Want CNET to notify you of price drops and the latest stories?

Web services security spec locked down

XML standards body OASIS ratifies WS-Security as a standard, considered a milestone in making Web services a viable alternative to proprietary security systems.

Martin LaMonica Former Staff writer, CNET News
Martin LaMonica is a senior writer covering green tech and cutting-edge technologies. He joined CNET in 2002 to cover enterprise IT and Web development and was previously executive editor of IT publication InfoWorld.
Martin LaMonica
2 min read
A very anticipated Web services specification has been approved as an industry standard, paving the way for broader usage of Web services protocols in mainstream business applications.

The Web Services Security, or WS-Security, technical committee within the Organization for the Advancement of Structured Information Standards (OASIS) on Wednesday said several security-related technical specifications have been accepted by the group as standards. Now that the Web services security specifications are ratified, software and security companies can incorporate support for them into commercial products.

Web services protocols use XML to make it easier to share data between applications. The goal of the WS-Security specification is to improve interoperability between different security systems using these Extensible Markup Language-based protocols.

Get Up to Speed on...
Web services
Get the latest headlines and
company-specific news in our
expanded GUTS section.

IBM and Microsoft originally authored a Web services security "road map" about two years ago. Then, in June 2002, the specification was submitted to OASIS for further development. Other security-related specifications aimed at better system interoperability are also under way at the World Wide Web Consortium and the Liberty Alliance.

Once business applications use WS-Security, Web applications should be able to share information regarding network access. For example, a system should be able to authenticate the identity of a person connecting to several networks at once or pass data between two applications securely.

The ability to share security information such as access privileges between applications will help promote Web services usage, particularly between trading partners that use the Internet to share corporate data, analysts said. Without reliable and interoperable security systems, businesses will be wary of fully moving their corporate applications to Web services standards, according to analysts.

WS-Security is expected to be used in a wide variety of products, including XML firewall products, Web services management software and network access security products.

One company involved in the development of WS-Security said ratification of the standard will help clarify which security standards have the most industry support from vendors.

"Many Web services security standards have emerged, creating confusion in the market. By relying on well-established and proven industry standards such as WS-Security and SAML (Security Assertion Markup Language), companies can securely expose Web services," Marc Chanliau, a product manager at Netegrity, said in a statement.

Another standards organization, the Web Services Interoperability (WS-I) organization, plans to publish guidelines on how to implement security standards to ensure interoperability later this year. WS-Security will be one of the standards the WS-I will be incorporating into its security "profile," according to the WS-I.