was the editor of several technology-related Web publications and electronic newsletters, including Web Services Report, ASP insights and MIDRANGE Systems.