As you may have read here last week, Cutter Consortium analyst Tom Welsh is not very impressed with the progress being made towards workable Web services. While much of the rest of the world nods in approval as successive Web services initiatives are announced, Welsh is one of the few saying, "Err, hang on a minute..."

The first thing Welsh points out is that there is, as yet, not one ratified Web services standard. Plenty of specifications have been submitted to various standards bodies, but even Soap - one of the most fundamental Web services protocols - is not yet a recommendation of the World Wide Web Consortium (W3C). So what we have instead are the usual de facto standards and fragile agreements between vendors. "The industry is engaged in a massive prototyping and feasibility study," he says. "It would be risky to put too much faith in it."

Welsh notes that Web services were initially conceived as suitable for low- or nil-value transactions, so supporting high-value online commerce will demand huge changes. "It's like taking a wheelbarrow and trying to upgrade it into an articulated lorry," he says. One problem is that Web services are built on Web protocols. HTTP traffic is good by virtue of its ubiquity, but it's untrustworthy stuff - it carries heaven knows what from who knows where. Welsh believes Web services traffic should be segregated from simple Internet traffic, so that it can be dealt with properly at the firewall. In other words, we should ditch the Web part of Web services if we want to use it to carry out online business in safety.

There are of course various efforts in progress to make Web services traffic more secure. The most notable is the WS-Security standard being worked on, under the auspices of standards body Oasis, by Microsoft, IBM, Sun, Commerce One, Entrust, Cisco, Iona and others. This effort may be successful in the long term, but Welsh cautions that it will not be easy to retrospectively add security on top of what, he argues, is a particularly unsound foundation.

In the medium term, it seems inevitable that many incautious buyers will fall for the oldest trick in the IT marketing canon. Just about every substantial software product has sprouted Web services support, and it seems likely that many companies will buy into a basically proprietary architecture, lulled into a false sense of openness by a Soapy sheen of standardisation. If the Web services bubble bursts, budgets will be sunk and it will be too late to change.

One of the most interesting points that Welsh makes is to compare and contrast Microsoft and IBM, the two oldest Web services allies and the joint proponents of UDDI, Soap and WSDL. "Microsoft is fantastic at selling to consumers and small businesses, but hopeless with corporates," he notes. "IBM is fantastic at selling to corporates but hopeless with the mass market." Put them together and what have you got?

What you have is the most powerful IT marketing machine known to man - and some great fodder for conspiracy theorists.

Have your say: contact IT Week

More IT Week Comments