News Stay informed about the latest enterprise technology news and product updates.

Q&A: IBM unlocks the details behind WS-Security

Even though the Web services industry is the hottest IT segment going, the one issue holding back widespread Web services deployments has been security. That was, until last week, when Microsoft, IBM and VeriSign publicly released WS-Security, a preliminary specification for securing public Web services. Karla Norsworthy, IBM's director of dynamic e-business technology, recently explained to SearchWebServices why IBM thinks WS-Security will be just as crucial to Web services as SOAP, WSDL and UDDI.

Can you explain what the WS-Security specification actually is?
The announcement consisted of two things. One is the WS-Security specification, and the other is a roadmap for where we feel Web services are going. WS-Security is a full Web services security spec, and we expect lots of conversation on it. It's focused on the first layer of security that needs to be addressed. This is the first step that gets around integrity and confidentiality and also security tokens. Can you put integrity, confidentiality and security tokens in context?
These would allow two Web services to do basic things. For instance, if you and I were going to send SOAP messages between each other, I could validate that the message came from you. The standard covers encryption as well, so if we wanted to keep something confidential, we could encrypt the data in the SOAP message. And, we'd have a common way to validate whatever security method we'd want to use with our SOAP message. The security standard gives you a token so that if you love PKI, you can use PKI. If you've got Kerberos, you can use that. Do you have a timetable for completing the future security specifications discussed in the roadmap?
I would say we'll work with the industry to figure out the exact timetable, but we'd envision having these specs across the whole roadmap over the next 12 months. You'll see implementations from various companies, and releases of products in upcoming releases. We do want to get the full industry involved on this roadmap, so as we develop single specifications (in the future) we meet the wide variety of business requirements for security. What can Web services developers do with this new specification today?
IBM has put a copy of its Web Services Toolkit (which provides an implementation of the SOAP security token and digital signature components of the WS-Security specification) out on its developerWorks site, so developers can begin to learn how to use it in applications today. Can you explain the second piece of the WS-Security announcement, the long-term roadmap for securing Web services?
To solve the security problems is going to take several steps. The first stage is the spec we're discussing, WS-Security. As we started to work on that spec, we went though a large number of customer scenarios. This is a good first step, but to really meet all the different customer scenarios, we'll have to discuss things like policy and trust. The roadmap provides a high-level description of what the content needs to be in those specifications. In the next level of the roadmap we talk about specs that express those concepts, and at the top level we get into federation where we're talking about how to federate these various security specs to give us the right performance across all these security solutions. Even though WS-Security is the combination of two technologies from IBM and Microsoft, why not invite other companies interested in Web services, such as Sun or HP, to participate?
Well we will certainly get input from a broad set of industry players as we work on this, but in our experience, the best way to do this is to start by get a small number of companies to put a specification on the table. If you think back to the way we originally developed UDDI, a small number of partners released a specification and we then released that to a large number of partners. We expect that same kind of evolution here. Is this standard only applicable to Microsoft technology or is it applicable to Java-based Web services as well?
Certainly at IBM we ship a lot of Java-based Web services, so the technology is applicable to all Web services. Our implementation that you'll see on developerWorks is based on a Java-based implementation of Web services. We started out with one of our key goals being to improve interoperability for Web services. So when customers use Web services, one could be implemented in Java, another in another language using Microsoft technology, and they could still achieve interoperability using those two services. Do you believe this protocol will be as important to Web services as SOAP, WSDL and UDDI, and if so, why?
I believe it will be because of what I hear back from my customers, which is that they really do need security to take Web services to that next level of deployment. The two issues that stand out with customers are that they want interoperability assurances and they want security. They've got to have a standards-based way to ensure security across Web services. We think this is essential. Why did IBM, Microsoft and VeriSign choose to release this standard publicly first and not to a standards body?
This is the typical way that we develop standards. We'll often work with a small number of other companies to come up with a proposal. Ultimately it'll go to a standards body. We'd like to get feedback from a larger community, take it to the next level, and then take it to a standards body like the W3C or OASIS.


CLICK for our Best Web Links on Web services security

CLICK for our Featured Topic on Web services security

CLICK for columnist Preston Gralla's take on Web services security

CLICK for more articles by Eric B. Parizo

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.