OASIS fuels security agenda

Determined to nail down key security and interoperability standards, the broad base of support for official standards bodies is swelling to counter enterprise apprehension regarding Web services adoption.

This week, 95 individuals representing 56 different companies will meet in Redwood City, Calif., to apply for membership in a new TC (technical committee) being formed by the Organization for Advancement of Structured Information Standards (OASIS) to address the WS-Security specification, said Kelvin Lawrence, distinguished engineer at Armonk, N.Y.-based IBM Corp. and co-chair of the OASIS WS-Security TC.

Lawrence said a complete list of accepted members will appear on the OASIS Web site after the meeting. OASIS members that have proposed TC participation include BEA Systems Inc., Cisco Systems Inc., Intel Corp., IBM, Microsoft Corp., Sun Microsystems Inc., Entrust Inc., IONA Technologies PLC, Novell Inc., VeriSign Inc., Netegrity Inc., Oblix Inc., SAP AG, RSA Security Inc., Baltimore Technologies PLC, OpenNetwork Technologies Inc., Systinet Corp., and Documentum Inc.

Originally created by Microsoft, IBM, and VeriSign, WS-Security proposes a standard building-block set of SOAP extensions to construct secure Web services and offer support for multiple security tokens, trust formats, signature formats, and encryption technologies.

The security standards effort taps into long-held enterprise concerns. According to a Forrester Research Inc. report released in June, Web services will remain hidden in the back office until desires for multiple levels of authentication and encryption, centralized authorization and auditing, seamless message signing, and consumption of external authentication services are met.

IBM's Lawrence said three input documents will be discussed at the inaugural WS-Security TC meeting, including the original WS-Security specification and a submission by the OASIS SAML TC to examine how SAML will utilize WS-Security.

A WS-Security addendum will also be introduced as a result of "lessons learned" during a Web services interoperability test between Microsoft .Net and IBM WebSphere servers at the XML Web Services One conference in Boston last week.

A few missing attributes of the specification were cited, specifically the absence of a time stamp.

Lawrence said smaller working groups within OASIS should appear to tackle areas such as security event management, intrusion detection, ID management, and vulnerability assessments once a working draft of WS-Security is on the table.

Some security experts question the level of sincerity in the initial outpouring of WS-Security support.

"OASIS has become a popularity party," said Ron Schmelzer, senior analyst at Boston-based XML and Web services research company ZapThink LLC. "It has less to do with 56 [companies] having something to really contribute than it has to do with 56 [companies] wanting to jump on the bandwagon."

Still, the rush to participate in security standards development is at a fever pitch.

Last week, the Liberty Alliance Project announced that 30 companies joined its ranks -- boosting total membership to more than 95 companies -- to develop open interoperable specs for federated network identity.

According to Rob Cheng, senior iPlatform analyst at Redwood Shores, Calif.-based Oracle Corp. and co-chair of the Web Services Interoperability (WS-I) organization's marketing committee, the WS-I is on track to produce Version 1.0 of its WSBasic profile, which will feature sample applications and testing tools, in the fourth quarter. A profile is a set of best practices designed to bridge the gap between standards organizations and end-users.

Security unaddressed

OASIS attempts to solve standards complexity, problems.

* Early adopters risk unknowingly exposing Web services interfaces to critical data.

* Poor security will keep Web services hidden in back office.

* Development of dynamic partner links has been hindered by security.

Source: Forrester
