Bring on the Web services war

VeriSign CEO Stratton Sclavos says a battle over standards and specs could work wonders in making Web services ready for prime-time consumption.

Charles Cooper Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.
Charles Cooper
8 min read
Stratton Sclavos has seen this movie before. Just as a new technology begins to see the light, the computer industry gets roiled by a divisive battle over standards and specifications.

Such was the case with Unix. A few years later came the operating system war between Microsoft Windows and IBM's OS/2. Now history looks like repeating itself with Web services technology--but Sclavos, the CEO of VeriSign, believes that may not be such a bad thing after all.

"I'd much rather there were wars with all of those 'Our specs are better than yours, our features are better than yours,' because there will be so much innovation brought to bear," says Sclavos, whose Internet security services firm is best known for registering domain names.

What's more, he said, any platform war over Web services will look much different from previous industry food fights because most of the difficult conceptual issues have already been agreed upon. Now he says it's a question of fine-tuning iterative improvements.

CNET News.com recently caught up with Sclavos to talk about his expectations for Web services in 2003 as well as the general state of Internet security.

Q: How safe is the Internet against major attacks?
A: As it relates to every other network, it's a pretty damned resilient network--but it's not impenetrable. The two servers we run around the roots of the Internet were (running at) about 70 percent capacity during the denial of service attacks a few weeks ago. That's not too bad. I think five or six of them completely crashed. So you do have some things that are not yet optimized around this stuff.

The bigger concern is whether the open Internet allows someone into a network that is less resilient--into a power grid, for example, or into a water treatment plant. Because the Internet now has an open connection, and somehow you can figure out a way to get into that other network that was thought to be secure before. That's where the greater risk is. It' s not the Internet itself, but to what the Internet now allows access.

You've had time to digest the government's cybersecurity plan, and VeriSign was consulted during the planning. How well do you think Uncle Sam did in meeting the concerns of the parties concerned and still getting something in place that had teeth?
This was a no-win proposition for them. It was either going to come out too soft or too hard. We were involved, all along the way, in the discussions on our input and how our infrastructure works and the rest.

The bigger concern is whether the open Internet allows someone into a network that is less resilient--to a power grid, for example, or to a water treatment plant.
I do think what they came out with was absolutely as good as it could be expected in round one. They've gotten comments in the last few weeks and will be revving it. But I think it is right to have a set of guidelines and best practices, and then it's right to see government lead with its own implementation.

What will change in the next tweak and beyond?
A greater focus on education, because that's what this is all about. Nobody dismisses the fact that we need greater security, but it's (about) how do I--as consumer, business, ISP (Internet service provider)--do what's right? And how do I deploy this stuff without impacting my user experience?

Was the final plan watered down because of outside pressures?
Of course it was. It's funny now. I recently met with some folks from the White House about this, and they say the comments they received back are along the lines of, 'You should have been tougher out the door.' Well, the comments they received the week before were like, 'You can't mandate or stipulate anything.' So it's one of these things where it will be an iterative process and will get better and better.

More important than what the document says, is what the government does. Do they themselves start to deploy and use the same kinds of security technologies they talk about being important in that report? They're talking about raising their budgets from $2.7 billion to $4.5 billion around security; if they spend that money and create those services using this stuff, then others will follow.

In other words, the question boils down to whether they will eat their dog food?
In our own business, we've gone from one sales (representative) to probably a team of about 10 covering the federal and public sector in the last year. There's been a dramatic amount of activity. The budget's huge, and the focus on security is much more heightened than it has ever been. So I think the prospects are that they are going to do it. It will take a while, but there seems to be a renewed focus, and it looks like it's gaining traction.

Let's turn to Web services, a subject which is getting a lot of ink and one where VeriSign has been active. You've said that you don't view a platform war in Web services as being particularly bad. Why not?
Anytime there is an area of technology that attracts attention so that the biggest players are trying to stake out a position so early, it generally means that we're about to see a lot of time, a lot of mind-share and a lot of money spent to develop out the supporting infrastructure.

But it also suggests that more fragmentation is on the horizon, doesn't it?
Well, it certainly could, but go back and look at the Windows versus OS/2 period. OK, Windows won. But the fact that there were two of them at that time--and also at the same time Macintosh and Open Doc initiatives and compound documents--it created kind of a self-fulfilling momentum around getting new things done.

I'd much rather there were wars with all of those 'Our specs are better than yours, our features are better than yours,' because there will be so much innovation brought to bear. And the best will win over any initiative that may be very innovative, but that none of them care about (so) we end up wasting a lot of time.

I'd much rather there were wars with all of those 'Our specs are better than yours, our features are better than yours,' because there will be so much innovation brought to bear.
Then is there anything different about the platform wars, past and present?
This is the other differentiation from prior platform wars. We do have generally agreement on standards. We have SOAP (Simple Object Access Protocol) being used, and we have the security standards pretty well-baked. So now it's a question of who can build the better integrated platform, with the better toolset--to expose that for developers, as opposed to who's got the coolest way to do an XML (Extensible Markup Language) message or who's got the coolest way to do security. I think that will tend to balance out all the 'specsmanship' that would have been played in prior initiatives. This time we may get it to be a little more balanced, because they don't feel they can go back and stop the train.

In this new world order, VeriSign functions as Switzerland. So which of the players do you think has the best approach to Web services?
Let's not ask the best approach. Let's ask which ones have the flywheel turning on all the pieces that are going to be needed to be there--the developer tools, the platform itself, the standards compliance and the marketing messages.

I've got to tell you that I'm very impressed with what Microsoft is doing around the .Net initiative. There's been lots of noise and negative buzz about Passport and Hailstorm early on, but the underlying framework of .Net is a very solid platform. And they are obviously doing a lot of development work to build that in.

I am also impressed with what IBM has done. Rather than be the integrator of many other folks' technologies, as they were in the early 1990s, they have become really a thought-leader in Web services.

Which makes the better argument: WebSphere or .Net?
Again, as Switzerland, I would tell you the differences in the arguments are more over 'market-ecture' rather than over technology differences. So I think it will be who has the sales forces to make this stuff fly with both developers and customers.

Do you think security regarding Web services is becoming less of an issue for chief technology officers?
No, it's more important than it's ever been to these CTOs, because they are exposing so much more of their businesses.

If you were handing out grades, where does the industry need to improve in order to receive an A on Web services?
We had a situation where you had features masquerading as products, and products masquerading as companies. A lot of that fervor is gone, and the economic downturn accelerated, so that we're kind of now at a point where budgets will start to be spent again. They will be spent first on reinventing what people have in a Web services environment to help them get more efficiency and more reach. And then you'll see new projects come online.

To get to us to an A is just a matter of a lot of hard work at the standards level, to get tools shipping and platforms being upgraded--this stuff takes time on the platform side.

But do you think CTOs are going to dig into their pockets to spend in a big way any time soon? The standard refrain seems to be that if a product is not going to immediately leverage their existing investments, then don't call.
Yes, they're only spending when necessary. And that's healthy. Security is one of the top three things they're talking about spending on, so they can expose those interfaces out to the network. I think discretionary builds on any new projects--you're not going to see much of that until 2005.

It used to be, "How are we going to reach new customers and generate more revenue?" I think we've got another two years of the "I can rip more cost out." They'll spend where there's zero time to cost recovery.

What are the top priority items that need to get squared away before Web services becomes ready for prime time?
If we don't come back by the end of next year and say we did what we said we'd do, then I think we will have missed a huge opportunity.

Are you satisfied with the way the standards bodies are dealing with Web services?
Yeah. This is the cool thing to be talking about in the standards bodies. You have Oasis, the W3C (World Wide Web Consortium), and the IETF (Internet Engineering Task Force) in some ways debating who should be the driver rather than saying they don't want to deal with it. So, I think Web services is getting plenty of love.