REDMOND, Wash., ARMONK, N.Y., and MOUNTAIN VIEW, Calif., April 11, 2002 — Microsoft Corp., IBM Corp. and VeriSign Inc. today announced the publication of a new Web services security specification to help organizations build secure, broadly interoperable Web services applications. The three companies jointly developed the new specification, known as WS-Security, and plan to submit it to a standards body.
WS-Security is the foundation for a broader road map and additional set of proposed Web services security capabilities outlined by IBM and Microsoft today to tackle the growing need for consistent support of more secure Web services. The proposed road map, titled “Security in a Web Services World” and authored by Microsoft and IBM, outlines additional Web services security specifications the companies plan to develop along with key customers, industry partners and standards organizations.
WS-Security supports, integrates and unifies several popular security models, mechanisms and technologies, allowing a variety of systems to interoperate in a platform- and language-neutral manner in a Web services context.
WS-Security defines a standard set of Simple Object Access Protocol (SOAP) extensions, or message headers, that can be used to implement integrity and confidentiality in Web services applications. SOAP is an XML-based industry protocol for accessing Web services in a platform- and language-independent manner. WS-Security provides standard mechanisms to exchange secure, signed messages in a Web services environment, and provides an important foundation layer that will help developers build more secure and broadly interoperable Web services.
“Companies know they can achieve dramatic gains in productivity and cost effectiveness by automating business processes through Web services, but two key challenges stand in the way: interoperability and trust,” said Dr. Phillip Hallam-Baker, principal scientist with VeriSign and a co-author of the WS-Security specification. “The industry is making solid inroads on the interoperability front, and the new WS-Security spec is among a series of open security specifications paving the way for widespread adoption of trusted Web services.”
Piecing Together Components for Secure Web Services
In addition to the WS-Security specification, IBM and Microsoft also announced they are publishing a Web services security road map, “Security in a Web Services World.” The document describes an evolutionary approach to security and defines additional, related Web services security capabilities within the framework established by the WS-Security specification that the two companies plan to develop in close collaboration with platform vendors, application developers, network and infrastructure providers, and customers.
Organizations can incorporate these new specifications, as needed, into the different levels of their Web services applications. The other proposed specifications include these:
WS-Policy, WS-Trust and
WS-Privacy. WS-Policy will define how to express the capabilities and constraints of security policies; WS-Trust will describe the model for establishing both direct and brokered trust relationships (including third parties and intermediaries); and WS-Privacy will define how Web services state and implement privacy practices.
WS-Secure Conversation, WS-Federation
WS-Authorization. WS-Secure Conversation will describe how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys; WS-Federation will describe how to manage and broker trust relationships in a heterogeneous federated environment, including support for federated identities; and WS-Authorization will define how Web services manage authorization data and policies.
A modular approach to Web services security is necessary because of the variety of systems that make up today’s IT environments. As the use of Web services increases among collaborating organizations using different security approaches, the proposed security and trust model provides a flexible framework in which organizations can interconnect in a trusted way.
This interoperable approach enables both the security technology and its business use to evolve. Accordingly, the road map describes how to support current and future security approaches. Organizations can choose the credential they wish to employ, and the process of adoption and deployment can be incremental.
“Providing the industry and our customers with a solid, open-standards-based security model reinforces IBM’s technology leadership and commitment to advancing secure Web services,” said Arvind Krishna, vice president of security products, Tivoli Software, IBM. “Security is key to building and evolving the trusted infrastructures on which our customers run their businesses, and providing them with the necessary specifications to address end-to-end Web services security is crucial.”
“Today’s announcement of WS-Security is a major milestone on the road from today’s situation, where Web services security is left as an exercise for the individual developer, to a world where we have broadly interoperable standards for Web services security,” said Eric Rudder, senior vice president of the Developer and Platform Evangelism Group at Microsoft Corp. “WS-Security is another example of Microsoft’s commitment and leadership in driving industry standards for Web services.”
WS-Security is the foundation of the proposed Web services security architecture. Microsoft, IBM and VeriSign intend to submit the WS-Security specification to an appropriate standards body and anticipate subsequent implementations from multiple vendors. The combined Web services security model, specifications and standards process will enable businesses to confidently develop secure, interoperable Web services and to quickly and cost-effectively increase the security of existing Web services applications.
The WS-Security specification and the “Security in a Web Services World” road map are available on the following sites: IBM developerWorks ( http://www-106.ibm.com/developerworks/library/ws-secure/ ), Microsoft® MSDN®
( http://msdn.microsoft.com/ws-security/ ) and VeriSign ( http://www.verisign.com/wss/ ).
VeriSign Inc. (Nasdaq: “VRSN”) is the leading provider of digital trust services that enable everyone, everywhere to engage in commerce and communications with confidence. VeriSign’s digital trust services create a trusted environment through four core offerings — Web presence services, security services, payment services and telecommunications services — powered by a global infrastructure that manages more than 5 billion network connections and transactions a day. Additional news and information about the company is available at http://www.verisign.com/.
IBM is the world’s largest information technology company, with 80 years of leadership in helping businesses innovate. IBM software offers the widest range of infrastructure software for all types of computing platforms, allowing customers to take full advantage of the new era of e-business. The fastest way to get more information about IBM software is through the IBM home page at http://www.ibm.com/software/.
Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and Internet technologies for personal and business computing. The company offers a wide range of products and services designed to empower people through great software — any time, any place and on any device.
Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign’s actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others: VeriSign’s limited operating history under its current business structure; the risk that VeriSign and its acquired businesses will not be integrated successfully and unanticipated costs of such integration; uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results; failure of the combined company to retain and hire key executives, technical personnel and other employees; failure of the combined company to manage its growth and the difficulty of successfully managing a larger, more geographically dispersed organization; failure of the combined company to successfully manage relationships with customers, suppliers and strategic customers; network outages, network capacity constraints or security breaches; failure of the combined company’s customers to accept new services or to continue using the products and services of the combined company; and competition in the various markets serviced by the combined company. More information about potential factors that could affect the company’s business and financial results is included in VeriSign’s filings with the Securities and Exchange Commission, especially in the company’s Annual Report on Form 10-K for the year ended Dec. 31, 2001.
Microsoft and MSDN are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.
VeriSign is a registered trademark of VeriSign Inc.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. Journalists and analysts may contact Microsoft’s Rapid Response Team for additional assistance.