© OASIS 2003 The Critical Role of Web Services Standards in Vertical Industry Next Generations Asia PKI Forum Taipei, 14 November 2003 Karl Best, VP OASIS


Agenda

Who is OASIS

What are Web Services?

What is required for web services to be successful

Challenges/Issues for web services

What is OASIS doing about web services?


Who is OASIS?

Overview

OASIS is an international consortium dedicated to developing and promoting the adoption of e-business specifications

Member-elected Board of Directors and Technical Advisory Board; member-driven standards process

Members of OASIS are providers, users and specialists of standards-based technologies and include organizations, individuals, industry groups, and government agencies.

International, not-for-profit, open, independent

Successful through industry-wide collaboration

OASIS technical work

The OASIS technical agenda is set by our members; bottom-up approach

Technical committees formed by the proposal of our members

Each Technical Committee sets its own scope, schedule, and deliverables

More than 60 Technical Committees in a variety of topic areas
  - E-business
  - Security
  - Web services
  - Public sector


What Are Web Services?

What are Web Services?

Before Web Services, web-based e-Business was:
  - Browsing of linked documents
  - Manually initiated transactions & purchases
  - Downloading files
  - All initiated manually via a Web browser

Web Services is a model for using the Web to:
  - Automatically initiate processes via the Web using programs
  - Method for describing, publishing, promoting, registering, & initiating processes dynamically in a distributed environment
  - New ways of using the web, including intelligent agents, marketplaces & auctions
  - And… Not necessarily using a Web browser!
    - Actually, the Web is not required
    - How about "Net Services?"

All done using XML standards

A Web Services Scenario

[Diagram: Travel Agency, Travel Network, Hotel, Airline, Car Rental Agency, Credit Card Network, Bank. Interactions shown: collect itinerary data; aggregate data and request reservation; request reservation; check availability, then reserve; request credit card authorization; validate and authorize card; route request to member bank.]

Slide from Eve Maler, Sun Microsystems

Web Services Terminology

Web Services-Interoperability (www.ws-i.org) defines “Basic Web Services” as applications built with:
  - SOAP
  - WSDL
  - UDDI
  - XML Schema


Web Services Terminology (cont.)

W3C Web Services Architecture WG definition:

“A Web service is a software application identified by a URI, whose interfaces and bindings are capable of being defined, described and discovered as XML artifacts. A Web service supports direct interactions with other software agents using XML based messages via internet-based protocols.”

"Our definition of the term ‘Web Services’ does not presuppose the use of SOAP as a packaging format or a processing model. Nor does it presuppose the use of WSDL as a service description language....”

© W3C 2002

So, What is a Web Service?

In its simplest form, application to application requests and responses over the web stack
  - SSL
  - HTTP/SMTP/...
  - XML
  - SOAP
  - UDDI

Registry

RPC and Business Messaging

all loosely coupled...

Web Services Terminology (cont.)

OASIS sees “web services like” approaches to building e-business platforms
  - A continuum from “simple” to “complex”, increasing in robustness, adoption, volume
  - e.g. ebXML can be considered as “complex web services”

Complexity of Web Services

Simple
  - No side effects
  - Non-transactional
  - Context free
  - Session-less, no roles
  - Minimal security
  - Call-response model
  - Point-to-point
  - Not developmentally scalable

Complex, e-Business
  - Impacts other steps
  - Transactional
  - Context sensitive conversions, ordering of steps
  - Session based, personalized
  - Exactly once semantics
  - Sophisticated security
  - Messaging based
  - Scalable


What is Required for Web Services to be Successful?


Complete Picture

Success for Web Services requires standardization of a complete set of specifications, including e.g. Security

What Makes Web Services Possible?

Reliable & Transparent Interconnectivity
  - Web Protocols

Structured Information
  - XML Schemas & validation

Application Interface Standards
  - UDDI, WSDL, SOAP

Consistent Definitions
  - Profiles, Test Suites & Scenarios

Business Process Interface Standards
  - ebXML, BTP, WSBPEL, etc.

Security / Infrastructure Standards
  - SAML, XACML, etc.

Web Services Requires Security

[Diagram: the travel scenario's parties (Travel Agency, Travel Network, Hotel, Airline, Car Rental Agency, Credit Card Network, Bank) with the links between them labelled Encrypt, Sign, Encrypt traveler data, and Trust Relationship.]

Slide from Eve Maler, Sun Microsystems

Web Services Requires Security

“Without security, web services are dead on arrival.” -- Phil Hallam-Baker, Verisign


Security Requirements for Web Services

Authentication: Participants in a message exchange recognize each other and the creators of the content

Authorization: Actions on resources are checked against permissions

Auditing: Participants have a record of what happened

Integrity: Message content wasn’t altered inappropriately during transit


Security Requirements for Web Services (cont.)

Confidentiality: Content is not visible to non-authorized parties

Non-repudiation: A message sender can’t refute the action

Trust: Participants have to agree to work together


Complete Picture (2)

Success for Web Services requires involvement of broad spectrum of vendors, users and implementors, verticals, government in the development of specifications

Broad Participation

Global participation required, including from Asia
  - Asia PKI Forum is leader in secure identity, a topic important to the success of web services

Government agencies can help drive development and adoption of standards through open standards processes
  - Government-sponsored research and pilot projects (e.g. Singapore IDA starting the OASIS FWSI TC; Hong Kong CECID development of open source ebXML software)

Need input from users and implementors from vertical industries

Do’s and Don’ts of Web Services

Do:
  - Participate in standards committees (W3C, OASIS, WS-I) by offering real-world scenarios that can be used as test cases for ensuring reliable, secure, and high-performance Web services.
  - Participate in semantic committees (such as RosettaNet, ebXML, cXML and others) that are working on the descriptions of business documents for use in Web services.

Don’t:
  - Wait for vendors to define the market for you; voice your issues through the standards committees.

(Source: AMR Research, quoted in ZDNet 29 Oct 2003)


Challenges/Issues for Web Services


Fundamental Issues to be Addressed

A common framework for Web service interactions based on open standards must occur.

An agreed set of vocabularies and interactions for specific industries or common functions must be adopted.


Greatest Concern Preventing Adoption of Web services

“There's a sordid history in the technology world of everybody trying to get a little leverage over somebody else by developing proprietary extensions or vendor-specific add-ons to the core technology. In general, those have been bad, because they don't end up being sustainable over time and that costs companies like us a lot of money.”

CIO of a Fortune 100 corporation

Issues Impacting Web Services for the Global Business Market

Advancing WS specifications through an open standards process
  - Core specifications (SOAP, WSDL) at W3C
  - Registry specifications (UDDI, ebXML Registry) at OASIS
  - Infrastructure specifications (security, management, business process, etc.) at OASIS

Coordinating and demonstrating related infrastructure standards

Adapting industry business vocabularies and business scenarios to WS framework

Formula for Sustainable Standards

[Chart: axes labelled Market Adoption and Open Standardization, with the labels Traction and Sanction and the categories Proprietary, JCV, Consortia, SDO. Items plotted: SGML (ISO); XML (W3C); SOAP v1.1; SOAP v1.2 (W3C); UDDI v2,3 (UDDI.org); WSDL v1.1; WSDL v1.2 (W3C); ebMSG v2 (OASIS); eb Reg v2 (OASIS); WS-S v1.0; WS-S (OASIS); BPEL4WS; WS-BPEL (OASIS); WS-*; UDDI v2,3 (OASIS), marked "?".]

Why Are Software Standards Important?

Compatibility

Extensibility

Predictability

Interoperability

Leverage Existing Skills

Rapid Development

Why Do Vendors Comply?

Deliver customer value
  - Faster customization
  - Easier integration with other customer applications

Secure broader adoption of technology
  - More developers means broader deployment
  - More companies can easily build applications

Gain competitive edge
  - Leadership role in the formulation of standards
  - Larger developer community grows adoption


What Does It Take for Software Vendors?

Active participation in standards bodies

Drive standards development to promote industry interoperability and adoption

Analysis of standards in software development

Balance of innovation with standards support

Focus on compliance and interoperability testing

Why Don’t Vendors Always Support Standards?

Too easy to “do your own thing”
  - Quickness to delivery, shortcuts available

Lock-in customers to proprietary solutions
  - Integration with other systems means more consulting

Lack of top-level priority
  - Supporting multiple standards requires specific expertise and resource commitment

Compliance not always possible
  - Many standards do not have compliance testing


How Can Users and Industries Influence Vendors?

Examine and understand standards that are pertinent to your industry

Participate in standards bodies that relate to your business practices

Help vendors understand the importance of your requirements for interoperability

Help vendors understand what standards you rely upon today and in the future … and why

Do not purchase products from vendors who do not support the standards you need

Delphi Group Research on the Value of Open Software Standards

Greatest benefit to support open standards
  - Increases the value of existing and future investments in information systems
  - Provides greater software re-usability
  - Enables greater data portability

Factors driving participation in standards
  - Vendor neutral environment
  - Access to a community of developers
  - Membership comprised of both end-users and software developers


Delphi Group Research on the Value of Open Software Standards

“Compliance with standards in software development is not simply a strategic direction, but a business imperative.”

“Even those who took a very practical approach and stated that standards might slow down their efforts initially, agreed that in the long run the presence of a standard represented a much more secure investment.”


What Should an Open Standards Process Provide?

Opportunity to pursue technical work in a neutral environment – level playing field

Balanced participation by technology vendors, end users from various industries, and governmental agencies

Opportunity to set the technical agenda – member driven

Active support from relevant industry associations

Visibility and sanction by an internationally recognized standards body


OASIS Work in Web Services Standards

OASIS Web Services TCs

Asynchronous Service Access Protocol

Framework for Web Services Implementation

Web Services Business Process Execution Language

Web Services Composite Application Framework

Web Services Distributed Management

OASIS Web Services TCs (cont.)

Web Services for Remote Portlets

Web Services Interactive Applications (completed)

Web Services Reliable Messaging

Web Services Security

OASIS Security TCs

Application Vulnerability Description Language

Digital Signature Services

eXtensible Access Control Markup Language

Provisioning Services

Public Key Infrastructure

Rights Language

OASIS Security TCs (cont.)

Security Services

Web Application Security

Web Services Security

XML Common Biometric Format


www.xml.org www.xml.coverpages.org

www.oasis-open.org