VeriSign Trust Service Integration Kit (TSIK)

VeriSign Offers Open Source WS-Security Implementation and Integration Toolkit

Helps Developers Integrate Security Into Web Services

Effort Continues VeriSign's Commitment to Driving Trusted Web Services With Royalty-Free Implementation

Mountain View, CA, USA. December 10, 2002.

Furthering its commitment to trusted Web services, VeriSign, Inc., the leading provider of digital trust services, announced today the royalty free availability of technology that will allow companies to integrate digital signatures and encryption into Web services.

Based on the recently announced WS-Security specification and Addendum, which was co-written by IBM, Microsoft, and VeriSign, this implementation provides enterprises, software developers and systems integrators with code they can use to achieve higher levels of trust and security when designing Web services applications and services. Offering this code as open source is intended to accelerate widespread adoption of Web services by making them even easier to secure.

In addition, VeriSign announced that it has made available a version of its VeriSign Trust Service Integration Kit (TSIK) with security features for Web services, such as XML Signature, XML Encryption and XML Key Management Services (XKMS). VeriSign TSIK is a Java-based developer toolkit for integrating security capabilities into Web services.

"Companies simply will not implement Web services until the industry adequately addresses the issues of trust and security," said Dr. Phillip Hallam-Baker, VeriSign's Principal Scientist and Web Services Security Architect. "We are helping to address those critical issues by taking a leadership role in providing customers and developers with some extremely useful code that they can implement in their Web services applications today to alleviate those concerns."

"Web services simply provide too many benefits for companies to ignore. Organizations can save tangible money on integration just through the 're-use' capabilities of Web services," said Shawn Willett, principal analyst, Current Analysis. "Trouble is, many are still waiting for Web services to be secured easily and reliably. By providing the WS-Security (draft) compliant code as open source, VeriSign will help boost broad adoption of Web services among an audience that clearly needs them."

VeriSign will provide an open source implementation of WS-Security through its open source libraries, providing resources for building interoperable, trusted Web services using the proposed WS-Security standard. The VeriSign libraries can be deployed to provide protocol support for both client and server applications. In a typical situation, a Web service will rely on these libraries to add secure messaging to whatever business logic the Web service supports.

The Trust Service Integration Kit includes three basic components: the messaging framework, the trust layer and XML resources.

Messaging Framework

The messaging framework brings together various VeriSign Application Programming Interfaces (APIs) to provide a robust environment for developing secure, trusted, interoperable Web services. The Java libraries enable developers to create Java objects for sending and receiving XML messages in conjunction with a customer Web service API. The messaging framework can be used to specify signing and encryption keys for assuring authentication, data integrity and confidentiality, which can be augmented with trust assertions to add authorization capabilities for access management. This is the key layer of the API, enabling developers to transparently rely on lower-level APIs for doing complex operations quickly, simply and reliably. As a result, WS-Security (draft) compliant Web services can be developed with just a few simple calls to the API. The API also gives developers the flexibility to create highly customized mechanisms for securing Web services messaging by "going under the hood."

Trust Layer

The trust layer provides APIs for security XML messages using public key infrastructure (PKI), and includes implementations of two key specifications, W3C XML Digital Signature and XML Encryption. These implementations emphasize ease-of-use over feature coverage. The design goal is based on the assumption that simplicity helps developers avoid mistakes and, as such, increases the security of applications. The API also includes an a VeriSign-designed interfaced called the "Trust Verifier," which gives developers the flexibility to enforce trust policies for applications. The Trust Verifier provides several mechanisms, including real-time XML Key Management Specification (XKMS) lookups, for establishing whether a public key or certificate chain is trusted. Digital signatures and encryption interoperability has been tested with all major toolkits, including IBM, Microsoft, and Apache.

XML Resources

The API also includes low-level resources for directly manipulating XML, building data types, navigating through document structures, validating the format of schemas and interfacing with parsers.

Terms and Availability

The open source Java libraries will be available later this month [December 2002] on a no-warranty basis for download at www.sourceforge.net. Those downloading the libraries with the intention of implementing them as part of a product offering may be subject to licensing terms set by IBM and Microsoft.

The Trust Services Integration Kit (TSIK) will be available for download at:

http://www.xmltrustcenter.org/developer/verisign/tsik/index.htm.

About VeriSign

VeriSign, Inc. is the leading provider of digital trust services that enable everyone, everywhere to engage in commerce and communications with confidence. VeriSign's digital trust services create a trusted environment through four core offerings - Web presence services, telecommunication services, security services, and payment services - powered by a global infrastructure that manages billions of network connections and transactions a day. Additional news and information about the company is available at www.verisign.com.

Contacts

VeriSign Media Relations
Dave Berkowitz
Email: dberkowitz@verisign.com
Tel: +1 650-426-4470

VeriSign Investor Relations
Steven Gatoff
Email: sgatoff@verisign.com
Tel: +1 650-426-4560

[Source: http://www.verisign.com/corporate/news/2002/pr_20021210b.html]

Prepared by Robin Cover for The XML Cover Pages archive. See: (1) "Web Services Security Specification (WS-Security)."; (2) "XML Digital Signature (Signed XML - IETF/W3C)."; (3) "XML and Encryption."; (4) "XML Key Management Specification (XKMS)." Other references at XML Security.

SEARCH Advanced Search ABOUT Site Map CP RSS Channel Contact Us Sponsoring CP About Our Sponsors NEWS Cover Stories Articles & Papers Press Releases CORE STANDARDS XML SGML Schemas XSL/XSLT/XPath XLink XML Query CSS SVG TECHNOLOGY REPORTS XML Applications General Apps Government Apps Academic Apps EVENTS LIBRARY Introductions FAQs Bibliography Technology and Society Semantics Tech Topics Software Related Standards Historic	VeriSign Trust Service Integration Kit (TSIK) VeriSign Offers Open Source WS-Security Implementation and Integration Toolkit Helps Developers Integrate Security Into Web Services Effort Continues VeriSign's Commitment to Driving Trusted Web Services With Royalty-Free Implementation Mountain View, CA, USA. December 10, 2002. Furthering its commitment to trusted Web services, VeriSign, Inc., the leading provider of digital trust services, announced today the royalty free availability of technology that will allow companies to integrate digital signatures and encryption into Web services. Based on the recently announced WS-Security specification and Addendum, which was co-written by IBM, Microsoft, and VeriSign, this implementation provides enterprises, software developers and systems integrators with code they can use to achieve higher levels of trust and security when designing Web services applications and services. Offering this code as open source is intended to accelerate widespread adoption of Web services by making them even easier to secure. In addition, VeriSign announced that it has made available a version of its VeriSign Trust Service Integration Kit (TSIK) with security features for Web services, such as XML Signature, XML Encryption and XML Key Management Services (XKMS). VeriSign TSIK is a Java-based developer toolkit for integrating security capabilities into Web services. "Companies simply will not implement Web services until the industry adequately addresses the issues of trust and security," said Dr. Phillip Hallam-Baker, VeriSign's Principal Scientist and Web Services Security Architect. "We are helping to address those critical issues by taking a leadership role in providing customers and developers with some extremely useful code that they can implement in their Web services applications today to alleviate those concerns." "Web services simply provide too many benefits for companies to ignore. Organizations can save tangible money on integration just through the 're-use' capabilities of Web services," said Shawn Willett, principal analyst, Current Analysis. "Trouble is, many are still waiting for Web services to be secured easily and reliably. By providing the WS-Security (draft) compliant code as open source, VeriSign will help boost broad adoption of Web services among an audience that clearly needs them." VeriSign will provide an open source implementation of WS-Security through its open source libraries, providing resources for building interoperable, trusted Web services using the proposed WS-Security standard. The VeriSign libraries can be deployed to provide protocol support for both client and server applications. In a typical situation, a Web service will rely on these libraries to add secure messaging to whatever business logic the Web service supports. The Trust Service Integration Kit includes three basic components: the messaging framework, the trust layer and XML resources. Messaging Framework The messaging framework brings together various VeriSign Application Programming Interfaces (APIs) to provide a robust environment for developing secure, trusted, interoperable Web services. The Java libraries enable developers to create Java objects for sending and receiving XML messages in conjunction with a customer Web service API. The messaging framework can be used to specify signing and encryption keys for assuring authentication, data integrity and confidentiality, which can be augmented with trust assertions to add authorization capabilities for access management. This is the key layer of the API, enabling developers to transparently rely on lower-level APIs for doing complex operations quickly, simply and reliably. As a result, WS-Security (draft) compliant Web services can be developed with just a few simple calls to the API. The API also gives developers the flexibility to create highly customized mechanisms for securing Web services messaging by "going under the hood." Trust Layer The trust layer provides APIs for security XML messages using public key infrastructure (PKI), and includes implementations of two key specifications, W3C XML Digital Signature and XML Encryption. These implementations emphasize ease-of-use over feature coverage. The design goal is based on the assumption that simplicity helps developers avoid mistakes and, as such, increases the security of applications. The API also includes an a VeriSign-designed interfaced called the "Trust Verifier," which gives developers the flexibility to enforce trust policies for applications. The Trust Verifier provides several mechanisms, including real-time XML Key Management Specification (XKMS) lookups, for establishing whether a public key or certificate chain is trusted. Digital signatures and encryption interoperability has been tested with all major toolkits, including IBM, Microsoft, and Apache. XML Resources The API also includes low-level resources for directly manipulating XML, building data types, navigating through document structures, validating the format of schemas and interfacing with parsers. Terms and Availability The open source Java libraries will be available later this month [December 2002] on a no-warranty basis for download at www.sourceforge.net. Those downloading the libraries with the intention of implementing them as part of a product offering may be subject to licensing terms set by IBM and Microsoft. The Trust Services Integration Kit (TSIK) will be available for download at: http://www.xmltrustcenter.org/developer/verisign/tsik/index.htm. About VeriSign VeriSign, Inc. is the leading provider of digital trust services that enable everyone, everywhere to engage in commerce and communications with confidence. VeriSign's digital trust services create a trusted environment through four core offerings - Web presence services, telecommunication services, security services, and payment services - powered by a global infrastructure that manages billions of network connections and transactions a day. Additional news and information about the company is available at www.verisign.com. Contacts VeriSign Media Relations Dave Berkowitz Email: dberkowitz@verisign.com Tel: +1 650-426-4470 VeriSign Investor Relations Steven Gatoff Email: sgatoff@verisign.com Tel: +1 650-426-4560 [Source: http://www.verisign.com/corporate/news/2002/pr_20021210b.html] Prepared by Robin Cover for The XML Cover Pages archive. See: (1) "Web Services Security Specification (WS-Security)."; (2) "XML Digital Signature (Signed XML - IETF/W3C)."; (3) "XML and Encryption."; (4) "XML Key Management Specification (XKMS)." Other references at XML Security.