News: IBM and Microsoft Announce Web Service Security Strategy

  1. IBM and MS have released a joint white paper that describes a proposed architecture and security model for addressing security within a Web service environment. It seems that SAML was missing from the proposal. Interestingly, an article was also published last week on ZDNET outlining how IBM and MS own intellectual property rights on many key WS standards - WSDL included.

    Security in a Web Services World: A Proposed Architecture and Roadmap.

    Read IBM, Microsoft plot NET takeover

    My question is this. TSS has had a number of articles showing SAML as a key standard for securing web services. Is the above WS-Security SAML? Doesn't look like it to me. Another curious thing. IBM did this with MS. Isn't IBM on the SAML Oasis committee?

  2. I smell a game of politics that is going on here between MS and IBM.
  3. The WS Security specification that was co-authored by Microsoft, IBM and VeriSign does not seem to preclude the use of SAML for authentication or authorization of Web Services clients.

    The spec instead seems to focus on the securing of the exchange of SOAP messages between Web Services endpoints, and attempts to define a standard way to integrate existing security mechanisms (X.509 certificates, Kerberos tickets) into the equation.

    I view WS Security as a tying together of existing specifications (XML Digital Signature, XML Encryption, XML Key Management, etc.) to specifically address the security issues involved with the consumption of Web Services over the Internet.

