Press Release

Web Services Security (WSS) Ratified as OASIS Standard

AmberPoint, BEA Systems, Betrusted, Commerce One, Computer Associates, Documentum, Entrust, Fujitsu, HP, Hitachi, IBM, Microsoft, Netegrity, Nokia, Novell, Oblix, OpenNetwork, Oracle, Reactivity, RSA Security, SAP, Sarvega, SeeBeyond Technology, Sun Microsystems, Verisign, and Others Develop Foundational Standard for Security

Boston, MA, USA; 19 April 2004 — The OASIS international standards consortium today announced that its members have approved the Web Services Security (WSS) version 1.0 (WS-Security 2004) as an OASIS Standard, a status that signifies the highest level of ratification. WSS offers a trusted means for applying security to Web services by providing the necessary technical foundation for higher-level services.

Gartner analyst, Ray Wagner, advised, "Enterprises should adopt WSS formatting for all across-the-firewall Web service deployments, even in cases where no security needs have been identified. Gartner believes that WSS will be the standard for the majority of Web services, and committing to it now will allow enterprises to easily modify the security profile of deployed Web services in the future."

WSS builds upon existing security technologies such as XML Digital Signature, XML Encryption and X.509 Certificates to deliver an industry standard way of securing Web Services message exchanges. Providing a framework within which authentication and authorization take place, WSS lets user apply existing security technology and infrastructure in a Web Services environment.

"By enabling applications to share information regarding network access regardless of the underlying platform, Web Services Security paves the way for broader adoption of Web services," said Chris Kaler of Microsoft, co-chair of the OASIS WSS Technical Committee. "The OASIS WSS TC is pleased by the support and commitment of the Web services community leading to the ratification of Web Services Security as an industry standard."

WSS handles complex confidentiality and integrity for SOAP (Simple Object Access Protocol) messages, providing a general-purpose mechanism for associating security tokens with message content. Designed to be extensible, WSS supports multiple security token formats.

"A client might provide one format for proof of identity and another format to verify their business certification," explained Kelvin Lawrence of IBM, co-chair of the OASIS WSS Technical Committee. "Using WSS, a system can authenticate the identity of a person connecting to several networks at once or pass data between two applications securely."

"The Web Services Security OASIS Standard represents a truly impressive collaboration from across the industry," noted Patrick Gannon, president and CEO of OASIS. "It is testament to the value of the open standards process where users and vendors, large and small, come together to advance a common good. WSS delivers a much-needed foundational technology that will enable Web services to be deployed with confidence."

Industry Support for WSS

Booz Allen Hamilton "The approval of Web Services Security is a large step forward in enabling increasingly secure interoperability between Web Services-based systems both inside and outside enterprise boundaries," said Steven Lewis, Senior Consultant at Booz Allen Hamilton. "This will enable our clients to achieve even greater benefits from using Web Services, and we look forward to applying OASIS Web Services Security in our client solutions."

Commerce One "Securing messages sent using Web services is critical to the widespread deployment of Web services for integrating systems at the ‘edge-of-the-enterprise.’ We have been very active in the development of this important standard and have implemented it as part of a comprehensive security solution in our Conductor Platform," said David Burdett, Director of Standards Strategy at Commerce One.

Computer Associates "OASIS Web Services Security will help ensure and streamline the implementation of security policies across complex environments and multiple business relationships. CA will continue to work closely with other industry leaders and with OASIS to develop practical standards that enable our customers to create trusted relationships, resulting in improved business performance and new revenue opportunities." said Dmitri Tcherevik, director of Web services at Computer Associates.

Cordance "WSS 1.0 is a key building block of the trust infrastructure required by many other Web Services. The OASIS XDI (XRI Data Interchange) Technical Committee intends to use WSS 1.0 as a primary means of ensuring the security of trusted data sharing relationships using XDI. This is another example of how modular Web Services specifications developed by OASIS and other standards bodies can work together to build the next layer of the Web," said Drummond Reed, CTO, Cordance Corporation, Co-Chair of the OASIS XRI and XDI Technical Committees.

Fujitsu "Fujitsu is very pleased to learn that Web Services Security (WS-Security 2004) has been ratified as an OASIS Standard with wide industry support. Fujitsu believes that this open and interoperable security standard will accelerate the adoption and deployment of Web services suitable for real business applications," said Seigo Hirosue, General Manager of Strategy and Technology Division, Software Group of Fujitsu Limited.

HP "Standards-based, secure Web services technologies are the foundation of open, flexible, business-centered computing systems. Approval of the OASIS Web Services Security specifications is an important step in building a complete suite of open Web services standards. Implementations of these specifications will help HP and our customers to adapt IT resources to enterprise needs rapidly and securely," said David Shoaf, director, Software Standards Marketing, HP.

IBM "IBM is pleased to see Web Services Security become an OASIS Standard. Customers have been asking for an industry standard way of signing and securing Web services message exchanges, and the industry has clearly been looking to the OASIS Web Services Security Technical Committee to deliver a quality specification. IBM already offers support for earlier drafts of WS-Security in many of our WebSphere and Tivoli products and this new OASIS Standard will be fully supported across the IBM software portfolio," said Arvind Krishna, vice president of provisioning and security development, Tivoli Software, IBM.

Microsoft "The ratification of Web Services Security as a standard is a significant milestone for Web services and the industry overall. Web Services Security is supported broadly across the industry, with numerous implementations from vendors available today as evident by our customers leveraging Web Services Security capabilities. We will continue our support for the standard with plans to implement the technology in our Web Services Enhancements (WSE) offering. We look forward to continued progress, adoption and implementation of Web services, and continuing our commitment to work with the industry to provide a common set of industry standards for secure, reliable and transacted Web services," said Dave Mendlen, director of Web services technical marketing for Microsoft.

Nokia "Nokia is pleased to see the timely release of these open security standards. This will enable interoperable web services security, driving meaningful web services adoption. Nokia is pleased to have contributed to these standards and looks forward to their adoption by vendors, customers and other standards organizations, increasing the momentum toward practical service oriented architectures," said Frederick Hirsch, Senior Architect at Nokia, an active contributor in the OASIS WSS Technical Committee and member of the OASIS Board of Directors.

Reactivity "Over the past 18 months, Reactivity has been an active member of the OASIS WSS Technical Committee, providing thought leadership in XML security technology to help drive the convergence of interoperability standards. We appreciate the opportunity to contribute to Web Services Security Version 1.0 and are pleased to have been the first among XML security gateways to actually demonstrate broad interoperability. We will continue to actively support the final specification in our current and next-generation secure connectivity solutions for Web services," said John Lilly, CTO, Reactivity.

SAP "SAP considers message-level Web service security a key component for deploying Web services in enterprise-critical business applications. We are pleased to see Web Services Security accepted as an OASIS Open Standard and to announce its support in SAP NetWeaver, SAP’s application and integration platform. Web Services Security provides our customers with message integrity and confidentiality in their Web services-based application integration projects," said Michael Bechauf, Vice President NetWeaver Standards at SAP.

Sarvega "As the deployment of Web services, especially in mission-critical applications, becomes more widespread, the ability to provide interoperable, comprehensive and reliable security becomes all the more important. The industry has recognized for some time that standardization of security is key to successful Web services deployments. OASIS and its members have made significant contributions toward crafting a common standard and assuring real life applicability through interoperability testing. We, as well as our customers, are extremely pleased about this announcement and Sarvega is proud to be part of the process," said Girish Juneja, co-founder and senior vice president of product management for Sarvega.

SeeBeyond "Approval of Web Services Security as an OASIS Standard is an important step toward maturing the set of basic technologies necessary to support the deployment of secure Web Services. As an OASIS sponsor represented on the OASIS WSS Technical Committee, SeeBeyond supports this advancement in providing enhanced message-based integrity, confidentiality, and authentication. This security standard coupled with our open platform for composite application development and integration, further supports our role in enabling standards-based interoperability built on a Service Oriented Architecture (SOA) for our global customer base," said Alex Andrianopoulos, vice president of Product Management & Standards for SeeBeyond.

About OASIS (

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Founded in 1993, OASIS has more than 2,500 participants representing over 600 organizations and individual members in 100 countries.

More information:

OASIS WSS Technical Committee

Cover Pages Technology Report: Web Services Security

Press contact:

Carol Geyer Director of Communications OASIS ( +1.978.667.5115 x209