WS-Security Specification for Web Services
IBM, Microsoft and VeriSign Announce New Security Specification to Advance Web Services
WS-Security Specification is the Cornerstone to Building Secure Web Services
Companies Will Jointly Submit Specification for Standardization
Redmond, WA, USA; Armonk, NY, USA; Mountain View, CA, USA. April 11, 2002.
Microsoft Corp., IBM Corp. and VeriSign Inc. today announced the publication of a new Web services security specification to help organizations build secure, broadly interoperable Web services applications. The three companies jointly developed the new specification, known as WS-Security, and plan to submit it to a standards body.
WS-Security is the foundation for a broader road map and additional set of proposed Web services security capabilities outlined by IBM and Microsoft today to tackle the growing need for consistent support of more secure Web services. The proposed road map, titled "Security in a Web Services World" and authored by Microsoft and IBM, outlines additional Web services security specifications the companies plan to develop along with key customers, industry partners and standards organizations.
WS-Security supports, integrates and unifies several popular security models, mechanisms and technologies, allowing a variety of systems to interoperate in a platform- and language-neutral manner in a Web services context.
WS-Security defines a standard set of Simple Object Access Protocol (SOAP) extensions, or message headers, that can be used to implement integrity and confidentiality in Web services applications. SOAP is an XML-based industry protocol for accessing Web services in a platform- and language-independent manner. WS-Security provides standard mechanisms to exchange secure, signed messages in a Web services environment, and provides an important foundation layer that will help developers build more secure and broadly interoperable Web services.
"Companies know they can achieve dramatic gains in productivity and cost effectiveness by automating business processes through Web services, but two key challenges stand in the way: interoperability and trust," said Dr. Phillip Hallam-Baker, principal scientist with VeriSign and a co-author of the WS-Security specification. "The industry is making solid inroads on the interoperability front, and the new WS-Security spec is among a series of open security specifications paving the way for widespread adoption of trusted Web services."
Piecing Together Components for Secure Web Services
In addition to the WS-Security specification, IBM and Microsoft also announced they are publishing a Web services security road map, titled "Security in a Web Services World." The document describes an evolutionary approach to security and defines additional, related Web services security capabilities within the framework established by the WS-Security specification that the two companies plan to develop in close collaboration with platform vendors, application developers, network and infrastructure providers, and customers.
Organizations can incorporate these new specifications, as needed, into the different levels of their Web services applications. The other proposed specifications include these:
- WS-Policy, WS-Trust and WS-Privacy. WS-Policy will define how to express the capabilities and constraints of security policies; WS-Trust will describe the model for establishing both direct and brokered trust relationships (including third parties and intermediaries); and WS-Privacy will define how Web services state and implement privacy practices.
- WS-Secure Conversation, WS-Federation and WS-Authorization. WS-Secure Conversation will describe how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys; WS-Federation will describe how to manage and broker trust relationships in a heterogeneous federated environment, including support for federated identities; and WS-Authorization will define how Web services manage authorization data and policies.
A modular approach to Web services security is necessary because of the variety of systems that make up today's IT environments. As the use of Web services increases among collaborating organizations using different security approaches, the proposed security and trust model provides a flexible framework in which organizations can interconnect in a trusted way.
This interoperable approach enables both the security technology and its business use to evolve. Accordingly, the road map describes how to support current and future security approaches. Organizations can choose the credential they wish to employ, and the process of adoption and deployment can be incremental.
"Providing the industry and our customers with a solid, open-standards based security model reinforces IBM's technology leadership and commitment to advancing secure Web services," said Arvind Krishna, vice president of security products, Tivoli Software, IBM. "Security is key to building and evolving the trusted infrastructures on which our customers run their businesses, and providing them with the necessary specifications to address end-to-end Web services security is crucial."
"Today's announcement of WS-Security is a major milestone on the road from today's situation, where Web services security is left as an exercise for the individual developer, to a world where we have broadly interoperable standards for Web services security," said Eric Rudder, senior vice president of the Developer and Platform Evangelism Group at Microsoft Corp. "WS-Security is another example of Microsoft's commitment and leadership in driving industry standards for Web services."
WS-Security is the foundation of the proposed Web services security architecture. Microsoft, IBM and VeriSign intend to submit the WS-Security specification to an appropriate standards body and anticipate subsequent implementations from multiple vendors. The combined Web services security model, specifications and standards process will enable businesses to confidently develop secure, interoperable Web services and to quickly and cost-effectively increase the security of existing Web services applications.
The WS-Security specification and the "Security in a Web Services World" road map are available on the following sites:
- IBM developerWorks: http://www-106.ibm.com/developerworks/library/ws-secure/
- Microsoft MSDN: http://msdn.microsoft.com/ws-security/
- VeriSign: http://www.verisign.com/wss/
VeriSign Inc. is the leading provider of digital trust services that enable everyone, everywhere to engage in commerce and communications with confidence. VeriSign's digital trust services create a trusted environment through four core offerings -- Web presence services, security services, payment services and telecommunications services -- powered by a global infrastructure that manages more than 5 billion network connections and transactions a day. Additional news and information about the company is available at http://www.verisign.com/.
IBM is the world's largest information technology company, with 80 years of leadership in helping businesses innovate. IBM software offers the widest range of infrastructure software for all types of computing platforms, allowing customers to take full advantage of the new era of e-business. The fastest way to get more information about IBM software is through the IBM home page at http://www.ibm.com/software/.
Founded in 1975, Microsoft is the worldwide leader in software, services and Internet technologies for personal and business computing. The company offers a wide range of products and services designed to empower people through great software -- any time, any place and on any device.
Prepared by Robin Cover for The XML Cover Pages archive. See the 2002-04-11 news item "Microsoft, IBM, and VeriSign Promote WS-Security Specifications for Web Services."