Microsoft, IBM and others unveil new security specs

The Web services security and identity management market got a bit more complicated last week as IBM, Microsoft, VeriSign and RSA Security jointly unveiled a new proposed specification. The WS-Federation spec is designed to standardize the way companies share user and machine identities among disparate authentication and authorization systems and across corporate boundaries.

The joint effort was revealed last week during the Burton Group's Catalyst conference (www.burtongroup.com) in San Francisco. Officials from the group said that they plan to submit the proposed spec to a standards body soon.

WS-Federation is actually the fifth specification published by Microsoft and IBM, which began working together on Web services security back in April 2002. In September, the two companies, along with 15 partners, submitted a security protocol called WS-Security to the OASIS standards organization. Since then, the companies have published other specifications -- WS-Policy, WS-Trust and WS-SecureConversation -- intended as part of an overall security framework.

The WS-Federation spec comprises three components: the Web Services Federation Language, which defines mechanisms used to enable identity, account, attribute, authentication and authorization federation across different trust realms; the Passive Requestor Profile, which describes how the cross-trust realm identity, authentication and authorization federation mechanisms can be utilized by passive requestors, such as Web browsers, to provide Identity Services; and the Active Requestor Profile, which defines how the cross-trust realm identity, authentication and authorization federation mechanisms are used by active requestors, such as SOAP-enabled applications.

Although few would argue against the need for Web services security and ID standards, the WS-Federation spec seems to cover territory already marked by Sun Microsystems and other companies supporting the Liberty Alliance Project. The Liberty Alliance comprises more than 170 companies, non-profit groups and government organizations. It was formed to develop and deploy open, federated network ID standards that support current and emerging network devices. The emergence of overlapping specifications is likely to complicate the process of establishing true standards for Web services security and identification, analysts say.

For its part, the Liberty Alliance last week released a set of guidelines designed to further the adoption of federated identity. The Liberty Alliance Business Guidelines define four major requirements the alliance believes businesses must consider in the context of identity federation, including mutual confidence, risk management, liability assessment and compliance. The complete guidelines are available from the Liberty Alliance Web site at www.projectliberty.org.

About the Author

John K. Waters is a freelance writer based in Silicon Valley.