The World Wide Web Consortium (W3C) and OASIS -- two bodies building critical Web services and security standards -- held a public forum this week to better coordinate their work in this crucial area.

While the meeting was mainly informational in nature (slides and other info can be found here), the symbolism of the effort was not lost. The two standard bodies are wrestling with how to avoid overlap while also coordinating their efforts to ensure key Web and XML specifications remain interoperable.

The W3C has created core Web standards ranging from HTML to XML, as well as Web services security standards such as XML-Encryption and XML-Signatures. It has also formed a Web Services Architecture group to guide the big picture deployment of these new, more distributed services architectures.

OASIS, meanwhile, was first known for its work on the global e-business standard ebXML but has come on particularly strong in the world of Web services and especially XML security. It now runs six technical committees looking at Web services security, including technologies for authentication, access control, provisioning, biometrics, digital rights, and overall Web services security.

"What we had intended when we organized this was to review the current state of security standards, where they fit together and figure out the missing pieces," said Karl Best, OASIS director of technical operations. "What we discovered was that what people were most concerned about is that we need to work on the interoperability of existing specifications rather than work on new pieces."

The W3C and OASIS already work together at an informal level -- and it's important to note that OASIS is actually a W3C member. Overall, the W3C looks to be best at developing infrastructure-level specifications, especially those that affect the World Wide Web. OASIS works a level up, focusing on e-business and increasingly business-driven Web services and security applications that in many cases consume W3C specs.

"The level of coordination at informal levels is the way that most work ends up getting done," said Janet Daley, W3C spokesperson and the co-chair of this week's security forum. "[For the W3C], what's most important is to try to [forward] a broad-picture architectural model that doesn't forget the 'Web' in Web services," she said.

Yet although the groups have common goals, particularly a renewed emphasis on interoperability, the two go about their jobs in very different ways. The impact of those different approaches is still being sorted out -- and can be a sensitive topic among backers of each organization.

This has come to light especially in the area of Web services security. Depending who you ask, at least some of the work that ultimately ended up in the WS-Security specification -- now moving on a standards track at OASIS -- began at the W3C. Clearly, the W3C saw some of the technology directions that WS-Security defines as within its realm of influence.

But when it came time for WS-Security creators IBM, Microsoft, and VeriSign to take their work and place it in a standards body, it chose OASIS.

OASIS CEO Patrick Gannon said his body is the perfect place for such business-driven specifications. "What OASIS is really about is taking the core standards, things like SOAP and digital signatures, and applying them to business needs."

At the same time, the W3C's more rigorous processes -- with plenty of public discussions, drafts and re-drafts -- may not always appeal when commercial vendors are leading a standards process, said the W3C's Daly. Not to mention the fact that, at least for now, the W3C demands only royalty-free technical submissions while OASIS members can -- if they are clear and open about it, OASIS' Gannon stresses -- build specifications with technologies that ultimately may draw license fees.

"It is easier for that first draft to be written with your friends," said the W3C's Daly. "You can write them to your own needs rather than think of a more heterogeneous set of needs. You don't have to work with the whole room."

While admitting that the two group's "differences in processes can provide a challenge," the W3C's Daly said the two standards bodies have a strong work relationship and definitely do not want their work to overlap. Resources are too precious for that. "There's not need to reinvent the wheel," Daly said. "As long as [the work at OASIS] is sound and fits the model of Web architecture, more power to them to get the work done."

In the end, neither group "controls" the work that gets done or which standard body does it -- both are driven by their members. "I don't know if we'll ever see a firm, hard line established" for what work fits OASIS and what work fits the W3C, not to mention other standards bodies like the IETF, said OASIS' Best. "My sense of the marketplace is that it's really kind of futile for organizations to draw very heavy lines of 'we only do this and you only do that. We're member driven, we'll do the work that our members submit."

With that said, OASIS' Gannon said his group and the W3C will -- driven by member feedback -- look for new areas where they can better coordinate their efforts. One candidate might be UDDI, which OASIS recently picked up, but which must work closely with W3C-driven technologies like WSDL, or Web Services Description Language. Another area is Web messaging, and the intersection of SOAP and ebXML, he said. Not to mention that the two group's security efforts will continue to feed off one another.

"Clearly what we've tried to do this week is reinforce the openness and cooperative spirit between the two groups," Gannon said.