News Stay informed about the latest enterprise technology news and product updates.

SOA's orphan standard WS-Policy finds a home at W3C

The W3C accepts the Web services specification WS-Policy for standards consideration, bringing a key component for SOA into the public domain.

After more than three years, WS-Policy, the Web services specification considered key to providing the loose coupling required in SOA, finally found a standards body home at the W3C on Wednesday afternoon.

Officially W3C acknowledged the submission of the WS-Policy specification by its authors – IBM, Microsoft, SAP AG, BEA Systems Inc., Sonic Software Corp. and VeriSign Inc. – and it will now begin work on transforming the spec into a full-fledged standard.

"This is a big step forward not only for WS-Policy, but for Web services specs in general," said Karla Norsworthy, vice president, IBM software standards. "WS-Policy is a key enabler, a framework to give flexibility at deployment time."

The spec is designed to allow policies for security, messaging and transactions to be set in a policy layer above the Web services applications so these considerations do not have to be coded in by developers, she said.

David Burdett, standards architect for SAP, offered some examples.

"On security, you need to know whether or not you need to encrypt or sign a message," he said. "You would record that fact in a policy for Web services. For Reliable Messaging, you need to know how long should you wait before you assume that a message has not been delivered."

[The WS-Policy is] a "good first step toward qualifying how security and authentication are to be enforced in an SOA environment.
Tony Baer
Principal analystonStrategies

Because of its importance to SOA and Web services, Kyle Young, program manager for connected systems at Microsoft, noted that WS-Policy has the support of vendors who are not authors, but are members of W3C. These include Adobe Systems Inc., CA Inc., Ericsson Inc., IONA Technologies Inc, Layer 7 Technologies Inc., Nokia Inc., Oracle Corp., Ricoh Corp., Systinet (a Mercury Interactive Corp. division), Sun Microsystems, Inc., TIBCO Software, Inc., and webMethods Inc.

"It's been a long anticipated specification to be completed because it provides a key capability across all the rest of the WS-* specifications we've been working on," he said.

Beyond being "long anticipated" some vendors involved in the process, notably Toufic Boubez, CTO at Layer 7, have been openly critical of the time it has taken to get the spec to a standards body. Boubez has argued that without a policy layer, Web services connections continue to be hard-coded, which is the antipathy of the loose coupling philosophy behind SOA.

Tony Baer, principal analyst with onStrategies, called the WS-Policy a "good first step toward qualifying how security and authentication are to be enforced in an SOA environment." Yet the analyst noted that after three plus years, its arrival on the W3C doorstep was somewhat anticlimactic.

"It's a case of the other shoe dropping for at least one of the key building blocks of WS-*," Baer said. "The importance of WS-Policy is that Web services standards are beginning to make their difficult climb to the higher levels of the stack. Historically, there's been relatively minor problem when dealing with the lower levels, such as communications protocols. But at higher level, where you get closer to standardizing data, logic, process or workflow, it has always been a minefield."

Secure Web services

Put Web services security on front burner

Burton report: Tackling security inside SOA

OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: Web Services

Despite the criticism and the long wait for entrance into the standards process, the analyst concluded, "Any consensus on WS-Policy is a positive indicator that at least a few of the roadblocks are finally being cleared."

Microsoft's Young outlined the process that will eventually lead to WS-Policy becoming a W3C standard. None of the authors would hazard a guess at a time frame.

"The next steps are governed by the W3C processes," he said. "The next set of things happening will be around forming a working group. Now that we've made this submission, the W3C will publish a charter and go through a multi-week process to get from that charter to getting a working group launched. Then within that working group, we're hopeful that it can move fairly quickly and effectively once it gets up and running."

This article originally appeared on

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.