Information Security News mailing list archives

IBM, Microsoft Deliver New Security Specs


From: InfoSec News <isn () c4i org>
Date: Thu, 19 Dec 2002 02:57:25 -0600 (CST)

http://www.eweek.com/article2/0,3959,793338,00.asp

By Darryl K. Taft
December 18, 2002 

Web services giants IBM and Microsoft Corp. Wednesday announced, along
with BEA Systems Inc., RSA Security Inc., VeriSign Inc. and SAP AG, a
new set of security and policy specifications based on the Web
Services Security road map that Microsoft and IBM developed last April
to help enterprises share information securely.

The first set of specifications includes WS-Trust, which
defines a framework for managing, setting up and assessing trust
relationships to enable Web services to securely interoperate, a
common way to access security services; WS-SecureConversation, which
defines a framework to set up a secure context for parties that want
to exchange multiple messages without having to continually
re-authenticate; and WS-SecurityPolicy, which defines general security
policies that can be associated with a service, said Karla Norsworthy,
director of dynamic ebusiness technologies at IBM. IBM, Microsoft, RSA
and VeriSign authored all three specifications.

The specifications fall into two categories, the companies said: those
that build on technical issues in the Microsoft/IBM road map (the
first three), and another group of three specifications that focus on
implementing business policies into Web services.

Scott Collison, director of Web services management at Microsoft, said
the new specifications are based on accepted standards in the areas of
the Simple Object Access Protocol (SOAP), security, transactions and
discovery to provide a framework for implementing business policy and
security for a broad set of applications. "This is the next wave of
our delivering specs in security," he said. "We're delivering some
additional specifications that are part of our execution against an
overall Web services vision to allow companies to have broadly
interoperable Web services regardless of the platform their
application sits on," he said.

"These are initial versions of the specs, so customers still need to
give their feedback," said Jason Bloomberg, an analyst with ZapThink
LLC, based in Cambridge, Mass. "There are no tools that support these
specs yet, so today's announcement is only one in a series of steps
that lead to the release of the specs to a standards body."

The second set of specifications includes WS-Policy, which outlines a
way for Web services senders and receivers to communicate their
requirements and capabilities, including the ability to search for and
discover the information they need to access the service;  
WS-PolicyAttachments, which provides a standard mechanism for
attaching requirement and capability statements to a Web service; and
WS-PolicyAssertions, which describes general policies that can be
affiliated with a service. BEA, IBM, Microsoft and SAP authored these
specifications.

"Policy is important across a broad set of disciplines, including
security but not exclusive to security," Norsworthy said. "A good
example is I might want to express policy that tells what human
language interface a Web service would need to expose to be
appropriate for a particular end user. Or I might want to express policy
that tells what version of a standard like HIPAA [Health Insurance
Portability and Accountability Act] that a Web service in the medical
space needed to conform to in order for me to feel comfortable using
it."

"The specs are more the concern of people developing software, and we
implement them in a way that's seamless," Collison said.

Added Norsworthy: "The end goal is to make the time to implement this
technology shorter."

Overall, said Bloomberg, "These specs overlap some of the work that
the Liberty Alliance has been doing, which raised a red flag for me.  
SAP, VeriSign and RSA are members of Liberty as well, so you'd think
the two efforts would be working closely together, but apparently not.  
The WS-Security party line is that they hope Liberty will support
these specs, and they're anxious to get feedback from Liberty. Whether
their lack of early input from Liberty will create a political issue
remains to be seen, but it is a risk."

In a statement, Edward Cobb, vice president of architecture and
standards at BEA, said: "BEA has long supported the goal of secure
interoperability of Web services through the advancement of the
WS-Policy standard. This specification promotes a common industry goal
to help speed the adoption of Web services by delivering secure,
reliable interoperability guidelines that span platforms, applications
and programming languages."



-
ISN is currently hosted by Attrition.org
