Web Services Security wins final OASIS approval

Web Services Security, Version 1.0 (now called WS-Security 2004 or WSS for short) won final approval this week from OASIS, the Boston-based international standards consortium. The security standard for Web services was backed by major industry players, including IBM, Microsoft, Oracle, SAP, Novell, Sun Microsystems, BEA Systems, Computer Associates, Verisign, RSA Security and others.

It also won the endorsement of Gartner analyst Ray Wagner, who as part of the OASIS announcement said, "enterprises should adopt WSS formatting for all across-the-firewall Web service deployments, even in cases where no security needs have been identified. Gartner believes that WSS will be the standard for the majority of Web services, and committing to it now will allow enterprises to easily modify the security profile of deployed Web services in the future."

WSS was built on current XML security technologies, including XML Digital Signature, XML Encryption and X.509 Certificates, according to OASIS. It is designed to provide authentication and authorization for secure message exchange between Web services.

"WSS handles complex confidentiality and integrity for SOAP messages, providing a general-purpose mechanism for associating security tokens with message content," the OASIS announcement said. "Designed to be extensible, WSS supports multiple security token formats."

Microsoft's Chris Kaler, co-chair of the OASIS WSS Technical Committee, pointed out in the announcement that WSS will allow Web services applications to "share information regarding network access regardless of the underlying platform." He predicted that this will lead to "broader adoption of Web services."

His fellow WSS co-chair, IBM's Kelvin Lawrence, explained the importance of the open standard. "A client might provide one format for proof of identity and another format to verify their business certification. Using WSS, a system can authenticate the identity of a person connecting to several networks at once or pass data between two applications securely."

More information on the newly approved standard is available at http://www.oasis-open.org/committees/wss.

About the Author

Rich Seeley is Web Editor for Campus Technology.