© OASIS 2003
The Critical Role of Web Services Standards in Vertical Industry Next Generations
Asia PKI Forum
Taipei, 14 November 2003
Karl Best, VP OASIS
oasis-open.org

Agenda
- Who is OASIS
- What are Web Services?
- What is required for web services to be successful
- Challenges/Issues for web services
- What is OASIS doing about web services?

Who is OASIS?

Overview
- OASIS is an international consortium dedicated to developing and promoting the adoption of e-business specifications
- Member-elected Board of Directors and Technical Advisory Board; member-driven standards process
- Members of OASIS are providers, users and specialists of standards-based technologies and include organizations, individuals, industry groups, and government agencies.
- International, not-for-profit, open, independent
- Successful through industry-wide collaboration

OASIS technical work
- The OASIS technical agenda is set by our members; bottom-up approach
- Technical committees formed by the proposal of our members
- Each Technical Committee sets its own scope, schedule, and deliverables
- More than 60 Technical Committees in a variety of topic areas
  - E-business
  - Security
  - Web services
  - Public sector

What Are Web Services?

What are Web Services?
- Before Web Services, web-based e-Business was:
  - Browsing of linked documents
  - Manually initiated transactions & purchases
  - Downloading files
  - All initiated manually via a Web browser
- Web Services is a model for using the Web to:
  - Automatically initiate processes via the Web using programs
  - Method for describing, publishing, promoting, registering, & initiating processes dynamically in a distributed environment
  - New ways of using the web, including intelligent agents, marketplaces & auctions
  - And… Not necessarily using a Web browser!
    - Actually, the Web is not required
    - How about "Net Services?"
- All done using XML standards

A Web Services Scenario
[Diagram: Travel Agency, Travel Network, Hotel, Airline, Car Rental Agency, Credit Card Network and Bank. Arrow labels: Collect itinerary data; Aggregate data, request reservation; Request reservation; Check availability, then reserve (×3); Request credit card authorization; Validate and authorize card; Route request to member bank.]
Slide from Eve Maler, Sun Microsystems

Web Services Terminology
- Web Services-Interoperability (www.ws-i.org) defines “Basic Web Services” as applications built with:
  - SOAP
  - WSDL
  - UDDI
  - XML Schema

Web Services Terminology (cont.)
W3C Web Services Architecture WG definition:
“A Web service is a software application identified by a URI, whose interfaces and bindings are capable of being defined, described and discovered as XML artifacts. A Web service supports direct interactions with other software agents using XML based messages via internet-based protocols.”
“Our definition of the term ‘Web Services’ does not presuppose the use of SOAP as a packaging format or a processing model. Nor does it presuppose the use of WSDL as a service description language....”
© W3C 2002

So, What is a Web Service?
- In its simplest form, application to application requests and responses over the web stack: SSL HTTP/SMTP/... XML SOAP UDDI Registry
- RPC and Business Messaging
- all loosely coupled...

Web Services Terminology (cont.)
- OASIS sees “web services like” approaches to building e-business platforms
  - A continuum from “simple” to “complex”, increasing in robustness, adoption, volume
  - e.g. ebXML can be considered as “complex web services”

Complexity of Web Services
Simple
- No side effects
- Non-transactional
- Context free
- Session-less, no roles
- Minimal security
- Call-response model
- Point-to-point
- Not developmentally scalable
Complex, e-Business
- Impacts other steps
- Transactional
- Context sensitive conversions, ordering of steps
- Session based, personalized
- Exactly once semantics
- Sophisticated security
- Messaging based
- Scalable

What is Required for Web Services to be Successful?

Complete Picture
- Success for Web Services requires standardization of a complete set of specifications, including e.g. Security

What Makes Web Services Possible?
- Reliable & Transparent Interconnectivity: Web Protocols
- Structured Information: XML Schemas & validation
- Application Interface Standards: UDDI, WSDL, SOAP
- Consistent Definitions: Profiles, Test Suites & Scenarios
- Business Process Interface Standards: ebXML, BTP, WSBPEL, etc.
- Security / Infrastructure Standards: SAML, XACML, etc.

Web Services Requires Security
[Diagram: the travel scenario participants (Travel Agency, Travel Network, Hotel, Airline, Car Rental Agency, Credit Card Network, Bank) with links labelled Encrypt, Sign, Encrypt traveler data and Trust Relationship.]
Slide from Eve Maler, Sun Microsystems

Web Services Requires Security
“Without security, web services are dead on arrival.” -- Phil Hallam-Baker, Verisign

Security Requirements for Web Services
- Authentication: Participants in a message exchange recognize each other and the creators of the content
- Authorization: Actions on resources are checked against permissions
- Auditing: Participants have a record of what happened
- Integrity: Message content wasn’t altered inappropriately during transit

Security Requirements for Web Services (cont.)
- Confidentiality: Content is not visible to non-authorized parties
- Non-repudiation: A message sender can’t refute the action
- Trust: Participants have to agree to work together

Complete Picture (2)
- Success for Web Services requires involvement of a broad spectrum of vendors, users and implementors, verticals, and government in the development of specifications

Broad Participation
- Global participation required, including from Asia
  - Asia PKI Forum is leader in secure identity, a topic important to the success of web services
- Government agencies can help drive development and adoption of standards through open standards processes
  - Government-sponsored research and pilot projects (e.g. Singapore IDA starting the OASIS FWSI TC; Hong Kong CECID development of open source ebXML software)
- Need input from users and implementors from vertical industries

Do’s and Don’ts of Web Services
Do:
- Participate in standards committees (W3C, OASIS, WS-I) by offering real-world scenarios that can be used as test cases for ensuring reliable, secure, and high-performance Web services.
- Participate in semantic committees (such as RosettaNet, ebXML, cXML and others) that are working on the descriptions of business documents for use in Web services.
Don’t:
- Wait for vendors to define the market for you; voice your issues through the standards committees.
(Source: AMR Research, quoted in ZDNet 29 Oct 2003)

Challenges/Issues for Web Services

Fundamental Issues to be Addressed
- A common framework for Web service interactions based on open standards must occur.
- An agreed set of vocabularies and interactions for specific industries or common functions must be adopted.

Greatest Concern Preventing Adoption of Web services
“There's a sordid history in the technology world of everybody trying to get a little leverage over somebody else by developing proprietary extensions or vendor-specific add-ons to the core technology. In general, those have been bad, because they don't end up being sustainable over time and that costs companies like us a lot of money.”
CIO of a Fortune 100 corporation

Issues Impacting Web Services for the Global Business Market
- Advancing WS specifications through an open standards process
  - Core specifications (SOAP, WSDL) at W3C
  - Registry specifications (UDDI, ebXML Registry) at OASIS
  - Infrastructure specifications (security, management, business process, etc.) at OASIS
- Coordinating and demonstrating related infrastructure standards
- Adapting industry business vocabularies and business scenarios to WS framework

Formula for Sustainable Standards
[Chart: axes Market Adoption and Open Standardization; labels Traction and Sanction; categories Proprietary, JCV, Consortia, SDO. Plotted items: SGML (ISO); XML (W3C); SOAP v1.1; SOAP v1.2 (W3C); UDDI v2,3 (UDDI.org); WSDL v1.1; WSDL v1.2 (W3C); ebMSG v2 (OASIS); eb Reg v2 (OASIS); WS-S v1.0; WS-S (OASIS); BPEL4WS; WS-BPEL (OASIS); WS-*; ? UDDI v2,3 (OASIS).]

Why Are Software Standards Important?
- Compatibility
- Extensibility
- Predictability
- Interoperability
- Leverage Existing Skills
- Rapid Development

Why Do Vendors Comply?
- Deliver customer value
  - Faster customization
  - Easier integration with other customer applications
- Secure broader adoption of technology
  - More developers means broader deployment
  - More companies can easily build applications
- Gain competitive edge
  - Leadership role in the formulation of standards
  - Larger developer community grows adoption

What Does It Take for Software Vendors?
- Active participation in standards bodies
- Drive standards development to promote industry interoperability and adoption
- Analysis of standards in software development
- Balance of innovation with standards support
- Focus on compliance and interoperability testing

Why Don’t Vendors Always Support Standards?
- Too easy to “do your own thing”
  - Quickness to delivery, shortcuts available
- Lock-in customers to proprietary solutions
  - Integration with other systems means more consulting
- Lack of top-level priority
  - Supporting multiple standards requires specific expertise and resource commitment
- Compliance not always possible
  - Many standards do not have compliance testing

How Can Users and Industries Influence Vendors?
- Examine and understand standards that are pertinent to your industry
- Participate in standards bodies that relate to your business practices
- Help vendors understand the importance of your requirements for interoperability
- Help vendors understand what standards you rely upon today and in the future … and why
- Do not purchase products from vendors who do not support the standards you need

Delphi Group Research on the Value of Open Software Standards
- Greatest benefit to support open standards
  - Increases the value of existing and future investments in information systems
  - Provides greater software re-usability
  - Enables greater data portability
- Factors driving participation in standards
  - Vendor neutral environment
  - Access to a community of developers
  - Membership comprised of both end-users and software developers

Delphi Group Research on the Value of Open Software Standards
“Compliance with standards in software development is not simply a strategic direction, but a business imperative.”
“Even those who took a very practical approach and stated that standards might slow down their efforts initially, agreed that in the long run the presence of a standard represented a much more secure investment.”

What Should an Open Standards Process Provide?
- Opportunity to pursue technical work in a neutral environment – level playing field
- Balanced participation by technology vendors, end users from various industries, and governmental agencies
- Opportunity to set the technical agenda – member driven
- Active support from relevant industry associations
- Visibility and sanction by an internationally recognized standards body

OASIS Work in Web Services Standards

OASIS Web Services TCs
- Asynchronous Service Access Protocol
- Framework for Web Services Implementation
- Web Services Business Process Execution Language
- Web Services Composite Application Framework
- Web Services Distributed Management

OASIS Web Services TCs (cont.)
- Web Services for Remote Portlets
- Web Services Interactive Applications (completed)
- Web Services Reliable Messaging
- Web Services Security

OASIS Security TCs
- Application Vulnerability Description Language
- Digital Signature Services
- eXtensible Access Control Markup Language
- Provisioning Services
- Public Key Infrastructure
- Rights Language

OASIS Security TCs (cont.)
- Security Services
- Web Application Security
- Web Services Security
- XML Common Biometric Format

www.xml.org
www.xml.coverpages.org
www.oasis-open.org