Sun switches gears on security

Microsoft, IBM and VeriSign submit a security specification for Web services to an industry standards body, a move that has won the backing of an unlikely supporter: Sun.

4 min read
Microsoft, IBM and VeriSign have submitted a security specification for Web services to an industry standards body, a move that has won the backing of an unlikely supporter: Sun Microsystems.

WS-Security is a 2-month-old technology that encrypts information and ensures that data passed between companies remains confidential. Its three creators--Microsoft, IBM and VeriSign--said Thursday they have submitted the specification to a standards body called the Organization for the Advancement of Structured Information Standards (OASIS).

Sun had been devising its own rival Web services security specification, but the royalty-free licensing of WS-Security specifications allayed Sun's concerns, a source familiar with the negotiations said.

Sun will now focus all its development work on WS-Security and work with its rivals to improve the specification through the OASIS group, said Bill Smith, Sun's director of Liberty Alliance technology.

"They're taking WS-Security into a recognized, open industry organization, and Web infrastructure on a royalty-free basis is an important thing as well," Smith said. "You should expect Sun to actively participate in this forum. We will bring whatever we have that can help fill out WS-Security. This is where (the security work) is being done."

Sun's support of WS-Security alleviates concerns about a possible standards war over Web services security. Proponents of Web services have feared that industry squabbling could derail the much-hyped movement. Every software maker has touted Web services as the future of software because such services allow companies to interact and conduct business via the Internet. But Web services won't work unless the entire tech industry coalesces around a single set of standards.

Analysts have said lack of security is the biggest obstacle to the adoption of Web services--and that WS-Security took a big step in addressing the issue. Besides WS-Security, IBM, Microsoft and VeriSign plan to build five more security specifications in the next year and a half to provide additional security measures that businesses may need for Web services.

Although Smith declined comment on it, sources said Sun had been quietly working on its own security specification that was royalty free. Over the past several months, Sun executives had expressed concern that IBM and Microsoft might charge "tolls" to developers--in the form of royalties on patents--for using two existing Web services specifications: the Simple Object Access Protocol (SOAP) and Web Services Description Language (WSDL). Neither Microsoft nor IBM has formally stated a desire to charge royalties on the standards, which are in part based on patents held by them.

Despite the accord on security specs, continued political battling among Sun and IBM and Microsoft could still sidetrack an industry consortium's efforts to promote Web services. Such efforts focus on ensuring that software from many technology makers is compatible.

The organization, called the Web Services Interoperability (WS-I) Organization, is working on a proposal to pave the way for Sun to join on equal footing with WS-I founding board members Microsoft and IBM. The group is considering a proposal that would allow Sun to be elected as a founding board member. But to be considered for a founding board member spot, Sun has to first join the organization, which now has more than 100 companies supporting its efforts, WS-I organizers say. Sun has thus far refused to join unless it's offered a position as founding board member.

And there is still some duplication of efforts between rival camps. Sun on Wednesday released a Web services specification that mimics previous ones created by Microsoft and IBM. Sun released the Web Services Choreography Interface (WSCI), which describes how multiple Web services can work together within and between businesses. Microsoft and IBM have previously built competing languages called Xlang and Web Services Flow Language (WSFL), respectively.

Nevertheless, Smith said Sun's support of WS-Security could mean an era of goodwill between the rival companies.

"I'm hoping it's a harbinger of good things to come," Smith said. "We've made no secret of our views on the need to do things on an open and royalty-free basis. We will continue to advocate that and are very happy to be able to work cooperatively with these other folks. I'm hopeful we can do more. Time will tell."

Executives from Microsoft and IBM said they welcomed Sun's involvement.

"This is a definitive statement of our progress to solve the core challenges in Web services, and one of the core challenges is fragmentation," said Steven VanRoekel, Microsoft's director of Web services technical marketing. "This sends a message that the industry players want to join together to solve XML and collaboration problems and stop the perceived notions of fragmentation."

Karla Norsworthy, IBM's director of dynamic e-business technologies, agreed. "This is a significant step to have Sun and all the partners join us," she said. "We have been hearing from our customers that security and interoperability are the two things they need to see for Web services."

As for WS-Security, other companies such as Baltimore Technologies, BEA Systems, Cisco Systems, Documentum, Entrust, Intel, IONA, Netegrity, Novell, Oblix, OpenNetwork, RSA Security, SAP, and Systinet say they will also support the security specification and will work within the OASIS group to further improve the technology.

In the coming weeks, VeriSign will donate an open-source version of WS-Security to SourceForge.net, a Web site for developers, a VeriSign representative said. Open source allows anyone to modify and distribute software.

OASIS, which has strong ties with businesses in different industries, has developed many e-business standards, including Security Assertion Markup Language (SAML), a security and authentication specification that could complement WS-Security. OASIS and a United Nations organization last year co-developed Electronic Business XML, or ebXML, which allows companies in many industries to communicate over the Web.

VanRoekel said Microsoft, IBM and VeriSign have not yet determined where they will submit the remaining five security specifications they have in the works. Microsoft and IBM previously submitted SOAP and WSDL to the World Wide Web Consortium (W3C).

News.com's Stephen Shankland contributed to this report.