IBM, Microsoft and VeriSign Announce New Security Specification to Advance Web Services

WS-Security Specification Is the Cornerstone to Building Secure Web Services; Companies Will Jointly Submit Specification for Standardization

Select a topic or year

REDMOND, Wash., ARMONK, N.Y., & MOUNTAIN VIEW, Calif. - 11 Apr 2002: Microsoft Corp., IBM Corp. and VeriSign Inc. today announced the publication of a new Web services security specification to help organizations build secure, broadly interoperable Web services applications. The three companies jointly developed the new specification, known as WS-Security, and plan to submit it to a standards body.

WS-Security is the foundation for a broader road map and additional set of proposed Web services security capabilities outlined by IBM and Microsoft today to tackle the growing need for consistent support of more secure Web services. The proposed road map, titled "Security in a Web Services World" and authored by Microsoft and IBM, outlines additional Web services security specifications the companies plan to develop along with key customers, industry partners and standards organizations.

Introducing WS-Security
WS-Security supports, integrates and unifies several popular security models, mechanisms and technologies, allowing a variety of systems to interoperate in a platform- and language-neutral manner in a Web services context.

WS-Security defines a standard set of Simple Object Access Protocol (SOAP) extensions, or message headers, that can be used to implement integrity and confidentiality in Web services applications. SOAP is an XML-based industry protocol for accessing Web services in a platform- and language-independent manner. WS-Security provides standard mechanisms to exchange secure, signed messages in a Web services environment, and provides an important foundation layer that will help developers build more secure and broadly interoperable Web services.

"Companies know they can achieve dramatic gains in productivity and cost effectiveness by automating business processes through Web services, but two key challenges stand in the way: interoperability and trust," said Dr. Phillip Hallam-Baker, principal scientist with VeriSign and a co-author of the WS-Security specification. "The industry is making solid inroads on the interoperability front, and the new WS-Security spec is among a series of open security specifications paving the way for widespread adoption of trusted Web services."

Piecing Together Components for Secure Web Services
In addition to the WS-Security specification, IBM and Microsoft also announced they are publishing a Web services security road map, titled "Security in a Web Services World." The document describes an evolutionary approach to security and defines additional, related Web services security capabilities within the framework established by the WS-Security specification that the two companies plan to develop in close collaboration with platform vendors, application developers, network and infrastructure providers, and customers.

Organizations can incorporate these new specifications, as needed, into the different levels of their Web services applications. The other proposed specifications include these:

A modular approach to Web services security is necessary because of the variety of systems that make up today's IT environments. As the use of Web services increases among collaborating organizations using different security approaches, the proposed security and trust model provides a flexible framework in which organizations can interconnect in a trusted way.

This interoperable approach enables both the security technology and its business use to evolve. Accordingly, the road map describes how to support current and future security approaches. Organizations can choose the credential they wish to employ, and the process of adoption and deployment can be incremental.

"Providing the industry and our customers with a solid, open-standards based security model reinforces IBM's technology leadership and commitment to advancing secure Web services," said Arvind Krishna, vice president of security products, Tivoli Software, IBM. "Security is key to building and evolving the trusted infrastructures on which our customers run their businesses, and providing them with the necessary specifications to address end-to-end Web services security is crucial."

"Today's announcement of WS-Security is a major milestone on the road from today's situation, where Web services security is left as an exercise for the individual developer, to a world where we have broadly interoperable standards for Web services security," said Eric Rudder, senior vice president of the Developer and Platform Evangelism Group at Microsoft Corp. "WS-Security is another example of Microsoft's commitment and leadership in driving industry standards for Web services."

WS-Security is the foundation of the proposed Web services security architecture. Microsoft, IBM and VeriSign intend to submit the WS-Security specification to an appropriate standards body and anticipate subsequent implementations from multiple vendors. The combined Web services security model, specifications and standards process will enable businesses to confidently develop secure, interoperable Web services and to quickly and cost-effectively increase the security of existing Web services applications.

The WS-Security specification and the "Security in a Web Services World" road map are available on the following sites: IBM developerWorks (, Microsoft® MSDN® ( and VeriSign (

Related XML feeds
Topics XML feeds
Business partners
Business partner information including strategic alliances
Services and solutions
Information Management, Lotus, Tivoli, Rational, WebSphere, Open standards, open source