Microsoft Corp. and IBM, which, along with VeriSign Inc., published the original Web Services-Security specification, are now in two camps that have contrasting views over what should be done with the specification, also known as WS-Security. [eWeek]
Microsoft and IBM disagreeing? Ah, the world is coming back to normal. Maybe the stock market will bounce back now, too.
Seriously, though, there is something missing from the WS-Security spec, as I see it. When I want to access a web service secured via WS-Security, I have no way of knowing that it uses WS-Security, and even if I do, I don’t necessarily know what type of credentials I need to supply (username/password, certificate, etc.), and I don’t know if I am required to encrypt and/or sign the message. Perhaps this information should be published as WSDL extensions. The article referenced mentions IBM wants encryption-related WSDL extensions, but doesn’t go into any more details.