Web services security spec underway

A long-awaited web services security specification is to be submitted to the Organisation for the Advancement of Structured Information Standards (Oasis) authority.

The WS-Security proposal defines a set of simple object access protocol (Soap) message header extensions that implement integrity and confidentiality.

The draft was developed by leading web services proponents IBM and Microsoft, along with security company Verisign. Moving it to Oasis is the first step in what may be a long evolution leading to its final release.

A solid standards framework is considered key to web services moving beyond internal and trusted third-party use. But there are different security needs dependent on the service being offered, how it will be consumed, and even the equipment being used.

The challenge is how to integrate and unify multiple security models and technologies without making the process too complicated.

"There's a tightrope that web services proponents have to walk," said Gary Barnett, principal consultant at analyst Ovum. "One of its principal virtues is that it is simple to use. They could end up making it so complex that they scare people off."

Many companies already plan to participate in the Oasis development work. These include: Intel, Novell, Cisco, Sun Microsystems, BEA, Baltimore, Entrust, RSA Security, Netegrity, SAP, Documentum, Iona and Oblix.

Input from such a high number of companies could lead to a long gestation period although, in the long term, this is likely to benefit the industry.

"The challenge for the web services guys is that the industry has never properly advanced internet security. But it could be that they will coalesce around the new security model," said Barnett.

Evidence of the high adoption of web services despite the lack of security standards came from last month's Borland Conference.

In a survey of 1,000 attendees from companies of all sizes in a range of industries, about 80 per cent were either using or planning to use web services very soon. Only 19 per cent said that security is a major barrier to their using web services.