Pointer to article:
These critical WS-* security specifications have been in draft stage for so long that it’s easy to forget that they’re not ratified de jure standards.
All of them are important for full-fledged identity and security specifications: the ones being submitted to OASIS (WS-Trust, WS-SecureConversation and WS-SecurityPolicy) and the ones yet to be submitted (WS-Federation and WS-Policy). I anticipate that all of these, except WS-Federation, will have clear sailing through the OASIS standardization process. And that's because all of them, except WS-Federation, have the "legs": well-wrought specifications, considerable industry support, and no direct rivals. WS-Federation is a good specification, don't get me wrong. But it largely competes against well-entrenched rivals: SAML 1.x/2.0 and Liberty ID-FF 1.x/ID-WSF 1.x. And WS-Federation has only a handful of firm (albeit powerful) supporters, principally Microsoft and IBM. It's quite likely that, once Microsoft and IBM submit the spec, OASIS will fold it into the next major version of SAML (beyond 2.0).
Getting standards ratified by OASIS or whoever is only half the game, where Web services/SOA security is concerned. Ratification is only one step on the roadmap to maturity of these standards. Before we can truly consider identity/security federation a mature, full-feature, mainstream approach to distributed security, the WS-* stack needs to jump the following hurdles:
• OASIS ratification: Dominant standards need to be ratified by OASIS in all of the principal identity/security functional service layers. Clearly, as the article states, that process will still take 2-3 years, at minimum, to complete. So we’re still talking 2008, at the earliest, before a full set of industry-consensus WS-* identity/security standards is ratified.
• Vendor implementation: Vendors don’t always implement OASIS- or whoever-developed standards at the same rate. Considering the wide range of WS-* identity/security standards and the wide range of vendors that will need to implement some or all of them to enable full-fledged federation, it would be quite surprising if the core group of “everybody implements ‘em” standards expands much beyond today’s status quo—WS-Security and SAML—by the end of this decade.
• Implementation profiling: And vendors, even when they say they implement the same standards, often implement them in very different ways, with the obvious impact on interoperability. The Web Services Interoperability (WS-I) Organization is the principal implementation profiling group in the Web services arena. So far, the only security standard that it has profiled is WS-Security (in addition to the core WSDL, SOAP, and UDDI standards). In profiling a standard, WS-I is sending a signal to industry that the profiled standard is mature and widely adopted, hence critically in need of a common implementation framework. Does anybody imagine that WS-I will begin to consider profiling the other WS-* identity/security standards and specs (WS-Trust, WS-SecureConversation, WS-SecurityPolicy, WS-Federation and WS-Policy) any time before the end of the decade? They should focus first on SAML 1.1, which is definitely mainstream and badly in need of WS-I profiling. XACML and SPML should also be profiled soon, given that they have already been ratified and are being adopted widely.
So, to sum up, identity/security federation won’t truly mature as a full-fledged approach until these milestones—ratification, implementation, and profiling—have been crossed for the core WS-* standards and specifications in the principal functional layers. And that won’t happen till 2010, at the very earliest. More likely, 2011 or 2012.
Of course, enterprises can and should continue to deploy identity/security federation environments before the standards picture shakes out completely. The business benefits from federation are undeniable, and the current products/standards are more than sufficient for lots of federation scenarios.
But submitting a specification to a standards group doesn’t make that specification mature. Plenty of specifications die in committee. Or, if they’re approved/ratified, die in the marketplace. Or are effectively abandoned and ignored by their creators.
So curb your enthusiasm for these WS-* identity/security specs till we see how the marketplace shakes it all out.