Web services has the potential to solve some of the most difficult technology and integration problems that have plagued IT departments for decades. Isolated systems, redundant code, extended development cycles, and vendor dependence have essentially been accepted as inherent side effects of enterprise computing. If Web services is to alleviate these problems, a complete, broadly accepted set of standards must be realized.

In an earlier article (WSJ, Vol. 2, issue 1), I provided a broad look at the Web services standards landscape. At the time, XML and SOAP had reached fairly widespread acceptance and there was great optimism about the flurry of activity in other critical areas, such as service description and discovery. In this article we'll look at what changes have taken place in the major standards organizations. Then we'll take a peek at how far existing standards have progressed and what new standards have emerged over the past six months.

Standards Organizations
One of the keys to the success of developing and promoting acceptance of a standard is the organization defining the standard. Standards organizations have a huge responsibility to not only create and foster standards but also to manage their processes in order to quickly and efficiently release these standards. In addition, they have a broader responsibility to work together to deliver a unified, complementary set of standards rather than introduce specifications that create standards fragmentation and jeopardize interoperability. The work of these organizations will have a broad impact on vendor compliance and customer acceptance. Let's take a look at the leading standards organizations that define the Web services landscape today.

The World Wide Web Consortium (W3C)
The W3C is the premier Web services standards organization. Created in October 1994, the W3C is working to develop a set of technologies in order to bring Web services to its full potential. A new development within the W3C is the creation of the Web Services Activity, which consists primarily of three working groups focused on Web services:

The Web Services Architecture Group
This working group is responsible for identifying, designing, and documenting a coherent architecture for Web services. This group is scheduled to have a working draft architecture document available by June of this year.

The XML Protocol Working Group
This working group is chartered with creating a layered system of protocols (primarily XML and SOAP). The goal of these protocols is to meet the needs of applications with simple interfaces and be extensible in order to provide the security, scalability, and robustness required for more complex application interfaces. Their public schedule called for their work to be done as of April of this year, which has come and gone.

The Web Services Description Working Group
This working group is tasked with defining a standardized way to define Web services interfaces. It will review the scope of the WSDL 1.1 specification as part of the interface component design task. In fact, the group is chartered with making only agreed-upon improvements to the WSDL 1.1 specification, rather than arbitrary changes. They are scheduled to have a draft document in June of this year.

This group is a welcome and necessary addition. The W3C has been under criticism for the lack of movement of the WSDL specification and specifically for not having a working group assigned to this area.

Organization for the Advancement of Structured Information Systems
OASIS is a nonprofit consortium founded in 1993 and dedicated to the promotion of open specifications for the interchange of structured data. OASIS is driving several key Web services standards in the areas of security, transactions, and interactive Web services, in addition to sponsoring the ebXML specifications.

Interactive Web services is a relatively new area driven, at least in part, by the portal industry. Interactive Web services typically involve a person interacting with a Web service in some capacity. OASIS has two working groups actively working in this area, WSIA and WSRP.

Web Services for Interactive Applications
WSIA is chartered with creating an XML- and Web services-centric component model for interactive Web applications. This group is driven, at least in part, by the predecessor specification WSXL (Web Services Experience Language) and earlier work by Epicentric and divine. The two main goals of WSIA are to:

• Enable businesses to distribute Web applications through multiple revenue channels
• Enable new services or applications to be created by leveraging existing applications across the Web.

Both of these groups are early in their work and neither had generated a draft specification as of the writing of this article.

UDDI.org
A group of companies identified on the www.uddi.org Web site is developing a set of open specifications for a service registry. Their goal is to create a platform-independent, open framework for describing services, discovering businesses, and integrating business services using the Internet. At some point, hopefully in the near future, this work will most likely be incorporated into the work of the W3C.

BPMI.org
The Business Process Management Initiative (BPMI) is a group formed to define a standard way to model business processes. Its goal is to promote and develop the use of Business Process Management (BPM) through the establishment of standards for process design, deployment, execution, maintenance, and optimization.

Currently this area is fairly fluid, with Microsoft, BEA, Sun, and OASIS all active in this space. IBM, which authored the Web Services Flow Language (WSFL) specification, is also a member of BPMI.org.

Web Services Interoperability Organization
WS-I is a relatively new organization committed to promoting interoperability among Web services. The group was formed in early February in an effort to create testing tools and standard documentation to enable competing vendors to ensure compatibility between Web services regardless of vendor or implementation. The documentation is planned to include a set of Web services profiles to assist organizations with the adoption of and support for key Web services standards. The WS-I has set a third-quarter release time for the first set of industry recommendations and example applications.

The WS-I hasn't evolved without its share of controversy. First, there is the noticeable absence of Sun from the WS-I list of members. Sun, feeling scorned for not being invited as a founder, has decided to distance itself from the WS-I at least for now.

There is additional concern that the WS-I will infringe on other organizations, specifically the W3C. I, for one, hope that the WS-I at least nudges the W3C to start cranking up their standards engine a couple more notches.

Specifications and Standards
XML, SOAP, and WSDL compose the current base standards for Web services. These specifications are widely accepted, and companies are implementing solutions based on these standards today. However, there is somewhat of a dilemma here. Vendors need time to provide implementations of these standards and get companies to accept and utilize the them in their enterprise. At the same time there are critical pieces that are missing or in need of enhancement. Balancing these aspects is a key challenge facing the standards organizations. These standards have been essentially idle lately as XML, SOAP, and WSDL have not undergone any published updates this year.

Service Description
The area of service description has been quiet recently. WSDL, while not yet a W3C Recommendation, is nonetheless in wide use. However, there has been one new specification proposed, the Web Services Endpoint Language, and with Microsoft and IBM behind it, it does merit consideration.

Web Services Endpoint Language
WSEL is an XML format for the description of nonoperational characteristics of service endpoints, like sequencing of operations, quality-of-service, cost, or security properties. These characteristics are necessary for composing Web services into larger business processes. This is a relatively new specification (developed primarily by IBM), which has made little progress since its announcement.

Service Discovery and Registration
An XML registry is an enabling infrastructure for building, deploying, and discovering Web services. The preeminent specifications for XML registries are the ebXML Registry and Repository standard and the UDDI specification. One new specification in this area is the Web Services Inspection Language jointly developed by Microsoft and IBM.

ebXML Registry and Repository
The ebXML Registry and Repository provides for both the storing and sharing of information. This is different from UDDI, which doesn't support the storing of documents. ebXML Registry and Repository version 2.0 was approved in January of this year.

UDDI
UDDI is an industry specification for description and discovery of Web services. UDDI is itself a SOAP/XML Web service designed for use by developer tools and applications. UDDI is currently in version 2.0. There is a version 3.0 in progress and security will likely figure prominently in this version. Version 3.0 is intended to be the final version before the UDDI community submits the XML business registry specification to a standards body, probably the W3C, for approval.

Web Services Inspection Language
WSIL is a new specification that defines the ability to inspect a site for available services. WSIL will enable developers to easily browse Web servers for XML Web services. While this may seem orthogonal to the aforementioned UDDI, WS-Inspection complements UDDI by enabling the discovery of available services on Web sites unlisted in the UDDI registries, which defines most Web sites offering Web services today.

Security
Security is a crucial piece of Web services architecture that has been intentionally lacking from early specification efforts such as SOAP, WSDL, and UDDI. Security is frequently cited by companies as the most critical piece missing from the Web services story and has been an area of high activity so far this year.

The W3C is developing a set of security specifications that are crucial to public acceptance of Web services. These include XML Signature, a standard for digital signatures that is now a Recommendation; XML Encryption (a Candidate Recommendation), a set of standards for encrypting and decrypting XML documents and data; and XML Key Management (a Working Draft), which enables retrieval of key information from a Web service.

Security Assertion Markup Language
OASIS is developing an XML-based security standard for exchanging authentication and authorization information. The Security Assertion Markup Language (SAML) currently has a great deal of momentum, and there are several implementations available in a number of products including those from Netegrity and Systinet.

WS-Security
Once again industry giants IBM and Microsoft have taken the initiative in driving Web services standards, this time in the area of security. WS-Security was a joint announcement by Microsoft, VeriSign, and IBM. WS-Security defines a set of SOAP extensions and describes how to exchange secure and signed messages in a Web-services environment. Microsoft has stated that this work will be delivered to a standards organization, but no specifics were provided. In addition, Microsoft and IBM announced plans to deliver other security specifications. In particular, six specifications have been identified.

WS-Policy, WS-Trust, and WS-Privacy
The first three specifications address security policies: WS-Policy will define how to express the capabilities and constraints of security policies; WS-Trust will describe the model for establishing both direct and brokered trust relationships (including third parties and intermediaries); and WS-Privacy will define how Web services state and implement privacy practices.

WS-Secure Conversation, WS-Federation, and WS-Authorization
The last three specifications involve the sending and receiving of messages between Web services. WS-Secure Conversation will describe how to manage and authenticate message exchanges between parties, including security context exchange and establishing and deriving session keys; WS-Federation will describe how to manage and broker trust relationships in a heterogeneous federated environment, including support for federated identities; and WS-Authorization will define how Web services manage authorization data and policies.

Resource Provisioning
Resource provisioning is software that enterprises can use to centralize and manage the process of supplying - or provisioning - users with access to corporate systems and data. The challenge of resource provisioning only becomes more complex when you consider emerging B2B scenarios, in which a user might come into a system from outside the firewall. Even more complex are emerging Web services architectures, where not only users but also other bits of code may need access to corporate systems as part of a composite application.

Service Provisioning Markup Language
Emerging to address this problem of distributed provisioning is the OASIS standards group, which last year convened a new Provisioning Services Technical Committee. The group is defining an XML-based framework for exchanging user, resource, and service-provisioning information, dubbed Service Provisioning Markup Language (SPML). A major goal of the group is to define the way provisioning works in a Web services environment.

Data Access
Quick and easy access to data is essential to Web services integration efforts. Database vendors are continuing to evolve their products based on standards such as XML Schema, XML, XSLT, and XPath. Two areas that have been getting increased interest are the XML Query and SQLX specifications.

XML Query
XML Query or XQuery is a W3C specification that provides a vendor-independent method for query and retrieval of XML data. A key component of XML Query is XPath, another W3C specification. The data model that XQuery uses is based on that of XPath and defines each XML document as a tree of nodes. XML Query has been moving through the W3C rather slowly. There have been a total of eight working drafts delivered to date, but the main document was last issued in December of last year.

SQLX
SQLX defines SQL mappings to XML, as well as mappings from XML to SQL. The intent is to integrate XML and SQL and to make the SQL language capable of handling XML data and making XML extensions, or XPath expressions, part of the SQL language. SQLX is sometimes also referred to as SQL/XML.

Conclusion
This has been a relatively quick tour of the standards landscape. The good news is that the base Web services standards are generally agreed upon and significant work is happening in the area of security, which has been high on everyone's list of concerns. The concern is that most of the early work was accomplished during a period when there was a comparatively small core of companies driving the specifications. This is certainly not the case anymore, and many of the big players will not be content to follow only Microsoft's and IBM's lead in the Web services space.

Noticeably missing from this article were new developments in other areas such as transactions and business process management. It's not to say that work isn't occurring in these and other areas, but it hasn't led to new public specifications. For now, beyond the core, established standards of XML and SOAP, Web services is somewhat of a mixture of unofficial standards, such as WSDL and UDDI, and vendor-specific implementations of prominent specifications such as SAML, WSFL, XLang, and ebXML.

Web services is here for the foreseeable future. Let's hope that the standards process will proceed in an efficient manner and continue to produce great standards and that the vendors will abide by these standards and provide great implementations. There is still a great deal of work to be done but the potential payoff is huge.

Author Bio
Greg Heidel is an independent consultant in Web services. His experience includes architecting and designing systems on both the J2EE and .NET platforms and researching the future directions of Web service technologies. greg@distripute.com