IBM Neutral on Passport vs. Liberty Security Efforts for Now
by Kristin Palitza
IBM will not take a stance on the application security
efforts of Microsoft's Passport technology and Sun Microsystems' Liberty Alliance Project--at least for the
moment. IBM says it will wait until one or the other matures. It will take at least another few months until
Passport and Liberty are far enough evolved for IBM to decide which one it wants to go with, said Arvind
Krishna, vice president of security products for IBM's Tivoli division, at the company's Web Services Day
last week.
Krishna further explained that IBM might well opt to support both efforts. "We don't like to take sides. It
doesn't have to be the one or the other," Krishna said.
The Liberty Alliance is a group Sun established
together with dozens of partners from the high-tech, financial, automotive, and travel industries to create an
interoperable standard for network identity. Charter members include Bank of America, i2
Technologies, General Motors, RSA Security, Entrust Technologies, American Airlines, and VeriSign, among others. Liberty competes with the Passport
authentication technology, which is part of Microsoft's .NET initiative. Although both groups persistently
talk about eventual interoperability between Passport and Liberty technologies, there are currently no signs
of collaboration.
Both efforts are lacking in core criteria that would be necessary to gain IBM's full support, Krishna
explained. The Liberty Alliance only recently made public what security technologies it will subscribe to
(Liberty says it plans to release its first specification this summer), whereas Passport is not an open
standard but Microsoft's proprietary tool. Passport will have to become part of the federated identities
endeavor for IBM to consider supporting it, Krishna said. Through federated identities, online customers
have a mechanism for forwarding trusted identity information when logging onto different Web sites that
would normally require multiple IDs.
"Microsoft is under a tremendous amount of pressure. They have got to be standards-based to do
mission-critical work, because the world is heterogeneous," said Robert Sutor, IBM director of e-business standards
strategy. He stressed that every technology vendor has to make sure its products can interoperate
with other products to play a leading role in the IT market. "Everybody is under the same type of pressure--no
matter if it's Microsoft, Oracle, Sun, or IBM," Sutor said.
Although IBM claims to be neutral on Passport versus Liberty, it seems to slightly favor the Microsoft
team. IBM is already said to be playing a role in Microsoft Passport announcements later this year, but it is
not a member of Liberty. "We are moving forward with pragmatism. Liberty is just one corner of what is
happening regarding Web services security," IBM said. IBM recently strengthened its ties with Redmond,
Washington-based Microsoft when the two giants jointly founded the Web Services Interoperability Organization
in early February to promote Web services
interoperability across all systems. IBM decided to cofound WS-I because "Web services standards and
technologies enable interoperability, but they don't guarantee it," said Sutor. WS-I aims to deliver profiles,
best practices, scenarios, as well as software and materials testing for Web services interoperability. The
group started on February 9 with nine founders and only one month later it has received 450 inquiries from
those interested in joining, Sutor said.
While waiting for Passport and Liberty to progress, IBM is investing in its own security standards
development. It is working on prototypes on its alphaWorks site, where developers can download emerging
alpha-code technologies at a very early development stage. IBM currently has three Web services-related
security protocols on its site, including XML Encryption Syntax, XML Digital Signature, and XML Access
Control. Technologies that appear on alphaWorks are usually part of the next release of Tivoli, IBM's security
management products, Krishna said. It generally takes between six and 12 months for an alpha version to
become a product.
How to secure Web services is the biggest issue for developers right now. They spent a long time figuring
out how to connect Web services and eventually created SOAP, WSDL, UDDI, and XML Schema.
They are just at the beginning of the second phase of Web services development, creating tools for security
and reliability. Some efforts are under way, including Security Assertion Markup Language, eXtensible
Access Control Markup Language, XML digital signatures, XML encryption, and HTTP-R. Afterward,
developers will have to tackle thresholds, such as Web services provisioning, transactions, workflow, and
systems management. Web services technology is still in an early stage.
Krishna named five layers of Web services security that IBM is working on in some form: authentication
and identity; authorization; confidentiality; integrity; and non-repudiation. To guarantee confidentiality, for example,
IBM and Microsoft submitted a SOAP security standard to the World Wide Web Consortium. IBM also partnered last month
with security-software developer VeriSign to provide managed public key infrastructure services and to
promote the Security Assertion Markup Language and the XML Key Management Specification, which is
aimed at validating certificates before signing. IBM plans to use SAML and XKMS within its Tivoli Policy
Director.
Another major challenge will be to scale Web services security mechanisms, such as authorization,
Krishna said. Companies will have to publish policies for each Web service they provide, but
since all Web services will be interoperable, Web services policies will have to be reconciled--a difficult
and arduous task.