[rights] [news] STANDARDS BODIES SEEK TO RECONCILE WEB SERVICESSECURITY

[John Erickson <john_erickson@hplb.hpl.hp.com>]

STANDARDS BODIES SEEK TO RECONCILE WEB SERVICES SECURITY
By Shawna McAlearney

Seeking common ground for the implementation of Web security standards, the
Organization for the Advancement of Structured Information Standards (OASIS) and
the World Wide Web Consortium (W3C) took a small step forward Monday to
reconcile differences in integration and resource allocation.

"We are looking at ways in which we can maximize the consistency across the
standards," says Phillip Hallam-Baker, a Web services security architect at
VeriSign. "The whole industry realizes the potential of Web services, but
without trust and security Web services are dead on arrival."

According to Hallam-Baker, the W3C and OASIS working groups are addressing
different levels of security infrastructure and the specifications are
complementary, rather than competitive.

The key standards under W3C include XML Encryption, XML Signature and eXtensible
Key Management Specification (XKMS). OASIS's key standards include eXtensible
Rights Markup Language (XrML); WS-Security; Security Assertion Markup Language
(SAML); and eXtensible Access Control Markup Language (XACML).

"For example XKMS and SAML both define a mechanism for authenticating SOAP
messages," says Hallam-Baker. "WS-Security is a level higher, encompassing our
experience with XKMS and SAML and providing a framework for applying standards
to authenticate and encrypt any type of Web services message. One specification
takes off where the other ends."
http://www.oasis-open.org/presentations/security.shtml

| John S. Erickson, Ph.D.
| Hewlett-Packard Laboratories
| PO Box 1158, Norwich, Vermont USA 05055
| 802-649-1683 (vox) 802-371-9796 (cell) 802-649-1695 (fax)
| john_erickson@hpl.hp.com         AIM/YIM/MSN: olyerickson