Web security standards no easy task
- By Paul Korzeniowski
- Mar 09, 2003
Computing technology has moved in waves, starting with mainframes, moving to PCs and client/server models and then to the Web. With each of these transitions came a need to rewrite underlying security protocols so they can operate in new
With Extensible Markup Language serving as the foundation for the next wave — collectively referred to as Web services — there comes the requirement to add security functions to the markup language. Because this new computing paradigm focuses on the complex interplay of hardware, software and networking, a number of standards groups are involved in the process, including the Internet Engineering Task Force (IETF), the World Wide Web Consortium (W3C) and the Organization for the Advancement of Structured Information
These groups have devised more than a dozen security protocols that will play a role in delivering Web services. Here are brief descriptions of the specifications, the roles they will play in electronic transactions and the groups responsible for them.
* Security Assertion Markup Language helps users and computers authenticate and authorize information exchanges.
* Extensible Access Control Markup Language is a specification for expressing policies for information access.
* Service Provisioning Markup Language defines how to exchange user, resource and service provisioning information.
* Web Services Security adds XML security protocols to Simple Object Access Protocol.
* Extensible Rights Markup Language manages copyrights for digital content.
* XML Common Biometric Format defines an XML version of the Common Biometric Exchange File Format.
* XML Digital Signature provides integrity, signature assurance and nonrepudiation of various transactions.
* XML Encryption encrypts and decrypts digital content.
* XML Key Management Specification provides a method for obtaining cryptographic keys.
* Transport Layer Security builds on Secure Sockets Layer to secure Internet traffic between two points.
* Simple Authentication and Security Layer adds authentication to connection-based protocols.
* Kerberos provides tickets for authenticating users.
* Blocks Extensible Exchange Protocol helps establish quality of service over the Internet.