News

Microsoft Releases Web Services Security Spec

IBM and VeriSign to join Microsoft in developing specifications.

• By Keith Ward
• April 11, 2002

The partnership is a "roadmap for six specifications that talk about security from end to end," Microsoft vice president for .NET Enterprise Servers Paul Flessner announced at Thursday's TechEd keynote presentation.

The new specification, which the companies are calling WS-Security, "provides standard mechanisms to exchange secure, signed messages in a Web services environment, and provides an important foundation layer that will help developers build more secure and broadly interoperable Web services," according to a Microsoft press release. Currently, there are no agreed-upon rules for Web services security, and many of the industry's heavy hitters, including IBM, Hewlett-Packard, Oracle, Sun and Microsoft are developing and implementing Web services frameworks.

At the heart of the model is an effort to bring together disparate security technologies like Public Key Infrastructure (PKI) and Kerberos for protecting the integrity and confidentiality of messages, "as well as mechanisms for associating security-related claims with the message," according to a joint Microsoft-IBM white paper on the subject, available at http://msdn.microsoft.com/ws-security/.

Another key to WS-Security is its interoperability. It utilizes common Web services standards like XML and SOAP, allowing companies to configure their environments for the appropriate level of security across any platform.

The other proposed specifications include a modular approach to security, broken down into two general categories: the first three—WS-Policy, WS-Trust and WS-Privacy—relate to setting up a secure session and establishing privacy guidelines, while the second group—WS-Secure Conversation, WS-Federation and WS-Authorization—deals with message security, interoperability between different systems and authorization policies.

Web services is key to Microsoft's .NET strategy of connecting disparate systems for data exchange, and ensuring privacy and security is key to the success of .NET. Microsoft recently suffered a blow when the My Services initiative, formerly known as Hailstorm, was killed, partially due to concerns about Microsoft's ability to keep safe and secure data for millions of users in one repository. With .NET being a much bigger, broader and more important program, collaborating with companies like IBM and especially VeriSign, which provides digital certificates verifying the authenticity of information for much of the Internet, Microsoft is attempting to allay fears about how seriously it takes security.

WS-Security has yet to be submitted to a standards body.