A standards body developing security and policy improvements for the next version of a Web services-based registry specification stamped its work as an official standard on Thursday.
Universal, Description, Discovery and Integration 3.0, which includes the security and policy controls that were missing from earlier versions of the specification, gained final approval by the Organization for the Advancement of Structured Information Standards (OASIS). The ratified UDDI 3.0 specification was first drafted in 2002 and has gone through a number of editing changes since. The actual version sent out last month to a vote by the OASIS membership was labeled 3.0.2.
UDDI is a locator service that allows providers to list their Web services and allows users of those Web services to find them. The registry provides flexibility so application components can be "loosely coupled" and readily reused instead of hardwired together.
Experts say UDDI 3.0 is the first version of UDDI that is ready to handle the demands of a service-oriented architecture. UDDI was one of the original cornerstones of Web services, along with XML, Simple Object Access Protocol, and Web Services Description Language (WSDL), which all have collected much fanfare as UDDI struggled to mature.
"When we designed version 3.0 it was entirely enterprise-focused," said Luc Clement of Systinet, co-chair of the OASIS UDDI Specification Technical Committee. "Version 1 clearly wasn't ready. Version 2 -- we were making the transition, but it wasn't quite ready. But Version 3 is enterprise-ready." Clement says his committee is not done and is working on enhancements it calls V.Next, which could become a 3.1 version or the foundation for a 4.0 version.
"There is a lot of effort around complementing other standards," says Clement. Those efforts include work to map other specifications to UDDI, including Web Services Business Process Execution Language, Web Services for Remote Portlets, and Web Services Distributed Management. Those mappings would allow certain data to be stored in the registry, such as management information about a particular SOA.
Companies such as Motorola, The Hartford Financial Services Group and Charles Schwab Corp. have already adopted the 3.0 specification. Vendors such as IBM, Microsoft, Oracle, SAP and Computer Associates.
"Version 3.0 is focused on distributed and federated registries, and that is critical because that is the way UDDI will be deployed in the real world," says Jim Kobielus, an independent analyst and consultant. "UDDI registries in different domains will need to interoperate with each other." Key to those federations are UDDI 3.0 features like support for digital signatures that ensure the validity of registry information. "Without non-repudiation you could have spoofed entries in the registry."
That kind of security model is one of the hallmarks of UDDI 3.0, which has a security model based on a set of user-configured policies.
There are dozens of policies for such operations as access control, replication, subscription, delegation, data transfer rights, and UDDI keys, which are unique identifiers attached to each entry in the registry. Support for WSDL also has been added.
The support for the XML Digital Signatures standard provides assurances as to the source and integrity of data in the registry.
Version 3.0 is seen as the key for creating private, semi-private and public UDDI registries that could be integrated at various levels. It supports a multi-registry environment where private corporate directories can share select data with semi-private registries -- say, that of any industry hub -- and with public registries that can be used as root authorities to control the assignment of UDDI keys.
UDDI 3.0 also has new search parameters, such as a search for exact matches only, and a new subscription API that allows users to be notified of any changes to a specific registry entry and copy that change between registries. The specification also introduces a new information model.