The Importance Of Standards

 

If you doubted the importance of standards, let us tell you about all the standards activities occurring all around us, affecting what’s likely to happen next, and how much attention they’re getting.

There are three different (but related, we think) items we’d like to report on here.

  1. The announcement by IBM and Microsoft of proposed standards for Web Services Security.

  2. A Status Report from WS-I, the Web Services Interoperability Initiative.

  3. A tempest in a teapot, created by a misunderstanding over the status of some IP (intellectual property) submitted by IBM to OASIS as part of the ebXML standard.

All three of these have certain things in common. They’re all related to Web Services. They all involve IBM (and IBM’s Web Services spokesperson, Dr. Robert Sutor) and, conversely, none of them involve Sun. They’re all important because they point to our growing concern that if we’re going to get to the benefits of Web Services, we have to agree on a set of standards to guarantee the necessary level of interoperability.

Web Services Security

IBM and Microsoft, the same partnership that brought you the WS-I, are now partnering with Verisign to get a Web Services Security standard, WS-Security, started.

They are proposing Web Services security standards and a road map that addresses same-domain and cross-domain secure messaging, together with a strategy for addressing security issues and risks within a Web Services environment.

It includes:

A spec for WS-Security and several planned composable specifications, together with example scenarios.  These proposed specs are built upon existing foundation technologies such as SOAP, WSDL, XML Digital Signatures, XML Encryption and SSL/TLS. 

A definition for a comprehensive Web Services security model that supports, integrates, and unifies several popular security models, mechanisms, and technologies (public and private key).

A description of how systems can interoperate in a platform- and language-neutral manner, together with descriptions of specifications and scenarios to help with the creation of the specifications.

To make the issues and solutions in the roadmap as concrete as possible, a number of scenarios or sample applications will be included for issues such as Access, Issuing and Accepting Security Tokens, Enforcing Business Policies, Privacy, Managing Clients of various types, supporting Federation, Validation, Delegation, and Auditing.

WS-Security works with multiple security approaches including PKI, Kerberos, SAML, XrML, Basic/Digest, and SSL. It is based upon the enhancement of SOAP messaging and is built on Web Services open standards as well as existing security standards such as SSL/TLS, IPSEC, W3C XML Digital Signatures, and W3C Encryption.

The Standard is designed to be built as a series of components, which developers and users can choose to select, depending on their particular needs.  These components will sit on top of the basic WS-Security specification and will include:

WS-Policy - will define how to express capabilities and constraints of security policies

WS-Trust - will describe the model for establishing both direct and brokered trust relationships (including third parties and intermediaries)

WS-Privacy - will be a model for how users state privacy preferences, and for how Web Services state and implement privacy practices

WS-Secure Conversation - will describe how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys 

WS-Federation - will describe how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities

WS-Authorization - will define how Web services manage authorization data and policies

Interoperability is, of course, key.  IBM and Microsoft plan to work closely with standards organizations, developer communities, web services technology providers, customers, and existing interoperability groups such as WS-I to develop interoperability profiles and tests to provide guidance.

The goal of WS-Security is to jumpstart the standardization program for Web services security in the same way that SOAP jumpstarted Web services itself.  The idea is to follow the same composable model as that used for Web Services standards and to enable interoperable solutions that will support heterogeneous solutions and existing systems. 

It is hoped that this will get an industry discussion going and get a WS-Security standard “baked” to the point where, like SOAP, it could become a W3C submission, with broad industry participation and backing.

WS-Security was officially announced on April 11. Some product implementations in the form of vendor SDKs or tool kits are expected soon, perhaps in the summer or fall of 2002. IBM, for example, has updated the Web Services toolkit to include WS-Security. Information is available at www.alphaworks.ibm.com/tech/webservicestoolkit .

A copy of the specification itself is posted at www-106.ibm.com/developerworks/security/library/ws-secure/. 

A Status Report On WS-I

Meanwhile, the Web Services Interoperability Organization has announced the formation of three key working groups. This will permit WS-I to begin pursuing its goals: to help developers and users determine how best to implement Web Services against existing and evolving standards so as to ensure interoperability across platforms, applications, and programming languages.

The initial three Working Groups include:

The Basic Web Services Profile Working Group will identify a core set of specifications (including XML Schema, SOAP, WSDL and UDDI) that provide the foundation for Web services, and will establish conventions and recommendations for coordinating their use.  

The Sample Applications Working Group will provide sample applications of basic Web services to accelerate deployments.  These sample applications illustrate best practices for implementation and will be developed in multiple programming languages using multiple development tools. Sample applications serve as working examples for companies planning to implement Web services.

 

The Test Materials And Tools Development Working Group will develop a suite of self-administered tests to verify conformance with the Basic Web Services Profile.  These tools and materials can be used to ensure that Web services interoperate across platforms, applications and programming languages.

WS-I hopes that the first set of Working Group deliverables will be available in the Fall of 2002.

As we noted in a previous issue, more than 500 organizations have asked WS-I for membership information. As of this week, more than 100 companies have joined, including ISVs of every size and type, systems companies, systems integrators, and user organizations.

Information about WS-I and membership is available at (http://www.ws-i.org). 

A Tempest In A Teapot Over ebXML, IBM, And Royalties

Under the OASIS submission process, IBM was required to identify any of its submitted IP that was patented or expected to be patented.  Some of the IP which IBM submitted for ebXML falls into this category and therein lies a tale.

ZDNet has been running a series of articles suggesting that IBM and Microsoft have been plotting to “set up a tollbooth on the Internet” (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2861123,00.html). One of these stories (http://zdnet.com.com/2100-1106-884681.html) suggested that IBM might try to collect royalties on the patented code in its ebXML submission.

But it turns out this was simply a misunderstanding. IBM had followed the OASIS process, ZDNet had asked IBM to comment, and an IBM spokesperson, filling in for the absent Dr. Sutor, offered a comment which failed to say a firm “No.” We tracked down the vacationing Dr. Sutor, who assured us that it was never IBM’s intention to charge a royalty on this IP and who must have followed up his conversation with us with some further work, because we’ve seen postings on the OASIS site at http://lists.ebxml.org/archives/ebxml/200204/msg00004.ht explaining the situation, and ZDNet has posted a further explanation, too.

In the process, we got a chance to practice evolving disclosure on our weblog at http://amywohl.weblogger.com (and to receive a little flame mail, but that’s part of life on the web).   

We also got a chance to try a new web product which we’d like to bring to your attention. Google has published access to the www.google.com search engine as a Web Service.  Cape Clear has, using Web Services, created GoogleMail.  We mailed our search terms, “IBM ebXML” in the subject line of a message to google@capeclear.com.  Google automatically sends back the top ten results via e-mail.  We can report it worked just fine, providing links to all the articles as they were posted.

  



Comments or Questions: Send Email to opinions@wohl.com


Entire contents © 2001  by Amy D. Wohl. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.