Hi, Chris and Kelvin -

Can you shed any light on the confusion this article produced, at least
among our PR folks, over just what constitutes "WS-Security"? Do I
misunderstand the role of the WSS TC in OASIS, or have we published a new
collection of specifications for which I missed the discussion?

Is there some reason the rest of us, not evidently one of "a few
partners", should not be thoroughly pissed?

Thanks for your prompt response, and best wishes for the holidays...

Ed
=============================================
WS-Security specs make their debut
By Brian Fonseca and Ed Scannell
December 18, 2002 5:29 am PT

HOLDING TRUE TO its self-anointed mission to enable secure Web services
between applications, organizations, and end-users, IBM and Microsoft joined
a few partners on Tuesday to announce the publishing of the first in a set of
planned WS-Security specifications.

With assistance from VeriSign, BEA Systems, and RSA Security, the new
specifications focus specifically on business policy and security as the first
salvo in implementing WS-Security.

Announced in April, WS-Security serves as a documented model of Web services
capabilities for tackling potential roadblocks of the technology, including
reliable messaging, security transactions, discovery, and orchestration, noted
Scott Collison, director of Web services marketing, for Redmond, Wash.-based
Microsoft.

The specifications unveiled on Tuesday include WS-Policy, WS-Trust, and
WS-SecureConversation, also joined by WS-SecurityPolicy, WS-PolicyAttachments,
and WS-PolicyAssertions.

"We are getting broad consensus on these specifications, and it is our full
intention to implement these specifications so that our customers get what
they want in the areas of Web services," said Collison. "The other part is
doing some things around policies so that businesses implementing Web services
have more control over how they express policies to their partners and
customers who want to interact with them."

For policy concerns, WS-Security designers wanted to create a generic policy
framework in addition to the ability to express security policy. These
components comprise WS-Policy. The specification WS-Policy Attachments
describes how a policy is attached either to an instance of a Web service or
to the Web services as a whole. For example, a policy might only be available
to end-users with a certain credit rating or people who would use a particular
security token.

WS-Trust allows a Web service to communicate within an environment regardless
of the type of security server that exists in a common way, for instance
establishing communications between a Kerberos server and a PKI server.

Lastly, WS-SecureConversation enables users to set up a "secure context" and
eliminate re-authentication for each request or message made after gaining
initial access to a Web service.

Although he expressed surprise that WS-Security designers decided to delay
addressing any sort of privacy as part of the first specification roll-out,
Jason Bloomberg, senior analyst for Waltham, Mass.-based ZapThink, said
Tuesday's announcement is nonetheless important due to the continued
cooperation of major IT vendors to follow up promises of standardizing
WS-Security.

"Now customers get to review the specifications and give feedback and vendors
have to build tools, so IBM and Microsoft will be rolling out [WS-Security]
tools," said Bloomberg. "Once the standard moves along and [the] specification
becomes a standard, then you'll find multiple vendors using
WS-Security-compliant products. By no means do IBM and Microsoft have a lock
on this."
===============
Edwards E Reed, Security Tzar
Novell, Inc.
+1 585 624 2402 - Rochester
+1 617 914 8011 - Cambridge
+1 585 750 2960 - Cell