Leading Web-Services Vendors Propose Specs For Security And Policy

Leading Web-services vendors, including Microsoft, IBM, and BEA Systems, have introduced a set of proposed standards for security and policy for Web services.

The companies, also including RSA Security, SAP, and VeriSign, on Wednesday introduced six specifications built on the Simple Object Access Protocol.

WS-Trust describes a framework for managing trust relationships between enterprises. WS-SecureConversation describes technology for setting the context for exchanging multiple messages without having to reauthenticate each time. WS-SecurityPolicy provides standards for setting security policies for services. These standards were authored by IBM, Microsoft, RSA, and VeriSign.

Additionally, WS-Policy sets specifications for senders and receivers of a Web service to communicate requirements and capabilities to search for and discover information needed to access the service. WS-PolicyAttachment provides specifications for attaching requirement and capability statements to Web services, and WS-PolicyAssertions describes policies that can be affiliated with a service.

The standards are based on the Web Services Security road map that Microsoft and IBM developed in April to help companies share information securely.

Important specifications still being developed include WS-Federation, which provides a means of describing the trust relationship between organizations, and WS-Privacy, which sets specifications for privacy policies, says Gerry Gebel, an analyst with the Burton Group.

Sun Microsystems and Oracle were absent from development of the proposed specifications. Gebel says the two vendors' absence won't prove significant in the long run.

Says Gebel, "The way the authors are going about it, their plans are to submit to a standards organization where Sun, Oracle, Entrust, and everyone who's now out of the picture can work on standardizing the specification in a more open and organized framework."