VeriSign Trust Service Integration Kit (TSIK)
VeriSign Offers Open Source WS-Security Implementation and Integration Toolkit
Helps Developers Integrate Security Into Web Services
Effort Continues VeriSign's Commitment to Driving Trusted Web Services With Royalty-Free Implementation
Mountain View, CA, USA. December 10, 2002.
Furthering its commitment to trusted Web services, VeriSign, Inc., the leading provider of digital trust services, announced today the royalty free availability of technology that will allow companies to integrate digital signatures and encryption into Web services.
Based on the recently announced WS-Security specification and Addendum, which was co-written by IBM, Microsoft, and VeriSign, this implementation provides enterprises, software developers and systems integrators with code they can use to achieve higher levels of trust and security when designing Web services applications and services. Offering this code as open source is intended to accelerate widespread adoption of Web services by making them even easier to secure.
In addition, VeriSign announced that it has made available a version of its VeriSign Trust Service Integration Kit (TSIK) with security features for Web services, such as XML Signature, XML Encryption and XML Key Management Services (XKMS). VeriSign TSIK is a Java-based developer toolkit for integrating security capabilities into Web services.
"Companies simply will not implement Web services until the industry adequately addresses the issues of trust and security," said Dr. Phillip Hallam-Baker, VeriSign's Principal Scientist and Web Services Security Architect. "We are helping to address those critical issues by taking a leadership role in providing customers and developers with some extremely useful code that they can implement in their Web services applications today to alleviate those concerns."
"Web services simply provide too many benefits for companies to ignore. Organizations can save tangible money on integration just through the 're-use' capabilities of Web services," said Shawn Willett, principal analyst, Current Analysis. "Trouble is, many are still waiting for Web services to be secured easily and reliably. By providing the WS-Security (draft) compliant code as open source, VeriSign will help boost broad adoption of Web services among an audience that clearly needs them."
VeriSign will provide an open source implementation of WS-Security through its open source libraries, providing resources for building interoperable, trusted Web services using the proposed WS-Security standard. The VeriSign libraries can be deployed to provide protocol support for both client and server applications. In a typical situation, a Web service will rely on these libraries to add secure messaging to whatever business logic the Web service supports.
The Trust Service Integration Kit includes three basic components: the messaging framework, the trust layer and XML resources.
The messaging framework brings together various VeriSign Application Programming Interfaces (APIs) to provide a robust environment for developing secure, trusted, interoperable Web services. The Java libraries enable developers to create Java objects for sending and receiving XML messages in conjunction with a customer Web service API. The messaging framework can be used to specify signing and encryption keys for assuring authentication, data integrity and confidentiality, which can be augmented with trust assertions to add authorization capabilities for access management. This is the key layer of the API, enabling developers to transparently rely on lower-level APIs for doing complex operations quickly, simply and reliably. As a result, WS-Security (draft) compliant Web services can be developed with just a few simple calls to the API. The API also gives developers the flexibility to create highly customized mechanisms for securing Web services messaging by "going under the hood."
The trust layer provides APIs for security XML messages using public key infrastructure (PKI), and includes implementations of two key specifications, W3C XML Digital Signature and XML Encryption. These implementations emphasize ease-of-use over feature coverage. The design goal is based on the assumption that simplicity helps developers avoid mistakes and, as such, increases the security of applications. The API also includes an a VeriSign-designed interfaced called the "Trust Verifier," which gives developers the flexibility to enforce trust policies for applications. The Trust Verifier provides several mechanisms, including real-time XML Key Management Specification (XKMS) lookups, for establishing whether a public key or certificate chain is trusted. Digital signatures and encryption interoperability has been tested with all major toolkits, including IBM, Microsoft, and Apache.
The API also includes low-level resources for directly manipulating XML, building data types, navigating through document structures, validating the format of schemas and interfacing with parsers.
Terms and Availability
The open source Java libraries will be available later this month [December 2002] on a no-warranty basis for download at www.sourceforge.net. Those downloading the libraries with the intention of implementing them as part of a product offering may be subject to licensing terms set by IBM and Microsoft.
The Trust Services Integration Kit (TSIK) will be available for download at:
VeriSign, Inc. is the leading provider of digital trust services that enable everyone, everywhere to engage in commerce and communications with confidence. VeriSign's digital trust services create a trusted environment through four core offerings - Web presence services, telecommunication services, security services, and payment services - powered by a global infrastructure that manages billions of network connections and transactions a day. Additional news and information about the company is available at www.verisign.com.
VeriSign Media Relations
Tel: +1 650-426-4470
VeriSign Investor Relations
Tel: +1 650-426-4560
Prepared by Robin Cover for The XML Cover Pages archive. See: (1) "Web Services Security Specification (WS-Security)."; (2) "XML Digital Signature (Signed XML - IETF/W3C)."; (3) "XML and Encryption."; (4) "XML Key Management Specification (XKMS)." Other references at XML Security.