Thankfully, the myth that Web services standards begin and end with SOAP, WSDL, and UDDI is fast dissolving. Most developers now appreciate that mission-critical Web services must also extend to include standards in security, resource management, remote application access, choreography, semantics, and much more.

A number of consortia and industry groups are defining the expanding scope of Web services standards. The two major standards-setting bodies for Web services are the World Wide Web Consortium (W3C), and the Organization for the Advancement of Structured Information Standards (OASIS). (WS-I, the Web Services Interoperability Organization, does not develop standards; its mission is to provide guidance, best practices, and resources for developing solutions. WS-I's deliverables [profile definitions, testing tools and sample applications] are based on the standards developed by OASIS and W3C.)

OASIS and W3C maintain close ties with one another. Sharing many of the same members, the groups acknowledge that Web services standards are far too broad for any one organization to own, and they work hard to avoid overlap or duplication of effort. Nevertheless, their approaches are substantially different.

The OASIS technical process lets members take the lead, identifying needs based on their own technology and domain expertise and forming technical committees to address those needs. The membership is a rich mixture of software vendors, end-user companies, governmental agencies, industry associations, educational institutions, and individuals.

There are two levels of approved work at OASIS. The first, OASIS Committee Specifications, refers to work that is approved by members of an OASIS Technical Committee. The second, OASIS Open Standards, signifies work that has been approved by the committee members, proven in at least three real-world implementations, passed a 30-day public review, and ratified by the OASIS membership-at-large.

The Security Assertion Markup Language (SAML) has achieved OASIS Open Standard status as an XML-based framework for Web services that allows the exchange of authentication and authorization information among business partners. SAML enables Web-based security interoperability functions, such as single sign-on, across sites hosted by multiple companies. It is an important industry standard for federating diverse security domains across Web services environments and incorporates industry-standard protocols and messaging frameworks from W3C, such as XML Signature, XML Encryption, and SOAP. Most vendors of Web access management solutions have committed to SAML and are implementing the specification in their products.

The WS-Security specification provides a foundation for secure Web services, laying the groundwork for higher-level facilities such as federation, policy, and trust. WS-Security defines a standard set of SOAP extensions, or message headers, that can be used to implement integrity and confidentiality in applications. It is one of the first Web services standards to support, integrate, and unify multiple security models, mechanisms, and technologies, allowing a variety of systems to interoperate in a platform- and language-neutral manner.

The widespread need for the integration of systems and network management tools is causing the industry to take a more holistic approach to the management of networks - and Web services provide the ideal vehicle for making that happen. OASIS is developing a protocol that will enable businesses to manage their own Web services and oversee their interaction with services offered by other companies. The OASIS Management Protocol is being designed to manage desktops, services, and networks across an enterprise or Internet environment, allowing companies to manage systems regardless of the platform they use.

Web Services for Interactive Applications (WSIA) provides interactive application access through a coordinated set of XML vocabularies and Web services interfaces that allow companies to deliver Web applications to end users through a variety of channels - directly to a browser, indirectly through a portal, or embedded into a third-party Web application. It will enable any Web application - a package tracker, a calendar application, a stock quote - to be delivered and displayed to an end user as a Web service, regardless of the underlying Web platform, vendor-specific application format, or display device. With WSIA, companies will be free to syndicate their applications across different portals and Web site platforms without being limited by proprietary products. They will be able to dynamically share Web services without the time and labor of creating multiple vendor-specific connectors written to different Web languages.

Many continue to define Web services against a checklist of standards that is much too short. In reality, more than 50 different specifications are under development within OASIS alone, and most of these relate to Web services to some degree.

From foundational standards such as UDDI, to intermediary specifications such as Web Services for Remote Portals (WSRP) and Business Transaction Protocol (BTP), from traditional technologies such as Public Key Infrastructure (PKI), to broad solutions such as ebXML, OASIS standards go beyond the bare-bones definition proposed by many tunnel visionaries. Indeed, mission-critical Web services standards require interoperability on a much grander scale.