Leading the Adoption of
Web Services Standards
Patrick Gannon
President & CEO

Web Services on Wall Street
New York, 2 February 2005
Open Standards
for Web Services

   Why do standards matter?
   Key Directions in Web Services & Security
   What your company can do
Why then do standards
Achieving Sustainable Business Benefits
through Open Standards for Web Services

    In this post-dot-com era, end user
    companies are expecting more
    liquidity and longevity of their assets.
    To achieve the ROI, Cost Reduction
    and Service Expansion benefits
    expected, the widespread deployment
    of standards-based Web services is
Why do standards matter
for e-business?

   Businesses require expansion of the value chain
    into unlimited, de-perimeterized extranets
   Support of multiple platforms is a business
   Must support multiple languages, taxonomies,
    semantics and business processes
   Normalizing data, processes and users costs
    time and money
Why do standards matter?
Risk Reduction for e-commerce
Unstable business and       Persistent technical base
technical requirements      with stable versioning

New and emerging            Evolving and converging
business requirements       standards

Diversity of business       Interoperable standards
partners and technologies

Need for long term          Reliable, fixed terms of
support                     availability
What’s an “Open Standard”?
An open standard is:
 publicly available in stable, persistent
 developed and approved under a published
 open to input: public comments, public
  archives, no NDAs
 subject to explicit, disclosed IPR terms
Anything else is to some extent proprietary:
 This is a policy distinction, not a pejorative
 See the US, EU, WTO governmental & regulatory
  definitions of “standards”
Standards Adoption
   To be successful, a standard must be used
   Adoption is most likely when the standard is
       Freely accessible
       Meets the needs of a large number of adopters
       Flexible enough to change as needs change
       Produces consistent results
       Checkable for conformance, compatibility
       Implemented and thus practically available
   Sanction and Traction both matter
Leading the Adoption of
Web Services Standards
   OASIS is a member-led, international non-profit
    standards consortium concentrating on
    structured information and global e-business
   Over 650 Members of OASIS are:
      Vendors, users, academics and governments

      Organizations, individuals and industry

   Best known for web services, e-business,
    security and document format standards.
   Supports over 65 committees producing royalty-
    free and RAND standards in an open process.
OASIS members in
Financial Services
   Accountis PLC
   Australian Taxation Office
   Bank of America
   Belgian Federal Public Service FINANCE
   Canada Customs & Revenue Agency
   Fidelity Investments
   First Data
   FundSERV
   Hungarian Tax and Financial Control Administration
   JPMorganChase
   Mortgage Bankers Association of
   Netherlands Tax and Customs
   Norway National Insurance
   Thomson Corporation
   UK Inland Revenue
   US Internal Revenue Service
   Internet Development Service
   Vertex
   Visa International
   Wells Fargo
   Wolters Kluwer
Key Directions in
OASIS Standards for
Web Services
Approved OASIS Standards
for Web Services
   UDDI: Universal Description, Discovery & Integration
       Defining a standard method for enterprises to dynamically
        discover and invoke Web services.
   WSRP: Web Services for Remote Portlets
       Standardizing the consumption of Web services in portal front
   WS-Reliability
       Establishing a standard, interoperable way to guarantee
        message delivery to applications or Web services.
   WSS: Web Services Security
       Delivering a technical foundation for implementing integrity and
        confidentiality in higher-level Web services applications.
    OASIS Standard UDDI v 3.0.2 - February 2005
    Support for Registry Affiliation
    Publisher Assigned Keys
        Human-friendly, URI-based keys
    Subscription API
    Support for Digital Signatures
    Information Model Improvements
        categoryBags on bindingTemplates (endpoints)
        Operational information
        Support for Complex Categorization
    Extended Discovery Features
        Support for previous multi-step queries into single-step
         complex queries
        Extended Wildcard support
        Management of large results sets
UDDI v.Next
    Taxonomy Management
        Using OWL for the interchange format
        API for navigation and management of taxonomies
    Query Enhancements
        Semantic Search
        Range Based Query
        Boolean Query Operations
    Information Model
        Finer grain access control capabilities
        More flexible ways to represent contacts and property
        Managing Stale Data
    Generalized Bindings
        SOAP 1.2, WSDL 2.0
OASIS Web Services
Infrastructure Work
14+ OASIS Technical Committees, including:

   ASAP: Asynchronous Service Access Protocol
    Enabling the control of asynchronous or long-running Web services.
   WSBPEL: Business Process Execution Language
    Enabling users to describe business process activities as Web
    services and define how they can be connected to accomplish
    specific tasks.
   WS-CAF: Composite Application Framework
    Defining an open framework for supporting applications that contain
    multiple Web services used in combination.
   WSDM: Distributed Management
    Defining Web services architecture to manage distributed resources.
OASIS Web Services
Infrastructure Work
   WSN: Notification
    Advancing a pattern-based approach to allow Web services to
    disseminate information to one another.

   WSRM: Reliable Messaging
    Establishing a standard, interoperable way to guarantee message
    delivery to applications or Web services.

   WSRF: Resource Framework
    Defining an open framework for modeling and accessing stateful
Standardizing Web Services
For communities and across industries:
   ebSOA: e-Business Service Oriented Architecture
    Advancing an eBusiness architecture that builds on ebXML and
    other Web services technology.

   FWSI: Framework for WS Implementation
    Defining implementation methods and common functional elements
    for broad, multi-platform, vendor-neutral implementations of Web
    services for eBusiness applications.

   oBIX: Open Building Information Xchange
    Enabling mechanical and electrical systems in buildings to
    communicate with enterprise applications.
   Translation WS
    Automating the translation and localization process as a Web service.
Security for Web Services
   Most e-business implementations require
    a traceable, auditable, bookable level of
    assurance when data is exchanged
   IT operations demand “transactional” level
    of reliable functionality, whether it’s an
    economic event (booking a sale) or a pure
    information exchange
   Dealings between divisions often need
    security and reliability as much as deals
    between companies
Security: function by function

   Identity authentication
   Encryption and protection
    against interception
   Control of access and authority
Identity authentication
The latest e-business security standards
implement the next generation of identity
   In the 1990s, PKI assumed a universal
     network of official certification authorities
   Newer federated / distributed identity
     models permit identity certification to be
     decentralized and shared among service
     providers and existing registrars
     • SAML     • WS-Security • XCBF         • SPML
Identity authentication
   SAML
    (Security Assertion Markup Language)
       A standard way to convey identity and
        authorization data
       Winner of PC Magazine’s Technology
        Excellence Award in 2002 and Digital ID
        World 2003 award for innovation in 2003
       SAML 1.0 approved as an OASIS Standard
        in Nov. 2002; SAML 1.1 in Aug. 2003
       SAML 2.0 approved as Committee Draft in
        Dec. 2004; OASIS Standard in Q1 2005
Identity authentication
   WS-Security
    (Web Services Security)
       The standard method for attaching
        security data to a web services message
       Wide support in web services tool-making
       Profiles (modules) completed for:
         • Username-token/password pairs
         • X.509 PKI
         • SAML
         • Rights Expression Languages
       WS-Security 2004 1.0 suite approved as
        an OASIS Standard in April 2004
Identity authentication

   XCBF
    (eXtensible Common Biometric Format)
       Method for conveying biometric identity
        data such as retina scans and fingerprints
       Coordinated with other world efforts,
        including ITU-T standards and the ANSI
        X9.84 banking industry biometrics initiative
       Expect to see more tools and devices
        commercially deployed soon
       XCBF 1.1 approved as an OASIS Standard
        in August 2003
Identity authentication
   SPML
    (Service Provisioning Markup Language)
       Method for conveying cross-system identity
        provisioning requests
       Fully integrated with SAML and built using
        a wide range of open web services standards
       Defines a simple client-oriented
        request/response protocol for Id provisioning
        request exchange
       SPML 1.0 approved as OASIS Standard –
        Nov. 2003
Encryption and protection against
interception & intrusion
   A key problem with encrypted messages
    travelling over a shared or public network: if
    you encrypt the wrong bits, it doesn’t arrive, or
    the recipient can’t process it
    • DSS                  • PKI TC
   Shared and automated methods for managing
    security require a shared vocabulary about
    security weaknesses and risks
    • AVDL                 • WAS
Control of access and authority
   In transactional information
    exchanges, you often must apply
       access lists,
       directories of recipients,
       levels of authority, and
       access policies
   So that you know who gets what, and
    who should get it
    • XACML                • SPML
Control of access and authority
   XACML
    (eXtensible Access Control Markup Language)
       Method for conveying and applying data access
        policies & controls
       Demo’ed at XML2003 in Philadelphia
       XACML approved as OASIS Standard
           v1.0 in Feb. 2003
           v2.0 in Sep. 2004
       Role-based access profile issued May 2004
   SPML
    (Service Provisioning Markup Language)
       Identity provisioning interface specification
       Becomes the missing link in secure web
        services subscription and Identity Mgmt
       Demo’ed at Burton Catalyst 2003 in SF
What should your company be
Reducing Risk in new
e-business technologies
   Avoid reinventing the wheel
       Stay current with emerging technologies
   Influence industry direction
       Ensure consideration of own needs
   Realize impact of interoperability and
    network effects
   Reduce development cost & time
       Save development on new technologies
       Share cost/time with other participants
What can your company do?
    Participate
        Understand the ground rules
        Contribute actively
    Be a good observer
    In any case…
    Make your needs known
        Use cases, functions, platforms, IPR, priorities,
         availability, tooling
    Be pragmatic: standardization is a
     voluntary process
Contact Information:
Patrick Gannon
President & CEO