Web services are demonstrating their value and exhibiting the
potential to substantially enhance enterprise productivity and reduce
operating costs. But they will never reach their full potential
without two things: trust and security. That's because Web services
are based on open, dynamic exchange of valuable data and services.
But for everything to work the way it's intended, those deploying Web
services must be able to ensure that the data or services being
exchanged are kept confidential, secure, and reliable.

To deploy trusted Web services, you really need five things:
- High availability: The Web services must be easy to find using
public or private directories.
- Privacy: Communications absolutely must be safe from eavesdroppers.
- Data integrity: Data exchanged by Web services must be safe
while in transit.
- Authentication: Web services must positively identify the
services with which they communicate.
- Authorization: Web services must intelligently restrict
access to sensitive data and functions.

There are a number of standards and specifications floating about
right now that attempt to address each of these specific areas. Most
notably, VeriSign, Microsoft, and IBM recently co-authored a spec
called WS-Security that attempts to add a layer of security to SOAP
messages. WS-Security will serve as the foundation for a number of
subsequent specifications the three companies hope to sponsor,
including WS-Policy, WS-Trust, WS-Privacy, WS-Secure Conversation,
WS-Federation, and WS-Authorization. Some of these names may change,
but this roadmap does show a strategic approach to building out the
standards and technology for enabling trusted Web services.

It will be critical, however, to keep the industry on track. No
significant Web-based technology has taken off without addressing
security issues in some way. During the past decade, VeriSign spurred
the first wave of secure Internet commerce by embedding the VeriSign
Trust Root in all the major Web browsers.

We must be just as diligent in trying to embed elements of trust and
security into the fabric of Web services infrastructure. Loosely
coupled applications must be able to make critical determinations at
runtime, such as whether to entrust an inquiry, reveal strategic data
or invoke contingent services. In addition, application users who do
not know one another must have access to a secure payment mechanism
that allows them to pay for services that operate via the Web
services platform. Finally, enterprises must provide a mechanism that
allows applications to easily locate one another across the Internet
and determine their suitability for interaction based on predefined
criteria.

To meet these requirements, there must be an underlying trust
infrastructure that is dynamic, reliable, and easily accessed by many
applications. This infrastructure and the digital trust services that
it provides must be integrated into Web services at both the network
and application levels, enabling enterprises to securely utilize
existing technology assets while participating as fully as possible
in the emerging digital economy.

A number of industry players, including VeriSign, IBM, Microsoft,
Sun, Oracle, and BEA, are currently cooperating to make it easier for
developers and partners to create or resell trusted Web services by
providing a single resource for integrating digital trust services
into Web services architecture. It's early yet, but the idea is that
developers will be able to easily integrate digital trust services
into their Web services using a single, unified API, which is
currently provided in VeriSign's Trust Services Integration Kit. So
far, there have been more than 2,000 downloads of this kit from
www.xmltrustcenter.org, indicating tremendous early interest in
trusted Web services.

In any case, efforts to integrate digital trust services across all
major Web services platforms will continue, and work on standards and
technology will move forward. If it doesn't, and the industry doesn't
adequately address issues of trust and security, Web services will be
dead on arrival.

Author Bio
Phillip Hallam-Baker is principal scientist and Web services architect
for VeriSign, Inc., and is responsible for driving and delivering key
security specifications and technologies through industry-recognized
standards bodies and other organizations. Phillip is the coauthor of
the XML Key Management specification, which marries XML
and PKI technologies for higher levels of e-commerce security. He
also coauthored the WS-Security specification with Microsoft and IBM.
pbaker@verisign.com
All Rights Reserved
Copyright © 2004 SYS-CON Media, Inc.