by Christopher Koch

The Battle for Web Services Standards

Oct 01, 200321 mins
Web Development

It’s already a given: Your company is going to waste money on Web services.

Research company Gartner predicts American business is going to squander $1 billion on misguided Web services projects by 2007. Exactly how much of that will come out of your pocket depends in part on how many confusing, overlapping Web services standards emerge in the next few years.

Right now, it looks like there’s going to be a lot of them.

The Web services standards process began to fall apart this year. No fewer than four organizations—Liberty Alliance, Oasis, W3C and WS-I—are vying to preside over the process, each with different goals, each with differing degrees of power and influence.

And two opposing camps of vendors have emerged: an uneasy alliance of IBM and Microsoft versus nearly everyone else. Both groups are busy duplicating each other’s work.

Both are proposing Web services specifications—some proprietary, some not—with unclear patent and licensing implications for CIOs. In an arena as complex as Web services, confusion is not a good thing. But right now, that’s the situation.

The Web services vision is grand: a universal set of communications protocols to enable computer systems and business processes to seek each other out over the Internet, lonely hearts style, and have deep, meaningful interactions with no human intervention. Even in today’s rudimentary state, Web services standards such as simple object access protocol, or SOAP (see “Core Web Services Standards,” Page 58, for the list of current standards), are proving to be valuable integration technologies. A Gartner survey of 110 companies found that 54 percent are already working on Web services projects or have plans to begin soon, and IDC (a sister company to CIO’s publisher) estimates that companies will do $2.2 billion worth of Web services projects in 2003 and $25 billion in 2008.

“The potential revenue impact of these standards is enormous,” says Whit Andrews, research director for Gartner. But the very size of that financial prize waiting for the winners of the Web services standards competition makes it “difficult to remain involved in a standards effort that involves your competitor,” he adds. Gartner goes so far as to predict that the alliance between IBM and Microsoft will break down by the end of this year, given that the companies are direct competitors in the application server and database markets that make the biggest use of Web services.

“That’s silly,” responds IBM spokesman Steven Eisenstadt. Steven VanRoekel, Microsoft’s director of platform strategy, says, “I couldn’t speculate on how long things will go [between Microsoft and IBM].”

And what about the users? Where are the CIOs?

Some companies have gotten involved with the standards-setting organizations, including financial services heavyweights such as Fidelity Investments and J.P. Morgan Chase, as well as some forward-thinking manufacturers such as GM and health-care giant Kaiser Permanente. But they remain the minority in organizations that, by default, are overwhelmingly dominated by vendors.

“CIOs haven’t gotten involved because it’s a big time commitment, so they say, You vendors figure it out,” says Eric Austvold, research director for AMR Research. “That’s like putting the fox in charge of the henhouse.”

If CIOs continue to stand on the sidelines, they may very well end up with no chickens, forced to choose from among multiple Web services standards that may not interoperate, may have limited life spans, and may come with fees or other onerous patent and licensing requirements.

And if so, CIOs can start ticking off their shares of that wasted $1 billion right now.

Fear of Fees

Contrary to the hype that surrounds Web services, there is no guarantee that the technology will continue to follow the path it has followed so far, which is that it is free and comes with limited restrictions.

In fact, the free model for Web services already has been tested and has just barely survived. In the spring of 2002, just as standards organization Oasis was about to ratify the specification for ebXML (electronic business using extensible markup language, designed to help companies transact business across borders and languages), IBM announced that it held patents for a piece of the specification and that it would offer it under a licensing model called Reasonable and Non-Discriminatory (RAND). If that had stood, vendors would have had the right to charge fees and apply usage restrictions to individual users of the software on a case-by-case basis. But after other contributors to the specification, including the United Nations, claimed that IBM previously had pledged that its work would be royalty-free, IBM issued a statement saying it would relinquish any rights to fees. “We were happy to clarify that we did not intend to charge a fee when we realized that some of the industry was confused,” says IBM spokesman Eisenstadt. “We had never proposed that we would charge a royalty; we were simply following the process as defined by the standards body.”

Both Eisenstadt and Microsoft’s VanRoekel say their companies will not charge royalties for the specifications that they offer to standards bodies. But both companies will continue to use RAND licensing for their specifications, which means that other restrictions could be placed on the use of the technology.

Web services needs to be free of cost and other license restrictions if the industry and its customers are to adopt them on a broad enough scale to make interoperability a reality, say standards believers. If the vision for Web services comes true, and companies use these standards as they use HTTP and HTML—that is, constantly—then royalties on Web services could become like a tollbooth for business on the Internet, chipping money out of every transaction that crosses the wires.

Worries about intellectual property led one standards organization, W3C (the World Wide Web Consortium), to adopt a policy that all specifications it ratifies into standards must be free of fees and other restrictions. In addition, companies submitting specifications for consideration as standards must declare their licensing and patent intentions up front before the standard comes to a vote.

Critics say that has driven Microsoft and IBM into the arms of another standards organization, Oasis (Organization for the Advancement of Structured Information Standards), which has less rigorous requirements regarding patent and royalty issues. “At Oasis, we do have a policy that allows for specifications to have patent claims,” says Patrick Gannon, the organization’s president and CEO. “The result is that over 90 percent of the specifications from Oasis have no royalty related to them.”

But it’s that last 10 percent that has people worried. Web services standards are like pieces in a puzzle: Most are dependent on other pieces to make a whole. If just one of the necessary pieces has royalties or restrictions attached to it, the system is not free.

Why Standards Overlap

In June 2002, a vendor coalition led by Sun Microsystems wrote a specification called WSCI (Web Services Choreography Interface, or Whiskey, in geek-speak). A few months later, IBM, Microsoft and a few other vendors offered up BPEL4WS (Business Process Execution Language for Web Services), a specification that overlapped with WSCI. W3C formed the Web Services Choreography Working Group to consider the specifications. At the first meeting, a researcher from Microsoft showed up “to determine if he wanted to join the working group,” says Microsoft’s VanRoekel.

David Chappell, Sonic Software’s chief technology evangelist and a member of the W3C working group, remembers the meeting well. He says the representative from Microsoft and one from BEA Systems “were clear that there was this other BPEL initiative, and they said, ’The wishes of both Microsoft and BEA are that the group focus on things that are complementary to BPEL and not competing,’” recalls Chappell. “The response from the group was, ’We’ll take that under advisement.’ So Microsoft said, ’We’re not going to participate.’” The Microsoft representative never returned, although BEA continued to be a part of the group. IBM does not have a representative in the group.

Microsoft’s VanRoekel says the researcher made the decision whether to join the group meeting as an individual, “independent of him being a member of the Web services group at Microsoft.” But the damage had been done. Some vendors, most notably Oracle and Sun, took it as a snub and a signal that IBM and Microsoft were going to go their own way on Web services.

Indeed, Microsoft and IBM took their BPEL specification (which each had been working on for years and had embedded into their products) to Oasis and formed a committee to begin working on a standard. Responding to complaints about potential confusion and duplication, Oasis and W3C established liaisons to coordinate work between the two groups to try to avoid overlap.

As of this writing, they’re still working at it.

Oasis Versus W3C: Titans Clash by Proxy

If there’s a driving force behind the growing competition between Oasis and W3C, it’s less the organizations themselves than it is their predominantly vendor membership. They’re split into two major camps: IBM and Microsoft on one side and Sun and (usually) Oracle on the other, with smaller vendors trailing in the wake of both. IBM and Microsoft worked together to build the first major Web services specification, SOAP, that they offered to W3C for consideration in 2000 (W3C later modified and ratified it as a standard in June 2003). In April 2001, IBM and Microsoft submitted a road map to W3C of the specifications that they believed needed to be added in and around SOAP to fill out the Web services stack, as it is known.

IBM and Microsoft have followed that road map ever since, publishing 20 different specifications for Web services. Critics say the plan is both an impressive technological vision…and a rationale for excluding other vendors—and even the standards organizations—from the process. Of the 20 specifications, only two have been submitted to any standards organization for consideration. Critics charge that the others are being held back while the two companies work to perfect them and build them into their products, thereby giving them an advantage in the market.

“If you look at the pattern of behavior that’s been established by Microsoft and IBM, it’s clear that they want to create specifications in a vacuum without input and hold them close to the vest while they develop them in their products and then release them to the standards organizations,” says Ed Julson, group manager of Web services standards and technology for Sun.

“We’ve worked together with industry partners to be sure that the standards process starts with a well-defined proposal,” responds IBM’s Eisenstadt.

When Microsoft and IBM do offer up their specifications for input, critics say, it’s usually behind closed doors rather than in the open forum of a standards meeting. Sonic’s Chappell recalls being invited to Microsoft’s headquarters in Redmond to view two Web services specifications. “IBM and Microsoft were being hammered for going off and doing their own thing,” he says, “so this was viewed as a way of opening things up.” But Chappell says he had to sign an agreement saying he would not discuss the specifications with anyone else and that anything he contributed to the development would become the intellectual property of the companies writing the specifications.

Microsoft’s VanRoekel says his company does not require visiting vendors to sign nondisclosure agreements. “You’re welcome to talk about what’s going on,” he says. But he says Microsoft does make them sign a feedback agreement that stipulates that “if you come and offer input on this technology, then that input must be made available royalty-free.” He adds that Microsoft plans to publish results of vendor feedback sessions on a public website this fall.

Critics say Microsoft and IBM’s strategy of writing specifications outside of the standards groups limits give-and-take. “It’s turning into a proxy war where Microsoft and IBM are coming up with what they feel will be the standards and shopping them around to see who will rubber-stamp them,” says an official from a standards group who requested anonymity. “If one won’t take it, they take it to the other. They’re playing W3C and Oasis off against each other.”

Last January, another conflict broke out between the two vendor camps, this time within Oasis. After a coalition of vendors led by Sun, Oracle and Sonic submitted a specification to ensure reliable delivery of messages (called Web Services Reliability) and formed a committee, Microsoft and IBM published their own specification called WSReliability, which has not yet been submitted to any standards organization.

Microsoft’s VanRoekel says his company is simply following the road map it submitted to W3C. “The reason we take this approach is to make sure the specifications are well-engineered, have a fast time to market and have something we call composability, which means they work well with the other pieces out there,” he says. “What has typically happened in the standards bodies where you design by committee is that the end product is so open for loosely interpreted implementation that you end up not having technology that will work with other pieces that have been developed out in the industry.”

End Run Around the Standards Bodies

In February 2002, Microsoft and IBM, along with seven other vendors, founded the Web Services Interoperability Organization, or WS-I (famously excluding Sun from the group’s board at first, but later allowing it to join). WS-I is not a standards organization per se, but it combines different Web services pieces in an installation-ready package. It calls these packages of Web services “profiles,” and offers tools and guidelines for installing them. The first profile, called the Basic Profile, was released last August.

“[WS-I is] a supra-standards body that ratifies which of these standards will be the baseline for Web services,” says Dan Sholler, vice president and director of technology research services at Meta Group.

The problem, critics say, is that WS-I can pick and choose the pieces it wants to include in the profiles. “With WS-I, Microsoft and IBM have set up a shadow government for standards,” charges Susy Struble, program manager of Web standards and technologies for Sun.

The first profile, for example, contains versions of SOAP and WSDL (Web services description language) that were never ratified as standards by W3C but are included in Microsoft and IBM products. But W3C has approved versions of SOAP and WSDL that have been modified from the versions contained in the WS-I profile. That means CIOs are being presented with two different versions of the core standards for Web services.

“These standards are always evolving,” says Microsoft’s VanRoekel, who is a member of the marketing committee for WS-I. “W3C ratified SOAP late in the process of putting together the first profile. [The W3C standard version] will be incorporated into the next profile.” IBM’s Eisenstadt agrees, adding, “These versions of SOAP and WSDL have the broad industry adoption that is needed.”

But what if competing standards come out of W3C and Oasis?

“Multiple proposals indicate lots of interest—it’s not evil,” says IBM’s Eisenstadt. “The market should decide which proposals are best. Interoperability is the whole point of Web services, so single standards will emerge.”

Adds VanRoekel, “WS-I will take a look at what customers are implementing and decide [which standard to include in a profile] based on that.” He encourages those with concerns about the process to join WS-I. “IBM and Microsoft aren’t the only members of WS-I,” he says. “We don’t decide what the WS-I does.”

Indeed, Microsoft and IBM are not alone in contributing to the confusion. Sun has cofounded its own standards group, Liberty Alliance, to develop a Web services standard for identity management that uses SAML (security assertion markup language), an Oasis security standard. (Microsoft and IBM have released a specification called WS-Security that, according to Sai Allavarpu, group manager of Sun One Network Identity, treads near the same turf.)

But with their combined market clout, Microsoft and IBM have the power to push their own specifications and ignore others to death. At least that’s what AMR’s Austvold predicts will happen to the WSCI business process specification now before W3C. “That’s going to be dead within 24 months,” he says.

“Can you have a standard without Microsoft’s and IBM’s participation?” asks Meta Group’s Sholler. “Yes.” But if that standard does not appear on the Windows platform, which commands upward of 95 percent of the PC market in the United States, and does not appear in IBM’s Unix and mainframe platforms, will anyone use it? he asks.

Why Can’t We All Just Get Along?

Microsoft and IBM have invested a good deal of marketing money—and a lot of good technology—into Web services to build the perception in the market that they are making it happen. Other vendors want their customers to think the same of them.

“I am not sanguine about there being a successful outcome for Web services because it looks to me like there is an increasing likelihood of fragmentation and confusion in the market rather than a convergence,” says Don Deutsch, vice president of standards strategy and architecture for Oracle. “We go into a standards endeavor with the objective of defining things of common interest that will create a new market, or improve an existing market, so we can all compete on price and performance. If there are some members who don’t believe they can participate on an equal basis, then historically the competition begins and fragmentation begins. That confuses customers, and when customers are confused, they don’t buy because they don’t know what to buy.”

Ironically, if the alliance between IBM and Microsoft breaks down, things could get even worse. If the two leading vendors in Web services were to begin sending competing specifications to the different standards organizations for approval, forget about attaining a single set of interoperable standards soon, if ever. Regardless of what happens between IBM and Microsoft, however, as long as vendors remain split and standards organizations continue to allow conflicting work inside their organizations, the Web services standards movement will continue to be disrupted by confusion, delay and the possibility of duplicate, conflicting standards emerging. For CIOs, that could translate into slow, expensive, dead-end projects at a time when Web services could be saving them time and money in a tough economy.

“One of the things that would be nice is if this alphabet soup of standards groups would get together and say we’re all about delivering a single standard,” says Dave Watson, vice president and CTO of Kaiser Permanente, which is active in WS-I. “I’d love to get everyone to say there’s one set of standards and collapse at least four different discussions into one and keep overt agendas at the door, because you don’t serve customers that way. But [unfortunately] the agendas that form these groups [don’t allow that]. Dig deep enough into the woodpiles of these standards organizations, and you’ll always find a vendor as the mommy or daddy.”

The Business of Standards Is Business

If there is a force that can keep the Web services standards movement from blowing up, it is CIOs. But few CIOs have the interest or resources to participate in the different standards organizations. About 30 percent of Oasis’s membership comes from user companies, according to Gannon, though the number of user members who are active members of the different technical committees is much smaller. The number of members in each of W3C’s four different Web services working groups who do not sell or service technology does not rise above 10 percent, and in most cases can be counted on one hand (most of the groups have about 50 members). At WS-I, the user company membership is less than 10 percent. Liberty Alliance’s user membership is just under 30 percent.

“The structure of these groups is backward,” says AMR’s Austvold. “The users should be the ones creating the standards, and the vendors [should be] adopting them. Right now, users have to take what the vendors feed them.”

Besides the obvious bandwidth issues, many CIOs say that with the shift to packaged software in their organizations, they don’t have the technical expertise to contribute much to standards organizations. But in fact, that’s not where CIOs are most needed, says Sun’s Struble: “CIOs should be involved in the early requirements phase, the part where we define what we want the standard to do.”

Indeed, those CIOs who have gotten involved in standards organizations have done so to make sure that what emerges is right for their businesses. “We can put our requirements on the table and have a dialogue,” says Andrew Comas, who, as vice president of technology, is J.P. Morgan Chase’s representative at WS-I. “If I’m not at the table, then I’m having the vendors say what’s best for us.”

The companies that are involved connect the work they do in the standards organizations to their core businesses. J.P. Morgan Chase and Fidelity Investments are concerned about the speed of online transactions and the quality of products presented to customers over the Internet. Kaiser Permanente cares about the movement of online health-care transactions standards known as HL7 from EDI to a Web services model. For GM, the issue is the OnStar communications network it’s building into its cars and trucks.

But the link between Web services standards and business goes even deeper for these companies. The sooner they know where the standards are going, the sooner they can begin shaping their architecture to take advantage of Web services faster than their competitors can.

“We take these public standards and add in our own standards and pass that down into the organization,” says Adrian Kunzle, who is cohead of the architecture group at J.P. Morgan Chase’s investment banking division. “Our participation in standards groups comes from the fact that we’re up front about creating an architecture strategy for our organization. We want to understand where they are going early so we can plan.”

Of course, the commitment required to participate in the development of technical standards is considerable. These efforts can go on for years. “On a topic you’re interested in, it’s easily a couple of hours a week,” says Bill Stangel, enterprise architect for Fidelity. He says Fidelity has a dozen or so staffers involved part-time with various technical committees in standards organizations. Other companies have similar stories: part-time participation of anywhere from six to 10 staffers. Not a bad investment, they say, considering the insight it gives them.

“Without awareness of what’s going on with standards, it’s game over,” says Tony Scott, CTO for GM, which is actively involved in Liberty Alliance. “That awareness allows my organization to provide guidance to the wider IT organization inside GM about where they should be placing investment. What’s emerging, what’s changing, what’s obsolete.”

For companies that cannot afford to get involved directly, Scott recommends they try to exert influence with their vendors. “We have a lot of clout, obviously,” says Scott. “We actively engage the R&D community in areas that we think are important. If we start asking a lot of questions about a particular technology or standard, they get the message.”

Finally, say these technology executives, it’s important to vote for standards and interoperability with your checkbook. “The theme of interoperability is not going to go away,” says Kaiser Permanente’s Watson, saying he wouldn’t buy a product if it “complicated the interoperability issue.”

Standards are inextricably linked to the future of business through the Internet. That they are floundering today means business will flounder tomorrow.

“Standards are the basis of competition going forward,” says GM’s Scott. “It’s not just your ability to make and sell that matters anymore. We used to have a 48-month product development cycle; now we’re down to 18 months, and we’re trying to get to a year. When you have that kind of rapid change, you have to have architectures and standards and interoperability. If you can set the standard or drive the standard, that enables you to get to market faster and have a broader market than might have ever been the case prior to today. Think of standards as an accelerator to your business.”

But you can’t affect those standards if you don’t get involved, says Kaiser Permanente’s Watson. “If you need what this standards activity is producing and you choose not to play at some level,” he says, “then you can’t complain about the product you receive.”