News

WS-I Security Spec set for public comment

• By John K. Waters
• May 24, 2004

The Web Services Interoperability (WS-I) Organization has released the working-group draft of its Basic Security Profile for public comment, the group announced last week. The Basic Security Profile focuses on delineating guidelines for key aspects of WS-Security, a core security specification that enables interoperability between other Web services security standards and security protocols that was ratified as a standard by OASIS in April. When final, the Basic Security Profile will serve as a guide for the use of Web services security standards and technologies in the development of interoperable Web services.

The security profile is part of the WS-I's I Basic Profile, which specifies the standards and technologies required for interoperability between Web services implementations running on different software and operating system platforms. The group released the Basic Profile in August of last year, along with sample applications and testing tools, and now it is 'moving up the stack,' explained WS-I board member Andy Astor, VP of strategic solutions at webMethods.

'The Basic Profile gives the market the ability to develop and buy Web services with confidence that they will interoperate,' Astor told eADT. 'But there currently is no guarantee, or even an expectation of interoperability, of the security aspects of those services. Consequently, there's a limitation as to how mission-critical their capabilities will be. By adding security, we are beginning to move up the stack from Basic Profile through the various components that are going to get us to industrial-strength Web services.'

The Basic Security Profile lays out a set of interoperability guidelines primarily for two technologies: HTTP over TLS, and SOAP Message Security. HTTP over TLS is a point-to-point technology that protects the confidentiality of all information that flows over an HTTP connection. SOAP Message Security provides security protection for SOAP messages and applies even when a message passes through several intermediary waypoints, allowing differing levels of protection for selected portions of a message. The Basic Security Profile describes a way to apply SOAP Message Security to attachments.

The WS-I made the announcement at the Gartner Application Integration and Web Services Summit last week in Los Angeles. The public feedback phase of the group's process is critical, Astor said.

'WS-I is a member-driven organization,' he explained. 'We work on the things that our members say are the most important. But we are also very much driven by the marketplace. Any spec we say is final is not just vetted by our membership, but also by the market in general. And there are a lot of companies out there that have chosen not to become members that are still very interested in Web services standards. By giving them the opportunity to provide feedback, it'll just be a better spec.'

The WS-I Basic Security Profile Working Group Draft can be reviewed at http://www.ws-i.org, and feedback may be submitted to mailto:[email protected] .