FRAMINGHAM (04/28/2000) - The second version of the messaging interoperability protocol Microsoft Corp. is proposing as a standard method of communication between information systems built on different technologies embraces more industry standards than the first version, but still lacks specifications for security, message routing and multicasting.
Last year, Microsoft introduced the first version of the Simple Object Access Protocol (SOAP) along with developer training company DevelopMentor Inc. and technology publisher UserLand Software Inc. as a way to let applications exchange messages and function calls. IBM Corp. and its Lotus Development Corp. subsidiary have joined the development team supporting the latest version, SOAP 1.1.
SOAP 1.1 supports message transport using the standard Simple Mail Transfer Protocol and IBM's MQSeries message-oriented middleware, as well as File Transfer Protocol and TCP/IP, and extends SOAP's asynchronous messaging capabilities.
"SOAP is just a submission" today, said James Kobielus, an analyst at Burton Group Inc. in Alexandria, Virginia. "It could take one or two years before there is a consensus draft in this area," he said. It's a good proposal, he added, "but it's Microsoft. There's always knee-jerk resistance to anything Microsoft proposes as a universal standard."
IBM had been critical of the first version of SOAP, released last fall, but has come around to supporting it. That change is the result of Microsoft's willingness to retreat from its own version of protocols and embrace industry standards, said IBM XML Program Manager Robert Sutor. The new version embraces the "XML schema coming from the World Wide Web Consortium (instead of) a Microsoft flavor of XML," Sutor said.
But the specification says "methods for integrity and privacy protection" are not included. There are not yet any means to ensure data integrity, prevent electronic snooping or authenticate the sender. Digital certificate support using the X.509 specification, which had been rumored to be in development, did not show up in this version.
The protocol's great flexibility makes such security extremely important, however.
SOAP supports remote procedure calls (RPC), which let software on one machine use services or exchange data with software on a remote machine.
Based on XML and HTTP, SOAP messaging allows such communication between systems using different internal technology, such as Microsoft's Component Object Model (COM), Enterprise JavaBeans or older languages such as Cobol.
It has potential for use in e-commerce Web transactions between businesses, such as ordering from a catalog or getting authorization for a credit-card purchase.
And, because its messaging functions use HTTP, SOAP traffic should be able to slide right through most firewalls, which are set up to let HTTP traffic enter.
That open door lets legitimate business partners remotely activate code and exchange information, but would also let hackers in, security experts say.
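The following sketch is an added example, not code from the SOAP specification or from any of the vendors named here. It shows how a gateway in front of a SOAP endpoint could look inside HTTP POSTs instead of passing them blindly, and allow only listed remote calls. The service namespace `urn:example:catalog`, the method names, the function names and the one-call-per-message policy are assumptions made for illustration, and the check assumes UTF-8 request bodies.

```python
import xml.etree.ElementTree as ET

ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"  # SOAP 1.1 envelope namespace
# Hypothetical policy: the only (service namespace, method) pairs partners may call.
ALLOWED_CALLS = {("urn:example:catalog", "GetPrice"), ("urn:example:catalog", "PlaceOrder")}

# Constructed sample request body (not captured traffic).
SAMPLE = (b'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"><e:Body>'
          b'<m:GetPrice xmlns:m="urn:example:catalog"><item>42</item></m:GetPrice>'
          b'</e:Body></e:Envelope>')

def soap_call(headers, body):
    """Return (namespace, method) for a SOAP RPC in an HTTP POST, None if not SOAP."""
    claims_soap = any(name.lower() == "soapaction" for name in headers)
    if b"<!DOCTYPE" in body:
        # SOAP 1.1 forbids DTDs; refusing them also keeps entity tricks from the parser.
        raise ValueError("document type declaration present")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        root = None
    if root is None or root.tag != ENV + "Envelope":
        if claims_soap:
            raise ValueError("SOAPAction header without a SOAP 1.1 envelope")
        return None
    entries = root.find(ENV + "Body")
    if entries is None or len(entries) != 1:
        # Policy assumption: one RPC per message, so the decision covers the whole body.
        raise ValueError("expected exactly one element in Body")
    tag = entries[0].tag
    if not tag.startswith("{"):
        return "", tag
    namespace, _, method = tag[1:].partition("}")
    return namespace, method

def decide(headers, body):
    """Gateway verdict for one POST: pass non-SOAP, allow listed calls, deny the rest."""
    try:
        call = soap_call(headers, body)
    except ValueError as exc:
        return "deny: %s" % exc
    if call is None:
        return "pass: not SOAP"
    verdict = "allow" if call in ALLOWED_CALLS else "deny"
    return "%s: %s#%s" % (verdict, call[0], call[1])

if __name__ == "__main__":
    print(decide({"SOAPAction": '"urn:example:catalog#GetPrice"'}, SAMPLE))
```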
Security will come, said IBM's Sutor. SOAP is a starting point, he said, intended to evoke comment and refine the protocol.
It doesn't work to try to fully develop a standard and then test it, he said.
"You need a number of working drafts, and with each successive draft, you address different issues."
"I think it could take one or two years before there is a consensus draft in this area," Kobielus agreed.
IBM this week will post a Java implementation of SOAP on its AlphaWorks Web site and provide source code, Sutor said.
Microsoft last year announced that its forthcoming BizTalk Server, developed for transporting and routing XML documents between companies, would be based on SOAP.
The proposed standard may be submitted to the Internet Engineering Task Force or to the World Wide Web Consortium when it meets in Amsterdam May 17, but SOAP developers hope to present it first to ebXML standards bodies meeting next week, Sutor said.