SOAP, Other Protocols Specify Security for XML

Computerworld - Microsoft's Simple Object Access Protocol (SOAP) has garnered a lot of attention, especially since it was submitted to the W3C as a possible standard for XML-based communication among object-oriented applications.

	DEFINITION
	SOAP An XML-based protocol that passes messages from one software component to another across the Internet, using HTTP, SMTP and other standard protocols.

SOAP authors, including Microsoft and IBM, addressed that lack of information in February, submitting a new set of SOAP security specifications to the W3C.

Based on XML, SOAP is used in middleware for communication among information systems built on different technologies.

Version 1.1 of the specification, announced in April of last year, let SOAP messages, which are based on HTML, sail freely through most firewalls. That gave legitimate business partners free entry to remotely activate code and exchange information. But it also extended the same welcome mat to hackers, said James Kobielus, an analyst at Midvale, Utah-based The Burton Group Inc.

The February extension to SOAP proposes a way to use the XML digital signature syntax to sign and authenticate SOAP 1.1 messages.

It also proposes definition of an extensible name space for adding to the SOAP header further security features, such as biometric signatures and XML encryption, as standards become available.

The W3C has appointed a working group to develop an open standard protocol similar to SOAP called XML-Protocol.

Although the SOAP specification is maturing, applications that require stringent security, such as securities trading, continue to use stronger protocols, such as electronic-business XML (ebXML).

That specification is a collaborative effort of an IBM-led consortium, the Organization for the Advancement of Structured Information Standards (OASIS), and the United Nations. That group is working on standards for authorization and access control, said Robert Sutor, IBM's director of e-business standards strategy.

Emerging in the next few months will be a road map to XML security, but "it will take coordination among the W3C, OASIS and other organizations in a way we haven't seen before," Sutor said.

—Sami Lais