OASIS Members Form Committee to Advance Standards for Web Services Secure Exchange

Business Wire, Oct 26, 2005

BOSTON -- Members of the OASIS international standards consortium announced plans to define extensions to the WS-Security OASIS Standard that will enable the trusted exchange of multiple SOAP messages and will define security policies that govern the formats and tokens of those messages. The new OASIS Web Services Secure Exchange (WS-SX) Technical Committee brings together users and vendors in an open process to refine and finalize a set of specifications based on three initial contributions, WS-SecureConversation, WS-SecurityPolicy and WS-Trust. Other contributions and changes to these input documents will be accepted for consideration without prejudice or restriction and evaluated based on technical merit.

Actional, Adobe, Amberpoint, BMC Software, BEA Systems, Computer Associates, DataPower, Forum Systems, HP, IBM, Infravio, IONA, Microsoft, Nokia, Novell, Oracle, Reactivity, Ricoh, Sarvega, SAP, SOA Software, Sonic Software, Systinet, TIBCO, VeriSign, webMethods, and others refine WS-Conversation, WS-SecurityPolicy, and WS-Trust.

"In order to meet the growing demands of secure Web service messaging, we need facilities beyond what is provided in the WS-Security OASIS Standard," explained Kelvin Lawrence of IBM, proposed co-chair of the OASIS WS-SX Technical Committee. "WS-Security describes a base mechanism for securing SOAP messages. With WS-SX, we'll concentrate on trust brokering, multi-message exchanges, and policies that describe how to secure message exchanges with a Web service."

With input from the entire community, the OASIS WS-SX Technical Committee will advance a set of modular specifications that standardize the concepts, WSDL documents, and XML Schema renderings for trusted brokering of SOAP message exchanges, shared security contexts, and security policies. WS-SecurityPolicy defines a general set of security policies that can be associated with a Web service. WS-Trust provides a description for managing, establishing and assessing trust relationships between parties exchanging information. WS-SecureConversation serves as a building block to create a secure context for organizations to exchange multiple messages without constantly reauthenticating.

"The WS-Security OASIS Standard describes how to use security tokens to obtain message integrity, confidentiality, and authentication of the message sender, but in order to use these mechanisms, tokens must be obtained and trust brokered. Furthermore, a mechanism is needed to describe security exchange patterns," noted Chris Kaler of Microsoft, proposed co-chair of the OASIS WS-SX Technical Committee. "WS-Trust and WS-SecurityPolicy include additional primitives to enable the obtaining of tokens and brokering of trust relationships as well as expressing supported security exchange patterns as policy expressions associated with SOAP endpoints."

By advancing the specifications within OASIS, WS-SX developers are able to work in close proximity to related projects also underway at the consortium, including the OASIS Web Services Reliable Exchange (WS-RX), Web Services Transaction (WS-TX), and Web Services Security Committees. Participants in the OASIS WS-SX Committee intend for their work to be readily composable with these other specifications.

"The WS-Security OASIS Standard was designed to be a highly extensible method," observed James Bryce Clark, director of standards development at OASIS. "WS-SX will provide further extensions to enable functions such as policy expressions and long-running conversations. These will augment the X.509, username, SAML, and other token profiles already available for WS-Security."

The OASIS WS-SX Technical Committee will operate under Royalty Free on RAND Terms, as defined by the OASIS Intellectual Property Rights Policy. The Committee's first meeting will be held 7-8 December 2005, and participation remains open to all companies, non-profit groups, and individuals. As with all OASIS projects, archives of the Committee's work will be accessible to both members and non-members, and OASIS will host an open mail list for public comment.

Support for WS-SX

Actional

"Ensuring that Web services can be used for mission critical solutions in the enterprise is vital," said Dan Foody, CTO of Actional. "Many mission critical applications require transactional integrity, and with the advent of WS-TX, these applications can be designed and built to use Web services -- all while being interoperable across vendors."

Computer Associates

"CA is pleased to participate in the OASIS WS-SX Technical Committee. As one of the early contributors to the specifications that lead to the creation of this committee, CA recognizes the need for the standardization of trust between federated business partners and plans to implement those standards in CA's IAM products as they become available," said Bill Bartow, senior vice president of eTrust Identity and Access Management at CA.

Forum Systems

"The OASIS WS-SX Technical Committee represents a significant step forward in creating a composable Web services architecture," said Mamoon Yunus, CTO of Forum Systems. "WS-SecureConversation, WS-SecurityPolicy, and WS-Trust help establish the necessary security context for exchanging multiple messages, resolving security token incompatibility, and defining interoperable security policy expression. With WS-SX, security underpinnings necessary for enterprise-class SOAs are closer to realization."