Web services spec invites controversy

The Microsoft-backed WS-Federation security specification could complicate the movement to build Web services standards and could create a rival to the Liberty Alliance Project.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Stephen Shankland
3 min read
A Web services security specification, introduced this week by IBM and Microsoft, could emerge as a rival to the existing Sun Microsystems-backed Liberty Alliance Project.

A group of major players on the Web services landscape, including IBM, Microsoft, BEA Systems, RSA Security and VeriSign, announced the WS-Federation security specification on Tuesday.

The specification allows software developers to establish a common way to build Web services that work with a variety of security schemes. The goal is to allow a person to log on to business systems once and gain access to multiple applications. The companies behind the WS-Federation specification said that by using the spec, developers can create "trust relationships" across companies to smooth electronic commerce transactions.

For instance, a sales representative could log on to a local purchasing application and gain access, through secure Web services, to databases located in the offices of a business partner. Typically, such transactions would require separate logons and network access permissions from partners.

While analysts agree the need for a specification such as WS-Federation exists, they add that the WS-Federation largely re-creates work already done by Sun and other companies as part of the Liberty Alliance. The new specification could complicate the movement to build Web services industry standards by creating overlapping and competing movements, analysts say.

"The last thing the industry needs are two different security/ID specifications," said Jason Bloomberg, an analyst with market researcher ZapThink. Bloomberg and Ron Schmelzer, also with ZapThink, said that a potential standards rivalry could be hurtful to the industry at large.

"Security is the primary concern of Web services users today," said Schmelzer. "If we see proliferation of multiple specifications backed by the big players, it could cause confusion and slow down end user adoption."

A Liberty Alliance representative said WS-Federation handles at least some of the same chores as Liberty's specification.

"There's got to be some overlap there," said Britta Glade, vice chairwoman of the Liberty Alliance's business and marketing expert group. "It focuses on federated identity. That's what we've been focusing on for two years."

Sun--whose two biggest rivals are Microsoft and IBM--launched Liberty at the behest of Visa International, but the effort is now controlled by many companies. There is no unwillingness to incorporate others' technology in Liberty, Glade said, adding that the group incorporated some of the work by an earlier Microsoft-IBM Web services effort, WS-Security.

Microsoft's director of Web services, Steven VanRoekel, downplayed concerns about competition between the specifications. VanRoekel said that WS-Federation members see the two standards as complementary rather than opposing.

"Liberty addresses one scenario around consumer interactions and the sharing of opt-in information; WS-Federation exists more at a foundational level, enabling the movement of information throughout Web services," he said. "I think it won't be hard for the two to coexist."

VanRoekel also indicated that the WS-Federation standards effort will dovetail with existing authentication and ID management strategies at the software giant, including its Microsoft Identity Integration Server, which he said would be "enabled" by the new specification.

However, the WS-Federation group didn't contact the Liberty group, despite the similarities between the two specifications. "Microsoft and IBM did not formally approach the Liberty Alliance," said James Vanderbeek, chairman of business requirements group and senior manager of strategy at mobile phone service operator Vodafone--which is a member of Liberty.

Vanderbeek hopes the two groups might yet work together, aided by the fact that RSA, BEA and VeriSign are members of both groups.

"I believe the best path forward is for the Liberty Alliance and the (WS-Federation) group to work together," Vanderbeek said. "Some members from Liberty are also members of WS-Federation. We see that as a bridge to hopefully drive convergence fairly quickly."

The Liberty specification is in use in 20 products today with another 14 coming by early 2004, Glade said. The Liberty group submitted its specification to the OASIS standards body in April. That group has 170 members, including some, such as Vodafone, American Express and General Motors, that plan to use Liberty internally.

Schmelzer said he believes backers of both specifications will try to work together on some level, with each group potentially asserting that the other standard could operate under its own guidelines.