Web services ready for third wave
- By Joab Jackson
- Jun 06, 2004
Joseph Chiusano, Web Services Activist
At meetings of the CIO Council's XML Working Group and other Extensible Markup Language discussions around Washington, Joseph Chiusano is a familiar figure.
He asks probing questions and makes observations about how the government can benefit from XML and accompanying Web services.
Chiusano, an associate at Booz Allen Hamilton Inc. of McLean, Va., has considerable experience helping agencies grapple with XML and Web services. He provides guidance to the Defense Information Systems Agency's Network-Centric Enterprise Services initiative.
He is on a steering committee for the Justice Department's Global Justice XML Data Model standard, which will help Justice exchange information with local and state public-safety organizations.
He helped design the systems architecture and data translation functions for the Environmental Protection Agency's Central Data Exchange. And he has advised CIOs at the Health and Human Services Department and the Navy about XML.
Chuisano is on several technical committees of the Organization for the Advancement of Structured Information Standards.
Chiusano has a bachelor's degree in information processing systems from Rutgers University and a master's in operations research from George Washington University.
GCN associate editor Joab Jackson interviewed Chiusano in Washington. GCN: What can agencies expect to get out of Web services if they spend the time and money to implement them?
CHIUSANO: Web services can help agencies with budget constraints. They enable the sharing of services among multiple organizations. Agencies do not have to reinvent the wheel. They can use a service that has already been created and is being used by another agency or group of agencies.
Web services can also get more mileage out of agencies' legacy systems. They don't have to replace them because Web services can integrate the legacy systems with many other applications.
When service implementations are transparent to other services, it means that solutions can be commoditized. Perhaps a vendor goes out of business or maintenance becomes too costly. An agency could switch vendors of a given service with little impact to the rest of the system. That can lower costs for agencies.
Web services also let us communicate over an existing infrastructure'the Web. We don't have to set up private networks. It lets us represent information using a standard language: Extensible Markup Language.GCN: Doesn't an XML transmission carry a lot of overhead?
CHIUSANO: Absolutely. When you compare XML with mechanisms such as flat files, which do not carry tags, the difference is like black and white.
You do need to take into account the file sizes when you use XML.
Say a trading partner is providing you with information for a given month. You might need to ask the partner to send it to you week by week rather than by the month.
On the flip side, as bandwidth availability increases, this will be less and less of a problem.
Part of the art of designing an architecture is determining how fine-grained you can go with certain functionality.
If I have a function, say a logging function, and a large number of participants are going to invoke this function on a second-by-second basis, I would have to examine carefully whether that function should be a Web service.GCN: Where do agencies stand in terms of adopting Web services?
CHIUSANO: It would be difficult to gauge the level of adoption in the federal government today. I know there are many efforts going on at the department level. And we're seeing advancement of some important standards'such as Web Services Security'that the current adoption level will accelerate.
With WSS, Web services can go beyond firewalls to form interagency collaborations.GCN: What is the difference between WSS and the Security Assertion Markup Language standard?
CHIUSANO: A SAML token can be placed in a WSS header. SAML defines an XML framework for exchanging security information in the form of assertions. So you can capture the authentication actions and provide a token to downstream processes that says, 'I am John Smith, and I was authenticated by XYZ.'
SAML does not require use of WSS, but WSS makes it easier because it has a standard mechanism to represent security information.
Booz Allen is using SAML in the Defense Department's Network-Centric Enterprise Services.
Down the road, we'll see other types of tokens, such as tokens for biometric information. There's a working draft for representing biometric tokens in WSS, called the XML Common Biometric Format, or XCBF.
A person's biometric information can be placed in a WSS header and used to authenticate that person to another Web service.GCN: Why are there so many Web services standards?
CHIUSANO: Each time we adopt a new Web services standard, we lay a foundation for other capabilities. We're laying standards on top of standards. The higher the stack gets, the more interoperable we become.
I believe we are in the midst of a second wave of what I call the four waves of Web services standards.
The first wave is what I call the foundational wave'the basics such as the Simple Object Access Protocol and Web Services Definition Language. They are mature and are being used ubiquitously.
The second wave is what I call the advanced wave. It's where we begin seeing advances in such areas as security.
SAML has been standard of the Organization for the Advancement of Structured Information Standards for some time. It also covers Web services choreography, which means observing the behaviors of individual Web services and how they are used in concert. It provides a foundation for Web Service Business Process Execution Language, which is used [to set up] Web services' business processes.
A business process is a specification of a series of activities that work in concert with one another.
The third phase is what I call the semantic wave. The semantic Web really began with the Resource Description Framework and the Web Ontology Language, which became World Wide Web Consortium recommendations in February. Semantic technologies will build a foundation for more dynamic interactions among Web services.
The fourth wave is what I call the advanced semantic wave. I believe we are several years away from that. We will see an incorporation of semantic technologies into the standards that were part of waves 1 and 2, either as updates or as bindings.
So we may see things such as security policies expressed using semantic technologies, so they could be interpreted more easily by systems.
In discovering what Web services are available, [software] agents might use the policies of Web services as criteria for choosing them. For instance, an agent might look for a Web service that requires a certain level of bandwidth. This ability will be very powerful.GCN: Should agencies get more involved in standards groups such as OASIS?
CHIUSANO: OMB Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment, speaks to the need of agencies to have a voice in the development and advancement of standards.
By participating, the government can voice its unique needs to the technical committees. OASIS does have a good amount of federal representation on various committees. WSS and the E-Government technical committee are two examples.GCN: How much time does it take to be involved on a standards committee?
CHIUSANO: It depends on how much you want to involve yourself. There are some technical committees I put much more time into because of the importance of a particular specification or standard. There are some where I participate in all the calls but am not involved in creating technical notes or writing the standards themselves.
A lot of this activity is educational. I tell people that even if they have to get involved on a technical committee on their own time, it is a wonderful learning experience.
A large part of what I do at Booz Allen involves open standards. I have provided guidance to various projects to help ensure their architecture is in line not only with the current open standards but also with the emerging state of standards.
If a certain standard is not getting enough traction'if there are not enough vendor products to demand a standard'then it may not be worth adopting.