Last fall, Mountain View, Calif.-based VeriSign Inc. launched a campaign to build the XML Key Management Specification (XKMS), which CEO Stratton Sclavos touted as the Holy Grail of key interoperability for public-key infrastructure (PKI). Sun Microsystems Inc., IBM, Microsoft Corp. and other vendors quickly jumped on the bandwagon as co-authors.
But IT managers are approaching these developments with caution.
"XKMS builds on top of SOAP [Simple Object Access Protocol] and WSDL [Web Services Description Language], and is supposed to simplify all this sort of stuff by making key negotiation, digital signature, verification and authentication done within the context of XML messages," says Dan Moniz, a research scientist at OpenCola Ltd., a peer-to-peer application developer in Toronto.
Except for the fact that all this data is processed in XML instead of binary, Moniz doesn't see much difference between XKMS and how security is done today: for example, certificate revocation list, back-end Secure Sockets Layer tool kits or buying certificates from VeriSign.
But common formats are good, he says, and could eventually ease interoperability issues now holding back the widespread adoption of PKI.
"If you want to automate the process of checking the validity of a document, it's good to use a standard format," says Lorrie Cranor, principal technical staff member at AT&T Labs in Florham Park, N.J. And encoding in XML is simple, says Judy Lin, senior vice president of product development at VeriSign.
The dicey part will be making sense of all these new standards coming out, says John Goeller, director of Credit Swiss First Boston Next Group, the e-commerce unit of Credit Swiss First Boston, and director of an International Standards Organization working group on XML interoperability for the securities industry.
For now, XML encryption and authentication is mostly acronym soup that falls under a single working title called SAML, for Security Authentication Markup Language. SAML is a unifying XML security standard for exchanging authentication and authorization information that will interoperate with other XML security standards and protocols in the works. Hurwitz Group Inc. security analyst Pete Lindstrom says SAML will operate like a "CredEx" -- real-time credential delivery, anytime, anyplace.
The hope is that SAML will interoperate with and therefore unify the following XML security standards in the works:
- XKMS
- XML Signature
- XML Encryption
- XML Protocol
- BEEP (Blocks Extensible Exchange Protocol Core)
- ebXML (electronic business framework XML)
- Shibboleth (support for interinstitutional authentication and authorization for access to Web pages)
- DSML (Directory Services Markup Language)
- XACML (Extensible Access Control Markup Language)
In addition, Securant Technologies Inc. in San Francisco has developed the standard AuthXML, an open industry standard for interoperable authentication and authorization tools that track credentials through Web-based transactions.
Security Risk and Reward
Stories in this report:
- Want to Save Some Money? Automate Password Resets
- Knowldge Quest
- Companies Need Security Pros With More Varied Skills
- Finding Answers
- The Enemy Within
- The Threat of XML
- SOAP, Other Protocols Specify Security for XML
- The Problem With Power
- Top 10 Security Mistakes
- Playing By Europe's Rules
- False Alarm?
- An Ounce of Intrusion Prevention
- Deadly Pursuit
- IDS Products and Prices
- Should You Outsource IDS?
- Who He Is
- Manager Offers Primer On Computer Forensics
- Unlocking Secure Online Commerce
- Too Late For Digital Certificates?
- Giving Users Back Their Privacy
- Feeling Safe With IT Security Deals
- Finjan's Software Bolcks Active Content Threat
- Security Statistics
- The Guardian
- Congress Considers Slew of Bills That Will Affect IT, E-Commerce
- U.S. Legislators Ponder Masses of Bills; Outlook Remains Murky
- Rule Changes May Further Protect Company Security Data
- Getting Started in Computer Forensics
- PKI Carries the Mail for U.S. Postal Service
- Security by Syntax