WS-I Profile Eases Web Services Security

Yet another standard may seem like the last thing the Web services world needs. However, the WS-I Basic Security Profile isn't a complete specification: It's a set of best practices for interoperability among Web services that use the many existing security standards from OASIS, the IETF and the W3C. The WS-I is essentially trying to do for Web services what the Wi-Fi Alliance did for wireless networks, helping the industry agree on which parts of the other standards to use in a real-world implementation. With major vendors already demonstrating the BSP, it is clearly going to be adopted. However, vendors can still extend it in proprietary ways, and some interoperability work is the responsibility of users. A security policy is necessarily outside the scope of a standard, so at several places the Profile refers to out-of-band agreements. These cover issues such as who to trust and whether to embed encrypted data within XML documents using WS-Security or just encrypt a complete session over TLS. Andy Dornan NWC Technology Editor

This week the Web Services Interoperability Organization (WS-I) published a set of guidelines outlining how developers can enable Web services interoperate with each other in a secure fashion.

The WS-1 Basic Security Profile (BSP) 1.0 was ratified after five vendor members--IBM, Microsoft, Novell, Oracle, and SAP--demonstrated interoperability.