[ISN] IBM, Microsoft Deliver New Security Specs

From: InfoSec News (isnat_private)
Date: Thu Dec 19 2002 - 00:57:25 PST

    By Darryl K. Taft
    December 18, 2002 

    Web services giants IBM and Microsoft Corp. Wednesday announced, along
    with BEA Systems Inc., RSA Security Inc., VeriSign Inc. and SAP AG, a
    new set of security and policy specifications based on the Web
    Services Security road map that Microsoft and IBM developed last April
    to help enterprises share information securely.

    The first set of specifications includes WS-Trust, which
    defines a framework for managing, setting up and assessing trust
    relationships to enable Web services to securely interoperate, a
    common way to access security services; WS-SecureConversation, which
    defines a framework to set up a secure context for parties that want
    to exchange multiple messages without having to continually
    re-authenticate; and WS-SecurityPolicy, which defines general security
    policies that can be associated with a service, said Karla Norsworthy,
    director of dynamic ebusiness technologies at IBM. IBM, Microsoft, RSA
    and VeriSign authored all three specifications.

    The specifications fall into two categories, the companies said: those
    that build on technical issues in the Microsoft/IBM road map (the
    first three), and another group of three specifications that focus on
    implementing business policies into Web services.

    Scott Collison, director of Web services management at Microsoft, said
    the new specifications are based on accepted standards in the areas of
    the Simple Object Access Protocol (SOAP), security, transactions and
    discovery to provide a framework for implementing business policy and
    security for a broad set of applications. "This is the next wave of
    our delivering specs in security," he said. "We're delivering some
    additional specifications that are part of our execution against an
    overall Web services vision to allow companies to have broadly
    interoperable Web services regardless of the platform their
    application sits on," he said.

    "These are initial versions of the specs, so customers still need to
    give their feedback," said Jason Bloomberg, an analyst with ZapThink
    LLC, based in Cambridge, Mass. "There are no tools that support these
    specs yet, so today's announcement is only one in a series of steps
    that lead to the release of the specs to a standards body."

    The second set of specifications includes WS-Policy, which outlines a
    way for Web services senders and receivers to communicate their
    requirements and capabilities, including the ability to search for and
    discover the information they need to access the service;  
    WS-PolicyAttachments, which provides a standard mechanism for
    attaching requirement and capability statements to a Web service; and
    WS-PolicyAssertions, which describes general policies that can be
    affiliated with a service. BEA, IBM, Microsoft and SAP authored these

    "Policy is important across a broad set of disciplines, including
    security but not exclusive to security," Norsworthy said. "A good
    example is I might want to express policy that tells what human
    language interface a Web service would need to expose to be
    appropriate for particular end user. Or I might want to express policy
    that tells what version of a standard like HIPAA [Health Insurance
    Portability and Accountability Act] that a Web service in the medical
    space needed to conform to in order for me to feel comfortable using

    "The specs are more the concern of people developing software, and we
    implement them in a way that's seamless," Collison said.

    Added Norsworthy: "The end goal is to make the time to implement this
    technology shorter."

    Overall, said Bloomberg, "These specs overlap some of the work that
    the Liberty Alliance has been doing, which raised a red flag for me.  
    SAP, VeriSign and RSA are members of Liberty as well, so you'd think
    the two efforts would be working closely together, but apparently not.  
    The WS-Security party line is that they hope Liberty will support
    these specs, and they're anxious to get feedback from Liberty. Whether
    their lack of early input from Liberty will create a political issue
    remains to be seen, but it is a risk."

    In a statement, Edward Cobb, vice president of architecture and
    standards at BEA, said: "BEA has long supported the goal of secure
    interoperability of Web services through the advancement of the
    WS-Policy standard. This specification promotes a common industry goal
    to help speed the adoption of Web services by delivering secure,
    reliable interoperability guidelines that span platforms, applications
    and programming languages."