Web services security spec moves toward approval

WS-Security, a widely supported proposal for securing Web services, could become an official OASIS standard by March.

OASIS in mid-February anticipates a full-membership vote on the WS-Security specification, which is intended to provide critical security for Web services. If approved during a 30-day voting period, WS-Security becomes an OASIS standard.

The OASIS Web Services Security Technical Committee earlier this month approved a set of documents pertaining to the specification, which is officially referred to as Web Services Security: SOAP Message Security 1.0. The specification, which was subjected to a public review as well, describes enhancements to SOAP messaging to provide for message integrity and confidentiality, according to OASIS.

Related documents also approved included Username Token Profile, for using WS-Security for user names and passwords, and X.509 Certificate Token Profile, for using WS-Security to sign and encrypt messages via X.509 digital certificates, said Kelvin Lawrence, co-chairman of the OASIS committee and an IBM Distinguished Engineer. Also approved were documents pertaining to XML Schema and XML extensions pertinent to WS-Security.

"This is a major milestone, but it's not the final milestone," Lawrence said of the committee's actions.

Implementations already exist for WS-Security, Lawrence acknowledged. IBM uses WS-Security in its WebSphere platform and will update its implementation to conform to the final specification when approved, he said.

WS-Security was first published by IBM, Microsoft and VeriSign in April 2002.