WS-Sec tries for standard status, Sun backs effort

A security specification being developed to add standard security mechanisms to emerging Web services technology was submitted to a standards body Thursday, and has drawn the support of a growing number of vendors.

First unveiled in April through a partnership between Microsoft Corp., IBM Corp. and VeriSign Inc., the specification known as WS-Security is now on its way to becoming a recognised standard for securing applications and services that are delivered over the Internet. The Organization for the Advancement of Structured Information Standards, also known as OASIS, has agreed to form a working group that will take over crafting WS-Security, the companies announced. OASIS, in Billerica, Massachusetts, is an organization whose membership includes IT vendors, trade groups and government bodies, and creates standards for information exchange technologies for electronic commerce.

The WS-Security specification defines a standard set of SOAP (Simple Object Access Protocol) extensions, or message headers, that can be used to set security levels in Web services applications. It allows these applications to incorporate a variety of different security technologies such as digital signatures and encryption, said Steven VanRoekel, Web services technical marketing director for Microsoft.

In a move that signals greater industry cooperation around building a standard infrastructure for Web services, Sun Microsystems Inc. Thursday announced that it would back WS-Security and take part in the OASIS working group.

"When approached about the possibility of doing that, we were pleased with the request, and determined very quickly that it was something that we did want to support," said Bill Smith, director of Web services technology at Sun.

The addition of Sun is a departure from some recent industry wrangling about the development of standard technologies for delivering applications and services over the Internet. A consortium of companies including Microsoft and IBM launched the Web Services Interoperability Organization, or WS-I, in an effort to ensure that Web services from competing vendors work together. While it has been steadily accruing new members, Sun has yet to join.

For one, Sun executives have criticised Microsoft and IBM in the past for releasing specifications designed to be standard technology protocols, such as SOAP and WSDL (Web Services Description Language), under licenses that would allow them to charge royalties to companies that incorporated those standards into their products. Both IBM and Microsoft reaffirmed Thursday in interviews that they have no intentions to collect royalties on those technologies.

In any case, due to rules set by OASIS, WS-Security technology, and therefore SOAP and WSDL extensions for WS-Security, will not be allowed to be covered by licensing terms that would permit royalties. That was a major reason Sun agreed to participate, the company said.

"We are very supportive and almost insistent that all of the technology developed to implement the Web infrastructure be available on a royalty-free basis," Smith said.

In addition to Sun, 17 companies have expressed plans to participate in the OASIS development effort. They include Baltimore Technologies PLC, BEA Systems Inc., Cisco Systems Inc., Entrust Inc., Intel Corp., IONA Technologies PLC, Netegrity Inc., Novell Inc., Oblix Inc., OpenNetwork Technologies Inc., RSA Security Inc.

In related news Thursday, VeriSign announced that it plans to publish the source code of its implementations of the WS-Security specification in the coming weeks, a company spokesman said. The implementation from VeriSign will include a set of APIs (Application Program Interfaces) that will allow developers to start building secure Web services.

Other vendors are working on their own implementations of the WS-Security specification. Both IBM and Microsoft said they have released early documentation around their efforts and plan to release products that incorporate the technology within the year.

VeriSign said it has nearly completed work on its version and will make it available for free download at, an open source developer community Web site.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Baltimore TechnologiesBEACiscoE*TradeIBM AustraliaIntelIona TechnologiesMicrosoftNovellOblixOpenNetworkOpenNetwork TechnologiesOrganization for the Advancement of Structured Information StandardsRSA, The Security Division of EMCSEC

Show Comments