I. Meeting Highlights
The Web Services Interoperability (WS-I) organization* held its spring 2005 community meeting March 8-11 in Vancouver, British Columbia. WS-I is the lowest common denominator organization for Web services. It attempts to ensure interoperability of Web services standards (developed by W3C and OASIS) by creating profiles based on those standards. A representative of the Burton Group stated that over 70 percent of its Fortune 300 clients recognize the value of WS-I deliverables and are including them in their IT requirements. These companies include Citibank, Merrill Lynch, Hartford Insurance, Kaiser Permanante, Verizon, Bell South and Eli Lilly.
*Download this author's report of the Nov 04 WS-I meeting: news.tgc.com/msgget.jsp?mid=298726&xsl=story.xsl.
Here are a few highlights of this important WS-I meeting:
- Board of Directors (BoD) is pursuing ISO/IEC JTC1 “Fast Track” submission of WS-I Basic Profile (BP) 1.1 and Basic Security Profile (BSP) documents. This would convey “de jure” standards status on the WS-I Board approved output documents, which is required in some foreign countries.
- BoD is considering ways to make WS-I more visible to developers, architects, systems integrators and end users of Web services. These include: use case studies; more sample apps (e.g., attachments); tech notes and best practices guidelines; best practices for specific WS standards (which ones?); interop workshops (who will define the test scripts?); and new profiles (TBD).
- BP 1.1 will be translated into Japanese (the translated BP 1.0 has been very popular in Japan). Note that BP 1.1 obsoletes BP 1.0.
- W3C is considering a new work item to develop an XML schema profile. This is because many industry participants complain that either schema is not specified correctly, or the schema development tools do not work correctly (two sets of tools may not produce interoperable code for the same Web service). WS-I is keenly interest in this activity and a draft charter of a new XML Schema WG has been generated for BoD review. However, that review is on hold for three months, pending W3C decision on pursuing this activity.
- Basic Security Profile (BSP) WG (see II. below) completed work on Security Challenges, Threats and Countermeasures document which was approved by BoD at this meeting. The WG also progressed the three documents that collectively comprise the BSP. They are waiting for the OASIS WS-Security TC to complete work on Kerberos Token standard before they begin related Kerberos profiling work.
- Requirements WG finalized a Usage Pattern Template, submitted by Fujitsu Software, for description of WS usage patterns. Previous templates completed: Business Scenarios, Use Cases and Interoperability Field Report. IBM submitted a new use case on message routing and addressing, by illustrating the steps in processing of an invoice using Web services. This application is quite common in enterprise IT that a Usage Pattern will be distilled from this use case.
- This author completed review of two previously submitted BT contributions — Callback Addressing and Security Policy — to the Requirements Catalog. There appear to be three potential WS-I work areas that arise from these two BT submissions. It remains to be seen what action WS-I will take regarding these:
- To profile and specify detailed requirements for WS-Addressing (as it progresses through W3C) for the Callback Addressing scenario.
- To identify all the security mechanisms and policy attributes in the three security profiles being developed by the BSP WG for the Publishing Security Policy scenario. Those could then be expressed as an add-on to WSDL 1.1 or conveyed via WS Meta Data Exchanges (not yet submitted to a standards body).
- Consider profiling of WS-Policy and WS-Meta Data Exchange for the Publishing Security Policy scenario. However, neither specification has been submitted to a standards body, which creates a dilemma for the WS-I BoD.
II. Deliverables from the WS-I Basic Security Profile (BSP) Working Group
Deliverables from the WS-I Basic Security Profile (BSP) Working Group currently include four documents, which can be downloaded free from www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity.
While all four documents were progressed at this meeting, only the first (listed below) was approved by the WS-I BoD. The next three documents form what is often called the Basic Security Profile, based on the OASIS WS-Security standard. In addition to those, there is a Kerberos Token document that is still being worked by the OASIS WS-Security TC. That document will be profiled by the WS-I BSP WG once it has been approved by OASIS.
- Security Challenges, Threats and Countermeasures: This WS-I Board approved draft document describes Web services security challenges, threats and countermeasures. It is used to define the requirements for and scope of the Basic Security Profile.
- Basic Security Profile: This WG draft of the Basic Security Profile provides guidance on the use of WS-Security and the User Name and X.509 security token formats. Specifically, this document includes specification of the WS-Security message protection mechanism, SSL Transport Level Security (not included in the OASIS WS-Security standard), attachment profile, user name and X.509 token profile.
- REL Token Profile: This WG draft is the interoperability profile for the Rights Expression Language (REL) security token that is used with WS-Security.
- SAML Token Profile: This WG draft is the interoperability profile for the SAML security token that is used with WS-Security.
III. WS-I Showcase: How End Users are Leveraging WS-I Deliverables
- A representative of HP's IT department stated that they had 25 “eProfile” Web services based applications in development that were not working with one another. That is, until they demanded compliance with the WS-I BP. The purpose of these applications was to evolve a user profile from a set of information collected from or about HP's on-line customers. The profile would be used to provide superior on-line user experience and enhancements of applications. HP used WSDL faults to communicate all error messages, as specified in WS-I BP. They found it was a lot easier and quicker to integrate applications using WS-I Test Tools. Indeed, testing decreased for new apps, because trouble shooting was easier.
- Webify is a company that provides software solutions for the health care and insurance industries. They were able to help Fireman's Fund Insurance Company reduce cost and improve productivity with a Web services-based billing and insurance policy application for insurance agents. This extended the life of their legacy systems, which are accessed by the insurance agents. The WS-I BP was used to greatly simplify agent to insurer business transactions. Modular software components were developed and then bonded together, based on BP 1.0 compliant WS interfaces.
- L7 Technologies focuses on secure processing of WS messages and addresses policy issues. They take the unique view that interoperability has as much relevance to a one vendor solution as to a heterogeneous mix of vendors. L7 asserts that a single vendor needs to avoid proprietary solutions and instead needs to converge on widely accepted standards and profiles. They take the somewhat unconventional approach that OASIS WS-Security standard is top heavy and not needed — it requires a lot of processing power and their users may suffice by using ONLY SSL Transport Level Security to fulfill their WS Security needs. Presumably, they are using SSL as specified in the core BSP draft document, in which they are listed as a co-editor.
The next WS-I Community Meeting will be held June 14-17 in Amsterdam, The Netherlands.
About Alan J. Weissberger
As the founder and Technical Director of Data Communications Technology (DCT), a technical consulting firm started in March 1983, Alan J. Weissberger specializes in telecommunications standards and their implementation. His clients have included network providers (AT&T, NTT, Pacific Bell, US West, Entel and CTC in Chile, Telkom South Africa, Moroccan PTT, others), equipment and semiconductor manufacturers, and large end users. In 1995 and 1996 Alan was the principal architect for the European Commission's multi-service, multi-country ATM network — the largest private network in Europe (that network has now evolved into Gig Ethernet over CWDM). In 2000-01, he was Ciena's lead ITU-T delegate, contributing to the standardization of the optical control plane in SG13 and SG15. Alan now represents NEC Corp in several OASIS TCs dealing with Web Services, while also attending the Global Grid Forum and the Optical Internetworking Forum (OIF).