By Alan J. Weissberger, Contributing Editor
I. Meeting Highlights
The Web Services Interoperability (WS-I) organization* held its spring
2005 community meeting March 8-11 in Vancouver, British Columbia. WS-I
is the lowest common denominator organization for Web services. It
attempts to ensure interoperability of Web services standards
(developed by W3C and OASIS) by creating profiles based on those
standards. A representative of the Burton Group stated that over 70
percent of its Fortune 300 clients recognize the value of WS-I
deliverables and are including them in their IT requirements. These
companies include Citibank, Merrill Lynch, Hartford Insurance, Kaiser
Permanente, Verizon, Bell South and Eli Lilly.
*Download this author's report of the Nov 04 WS-I meeting:
news.tgc.com/msgget.jsp?mid=298726&xsl=story.xsl.
Here are a few highlights of this important WS-I meeting:
- Board of Directors (BoD) is pursuing ISO/IEC JTC1 "Fast Track"
submission of WS-I Basic Profile (BP) 1.1 and Basic Security Profile
(BSP) documents. This would confer "de jure" standards status on the
WS-I Board approved output documents, which is required in some foreign
countries.
- BoD is considering ways to make WS-I more visible to
developers, architects, systems integrators and end users of Web
services. These include: use case studies; more sample apps (e.g.,
attachments); tech notes and best practices guidelines; best practices
for specific WS standards (which ones?); interop workshops (who will
define the test scripts?); and new profiles (TBD).
- BP 1.1 will be translated into Japanese (the translated BP 1.0
has been very popular in Japan). Note that BP 1.1 obsoletes BP 1.0.
- W3C is considering a new work item to develop an XML schema
profile. This is because many industry participants complain that
either schema is not specified correctly, or the schema development
tools do not work correctly (two sets of tools may not produce
interoperable code for the same Web service). WS-I is keenly interested
in this activity and a draft charter of a new XML Schema WG has been
generated for BoD review. However, that review is on
hold for three months, pending W3C decision on pursuing this activity.
- Basic Security Profile (BSP) WG (see II. below) completed work on
the Security Challenges, Threats and Countermeasures document, which was
approved by the BoD at this meeting. The WG also progressed the three
documents that collectively comprise the BSP. They are waiting for the
OASIS WS-Security TC to complete work on Kerberos Token standard before
they begin related Kerberos profiling work.
- Requirements WG finalized a Usage Pattern Template, submitted by
Fujitsu Software, for description of WS usage patterns. Previous
templates completed: Business Scenarios, Use Cases and Interoperability
Field Report. IBM submitted a new use case on message routing and
addressing, by illustrating the steps in processing of an invoice using
Web services. This application is so common in enterprise IT that a
Usage Pattern will be distilled from this use case.
- This author completed review of two previously submitted BT
contributions -- Callback Addressing and Security Policy -- to the
Requirements Catalog. There appear to be three potential WS-I work
areas that arise from these two BT submissions. It remains to be seen
what action WS-I will take regarding these:
  - To profile and specify detailed requirements for WS-Addressing (as
    it progresses through W3C) for the Callback Addressing scenario.
  - To identify all the security mechanisms and policy attributes in the
    three security profiles being developed by the BSP WG for the
    Publishing Security Policy scenario. Those could then be expressed as
    an add-on to WSDL 1.1 or conveyed via WS Meta Data Exchanges (not yet
    submitted to a standards body).
  - Consider profiling of WS-Policy and WS-Meta Data Exchange for the
    Publishing Security Policy scenario. However, neither specification has
    been submitted to a standards body, which creates a dilemma for the
    WS-I BoD.
II. Deliverables from the WS-I Basic Security Profile (BSP) Working Group
Deliverables from the WS-I Basic Security Profile (BSP) Working
Group currently include four documents, which can be downloaded free
from
www.ws-i.org/deliverables/workinggroup.aspx?wg=basicsecurity.
While all four documents were progressed at this meeting, only the
first (listed below) was approved by the WS-I BoD. The
next three documents form what is often called the Basic Security
Profile, based on the OASIS WS-Security standard. In addition to those,
there is a Kerberos Token document that is still being worked by the
OASIS WS-Security TC. That document will be profiled by the WS-I BSP WG
once it has been approved by OASIS.
- Security Challenges, Threats and Countermeasures: This WS-I Board
approved draft document describes Web services security challenges,
threats and countermeasures. It is used to define the requirements for
and scope of the Basic Security Profile.
- Basic Security Profile: This WG draft of the Basic Security Profile
provides guidance on the use of WS-Security and the User Name and X.509
security token formats. Specifically, this document includes
specification of the WS-Security message protection mechanism, SSL
Transport Level Security (not included in the OASIS WS-Security
standard), attachment profile, user name and X.509 token profile.
- REL Token Profile: This WG draft is the interoperability profile for
the Rights Expression Language (REL) security token that is used with
WS-Security.
- SAML Token Profile: This WG draft is the interoperability profile for
the SAML security token that is used with WS-Security.
III. WS-I Showcase: How End Users are Leveraging WS-I Deliverables
- A representative of HP's IT department stated that they had 25
"eProfile" Web services based applications in development that were not
working with one another. That is, until they demanded compliance with
the WS-I BP. The purpose of these applications was to evolve a user
profile from a set of information collected from or about HP's on-line
customers. The profile would be used to provide superior on-line user
experience and enhancements of applications. HP used WSDL faults to
communicate all error messages, as specified in WS-I BP. They found it
was a lot easier and quicker to integrate applications using WS-I Test
Tools. Indeed, testing decreased for new apps, because troubleshooting
was easier.
- Webify is a company that provides software solutions for the health
care and insurance industries. They were able to help Fireman's Fund
Insurance Company reduce cost and improve productivity with a Web
services-based billing and insurance policy application for insurance
agents. This extended the life of their legacy systems, which are
accessed by the insurance agents. The WS-I BP was used to greatly
simplify agent to insurer business transactions. Modular software
components were developed and then bonded together, based on BP 1.0
compliant WS interfaces.
- L7 Technologies focuses on secure processing of WS messages and
addresses policy issues. They take the unique view that
interoperability has as much relevance to a one vendor solution as to a
heterogeneous mix of vendors. L7 asserts that a single vendor needs to
avoid proprietary solutions and instead needs to converge on widely
accepted standards and profiles. They also take the somewhat unconventional
position that the OASIS WS-Security standard is top-heavy and not needed --
it requires a lot of processing power, and their users may get by
using ONLY SSL Transport Level Security to fulfill their WS Security
needs. Presumably, they are using SSL as specified in the core BSP
draft document, in which they are listed as a co-editor.
The next WS-I Community Meeting will be held June 14-17 in Amsterdam, The Netherlands.
About Alan J. Weissberger
As the founder and Technical Director of Data Communications Technology (DCT),
a technical consulting firm started in March 1983, Alan J. Weissberger
specializes in telecommunications standards and their implementation. His
clients have included network providers (AT&T, NTT, Pacific Bell, US West,
Entel and CTC in Chile, Telkom South Africa, Moroccan PTT, others), equipment
and semiconductor manufacturers, and large end users. In 1995 and 1996 Alan
was the principal architect for the European Commission's multi-service,
multi-country ATM network -- the largest private network in Europe (that
network has now evolved into Gig Ethernet over CWDM). In 2000-01, he was
Ciena's lead ITU-T delegate, contributing to the standardization of the
optical control plane in SG13 and SG15. Alan now represents NEC Corp in
several OASIS TCs dealing with Web Services, while also attending the Global
Grid Forum and the Optical Internetworking Forum (OIF).
Weissberger can be reached via e-mail at aweissberger@sbcglobal.net or
ajwdct@technologist.com. To read his entire biography, please visit
www.gridtoday.com/04/1011/bio.html.