Web Services Secure Exchange (WS-SX)
OASIS Members Form Committee to Advance Standards for Web Services Secure Exchange (WS-SX)
Actional, Adobe, Amberpoint, BMC Software, BEA Systems, Computer Associates, DataPower, Forum Systems, HP, IBM, Infravio, IONA, Microsoft, Nokia, Novell, Oracle, Reactivity, Ricoh, Sarvega, SAP, SOA Software, Sonic Software, Systinet, TIBCO, VeriSign, webMethods, and Others Refine WS-Conversation, WS-SecurityPolicy, and WS-Trust
Boston, MA, USA. October 26, 2005.
Members of the OASIS international standards consortium announced plans to define extensions to the WS-Security OASIS Standard that will enable the trusted exchange of multiple SOAP messages and will define security policies that govern the formats and tokens of those messages. The new OASIS Web Services Secure Exchange (WS-SX) Technical Committee brings together users and vendors in an open process to refine and finalize a set of specifications based on three initial contributions, WS-SecureConversation, WS-SecurityPolicy and WS-Trust. Other contributions and changes to these input documents will be accepted for consideration without prejudice or restriction and evaluated based on technical merit.
"In order to meet the growing demands of secure Web service messaging, we need facilities beyond what is provided in the WS-Security OASIS Standard," explained Kelvin Lawrence of IBM, proposed co-chair of the OASIS WS-SX Technical Committee. "WS-Security describes a base mechanism for securing SOAP messages. With WS-SX, we'll concentrate on trust brokering, multi-message exchanges, and policies that describe how to secure message exchanges with a Web service."
With input from the entire community, the OASIS WS-SX Technical Committee will advance a set of modular specifications that standardize the concepts, WSDL documents, and XML Schema renderings for trusted brokering of SOAP message exchanges, shared security contexts, and security policies. WS-SecurityPolicy defines a general set of security policies that can be associated with a Web service. WS-Trust provides a description for managing, establishing and assessing trust relationships between parties exchanging information. WS-SecureConversation serves as a building block to create a secure context for organizations to exchange multiple messages without constantly reauthenticating.
"The WS-Security OASIS Standard describes how to use security tokens to obtain message integrity, confidentiality, and authentication of the message sender, but in order to use these mechanisms, tokens must be obtained and trust brokered. Furthermore, a mechanism is needed to describe security exchange patterns," noted Chris Kaler of Microsoft, proposed co-chair of the OASIS WS-SX Technical Committee. "WS-Trust and WS-SecurityPolicy include additional primitives to enable the obtaining of tokens and brokering of trust relationships as well as expressing supported security exchange patterns as policy expressions associated with SOAP endpoints."
By advancing the specifications within OASIS, WS-SX developers are able to work in close proximity to related projects also underway at the consortium, including the OASIS Web Services Reliable Exchange (WS-RX), Web Services Transaction (WS-TX), and Web Services Security Committees. Participants in the OASIS WS-SX Committee intend for their work to be readily composable with these other specifications.
"The WS-Security OASIS Standard was designed to be a highly extensible method," observed James Bryce Clark, director of standards development at OASIS. "WS-SX will provide further extensions to enable functions such as policy expressions and long-running conversations. These will augment the X.509, username, SAML, and other token profiles already available for WS-Security. "
The OASIS WS-SX Technical Committee will operate under Royalty Free on RAND Terms, as defined by the OASIS Intellectual Property Rights Policy. The Committee's first meeting will be held 7-8 December 2005, and participation remains open to all companies, non-profit groups, and individuals. As with all OASIS projects, archives of the Committee's work will be accessible to both members and non-members, and OASIS will host an open mail list for public comment.
Support for WS-SX
"Ensuring that Web services can be used for mission critical solutions in the enterprise is vital," said Dan Foody, CTO of Actional. "Many mission critical applications require transactional integrity, and with the advent of WS-TX, these applications can be designed and built to use Web services — all while being interoperable across vendors."
"CA is pleased to participate in the OASIS WS-SX Technical Committee. As one of the early contributors to the specifications that lead to the creation of this committee, CA recognizes the need for the standardization of trust between federated business partners and plans to implement those standards in CA's IAM products as they become available," said Bill Bartow, senior vice president of eTrust Identity and Access Management at CA.
"The OASIS WS-SX Technical Committee represents a significant step forward in creating a composable Web services architecture," said Mamoon Yunus, CTO of Forum Systems. "WS-SecureConversation, WS-SecurityPolicy, and WS-Trust help establish the necessary security context for exchanging multiple messages, resolving security token incompatibility, and defining interoperable security policy expression. With WS-SX, security underpinnings necessary for enterprise-class SOAs are closer to realization."
"We continue to see increasing demand for secure Web services from our clients deploying advanced SOA solutions," said Karla Norsworthy, vice president, IBM Software Standards. "The specifications contributed to the OASIS WS-SX Committee provide customers the ability to establish trust relationships that span long running exchange and provide interoperability for real world scenarios."
"Today's announcement represents another significant step toward simplifying the development of secure, interoperable systems based on Web services," said Ari Bixhorn, Director of Web Services Strategy for Microsoft. "The broad industry support for this charter shows our continued commitment to providing a Web services architecture that enables customers to address their ever-changing business needs."
"Nokia is pleased to see these specifications submitted to an open standards organization," said Frederick Hirsch, Senior Architect at Nokia. "We would like to see convergence of standardization in this area to enable the adoption of services that require these standards."
"Identity technology is a critical aspect of the Internet, and Novell is committed to providing secure interoperability within Web services infrastructure," said Kent Erickson, Novell vice president, Identity and Resource Management. "We recognize the security of Web services is important as we identity-enable the Internet. We look forward to collaborating with other leading software vendors so our customers can increase the security of their systems and improve their agility to meet their ever-changing needs."
"Oracle is deeply committed to developing and supporting the development of open standards, and Web services security is a particularly keen interest to us," said Oracle Vice President, Identity Management, Roger Sullivan. "By participating in the OASIS WS-SX Committee we will play a key role in providing the standardized mechanisms organizations need to interoperate in a secure and trusted Web services environment."
"The WS-SX specifications will enhance Web services security through advanced support for collaborative business solutions," said Michael Bechauf, Vice President of SAP NetWeaver Industry Standards. "As one of the world's leading provider of business software solutions, we believe that interoperability of policy-driven security runtime configurations and improved messaging security are important building blocks of the Enterprise Services Architecture (ESA)."
"The work performed by the OASIS WS-SX Committee will essentially complete the triumvirate of secure, reliable and transactional Web services required for real-world, business-to-business communication using SOA," said Alistair Farquharson, SOA Software CTO. "We are pleased to participate in this work as it will help to standardize much of the work we have already done through the creation of the XML VPN concept and products."
"Security remains one of the top issues among enterprise IT executives adopting SOA," said Roman Stanek, Founder, Systinet. "This new standard will go a long way toward alleviating their concerns, and Systinet is pleased to support OASIS on this initiative."
"Missing from today's Web services messaging is an accepted standard for brokering trust between parties in a SOAP message exchange," said Matt Quinn, vice president, Product Strategy, TIBCO Software, Inc. "In order to advance Web services adoption and enable the establishment of trusted relationships between senders and receivers, protocols around message integrity, confidentiality and authentication must be established. The OASIS WS-SX Technical Committee, comprised of the industry's leading authorities on both IT security and open standards-based computing, will work to unite disparate efforts and achieve industry consensus to overcome this challenge." Quinn added, "As an active participant in OASIS, TIBCO is committed to furthering the development and adoption of standards that drive technology innovation."
"While the WS-Security OASIS Standard provides an important protocol for securing SOAP messages, it fails to cover all of the important usages of SOAP today," said Marc Breissinger, vice president and Chief Architect, webMethods Inc. "The OASIS WS-SX Technical Committee is charged with addressing many of these issues, including trust brokering, multi-message exchanges, and the need for policies describing how to secure message exchanges with a Web service. Based on our continuing support for key industry standards and our long-term recognition of the need to derive business value from Web services, webMethods is proud to support this initiative."
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. The consortium produces open standards for Web services, security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries. Approved OASIS Standards include AVDL, CAP, DITA, DocBook, DSML, ebXML CPPA, ebXML Messaging, ebXML Registry, OpenDocument, SAML, SPML, UBL, UDDI, WSDM, WS-Reliability, WSRP, WS-Security, XACML, and XCBF.
OASIS WS-SX Technical Committee
Cover Pages Technology Report on XML and Security
Note: The formation of this OASIS Technical Committee corresponds to certain details announced by IBM and Microsoft in July 2005: see the news story "Microsoft and IBM Announce Submission of Security Specifications to OASIS."