IBM, Microsoft and Liberty: together at last
In Software We Trust
A Sun Microsystems Inc-backed initiative on secure network identity has taken its first steps towards supporting a specification from Microsoft Corp and IBM,Gavin Clarke writes
The Liberty Alliance Project this month had a presentation from VeriSign Inc, a co-author of WS-Security with Microsoft and IBM, with a view to including the XML-based specification in its own planned specifications.
The move signals an further easing of tensions between Palo Alto, California-based Sun and the industry-backed Liberty, and IBM and Microsoft, both absent from Liberty and pursuing separate security policies.
Liberty's interest comes after Sun agreed to endorse WS-Security's submission to the Organization for Advancement of Structured Information Standards (OASIS) last week.
That decision followed months of hostility between the vendors. Sun was apparently excluded from the formation of the Web Services Interoperability (WS-I) organization, which was backed by IBM and Microsoft.
Sun formed Liberty as Redmond, Washington-based Microsoft announced plans for a federated Passport. Prior to VeriSign's Liberty presentation this month, talks had taken place between Microsoft and Liberty members who were concerned both camps would develop specifications minus interoperability.
Bob Sutor, IBM's director of e-business standards, told ComputerWire he hoped Liberty would adopt WS-Security in its own specifications. A first set of Liberty specifications for a federated network single sign-on are due next month.
"We strongly hope Liberty will adopt WS-Security. The hope is that in time, the threads will come together to get a single standard," Sutor said.
A Liberty spokesperson said while members had received a presentation, an "official" analysis by a technical committee has not yet begun. "The Alliance will look at any open standards based technology for applicability within future versions of the Liberty Alliance specifications," the spokesperson said.
Sutor said last week's submission of WS-Security to OASIS could ensure other industry initiatives, such as Security Assertion Markup Language (SAML), also adopt elements of the specification. This would ensure SAML's XML-based security assertions work with WS-Security.
WS-Security provides a framework for different security assertions and certificates, such as SAML, Kerberos, 501 certificates and PKI. SAML has been developed at Oasis by 12 vendors including Baltimore Technologies Plc, RSA Security Inc and Novell Inc. Authors have developed a version that works with Simple Object Access Protocol (SOAP) and are already adapting this to work with WS-Security. The first public demonstration of SAML 1.0 is expected at the Catalyst Conference in San Francisco, California, on July 15.
Eve Maler, co-ordinating editor of the SAML specification, supported inclusion of WS-Security. "WS-Security has the potential for raising the security of web services security while SAML provides the guts. SAML is just one of the things WS-Security could wrap around it," Maler said.
One advantage of submitting WS-Security to Oasis will be the ability to flesh-out the basic specification. Sutor believes the existing specification is currently too generic in the way it integrates with assertions.
WS-Security is the first in a number of WS- specifications covering policy and trust, among other areas, proposed by IBM and Microsoft. No date is yet set for their submission to an independent standards body, although Sutor said policy level specifications would likely be next with specifications for federation following.