The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Last modified: February 12, 2001
AuthXML Standard for Web Security

[December 04, 2000] "AuthXML is a specification for authentication and authorization information in XML. AuthXML is a transport-independent XML definition that allows security authorities in separate organizations to communicate about authentication, authorization, user profiles and authenticated user sessions in an open way. The expanded use of secured networked applications, within enterprises and between them, has led to increased complexity for users and administrators. Users are often required to make multiple logons to different applications in different security domains. Some solutions for reducing the security complexity for users have been proposed and implemented. Generally they are monolithic, requiring a single, authoritative user database which all other databases and applications must obey. Some solutions use a distributed model, with trust between domains, but these are usually proprietary or ad hoc. The purpose of the AuthXML standard is to provide an open framework for resource realms, such as applications and Web sites, to trust security domains. It requires two key technologies to ensure secure, open implementations: (1) XML, the Extensible Markup Language, an open standard for language definitions. The wide usage of XML and variety of XML processors allows for a variety of implementations of the AuthXML standard. (2) Digital Signatures (XML Signature), a standard for securely verifying the origins of messages. The XML Signature specification allows for XML documents to be signed in a standard way, with a variety of different digital signature algorithms. Digital signatures can be used for validation of messages and for non-repudiation. AuthXML is a flexible framework, requiring a minimum of functionality from implementations to meet the standard, while allowing maximum extensibility."

[November 16, 2000] Securant Technologies has "announced the formation of an open industry working group to facilitate the creation of the first XML-based standard for Web security, called AuthXML. This standard will leverage XML, which is platform and programming language independent, to enable authentication and authorization functions to be performed across and interoperate with multi-vendor Web security systems, packaged and custom Web applications, and network level security systems. AuthXML will allow integrated Web commerce and a transparent user experience by providing a standardized approach for presenting and keeping track of security details as a transaction or session traverses linked Web sites based on disparate technologies, applications and platforms. Securant has been working with its key customers and partners for several months to develop a framework for the AuthXML specification, and is now opening up its research and design efforts to help foster and accelerate the adoption of a universal standard. AuthXML is a vendor-neutral standard that enables integration of Web security, network security, B2B infrastructures and applications. AuthXML is named as such because it comprises 2 primary components: Authentication and Authorization and is designed to ease integration of transactions between trading partner sites that may be using different security systems and within a given site that may be deploying multiple applications that need integrated security. AuthXML will enable: (1) Faster deployment for customers through standards based integration, (2) Interoperability between Web security vendors allowing for secure and simplified integrated commerce, (3) Simplified user experience through reduced sign-ons across Web networks, (4) More tightly integrated Web sites and applications based on non-proprietary integration. AuthXML is intended to be a completely open standard for Web-based application security and inter-application integration. 
The standard defines a set of XML message formats, XML schemas and interaction models that web sites can use in order to provide seamless user experience and business transactions that span multiple parties and security domains across the Internet. AuthXML is not owned by any one vendor. Instead, the standards proposal will be submitted to an appropriate open standards body to ensure that it remains an open industry standard in which any interested companies and organizations can participate. The AuthXML 1.0 Specification is currently [2000-11-16] under development by Securant Technologies and some of its key partners and customers."


  • AuthXML Web site

  • AuthXML Working Group Web site

  • Announcement: "Securant Technologies Announces Formation of AuthXML Working Group to Create Industry Standard for Web Security." Also in PDF format. [cache]

  • AuthXML Description

  • FAQ document

  • AuthXML News

  • AuthXML Charter Members

  • AuthXML Specifications

  • Contact:

  • Securant Technologies

  • See also: "Security Services Markup Language (S2ML)."

  • [February 12, 2001] AuthXML Working Group Submits AuthXML Web Security Specification to OASIS. The AuthXML Working Group has announced the submission of its AuthXML specification to the OASIS XML Security Services Technical Committee. In January, Netegrity, Inc. and a small group of vendors also submitted their Security Services Markup Language draft specification to the OASIS TC. AuthXML is a vendor-neutral specification that enables the integration of proprietary Web security, network security, B2B infrastructures and applications with individual Internet-based user sessions and transactions; the AuthXML Working Group is comprised of over 45 active contributors. [Full context]

  • [January 17, 2001] "OASIS Unites Efforts to Develop XML Security Services Standard." - "Organizations supporting divergent security standards united in an effort to develop a common XML specification through the OASIS Security Services Technical Committee. OASIS, the global XML interoperability consortium, hosted the first meeting of its new technical committee, which will define an XML framework for exchanging authentication and authorization information. Initially formed within OASIS to complete the S2ML security standard, the new committee agreed to accept submissions of other relevant technologies, including AuthXML. 'Our goal is to work together to advance a common security standard,' said Eve Maler of Sun Microsystems, chair of the OASIS Security Services Technical Committee. 'Everyone agrees that consensus is critical. Through its open technical process, OASIS provides the safe environment necessary for real collaboration.' 'The result of our work at OASIS will be a single security services standard that will be widely accepted in the industry,' predicted Marc Chanliau of Netegrity. 'We brought S2ML to OASIS with that objective in mind, and we're confident that the technical committee has the critical mass to achieve our goal.' 'Supporters of AuthXML welcome the opportunity to work within OASIS for the good of true interoperability and the XML community at large,' commented Eric Olden of Securant Technologies. 'By channeling the momentum of AuthXML into the committee, we look forward to advancing the development of a common, unified standard.' The OASIS Security Services Technical Committee includes representatives from Baltimore Technologies, Cisco, Commerce One, DataChannel, Entegrity, Entrust, Hewlett-Packard, IBM, Jamcracker, Netegrity, Oblix, OpenNetwork, Securant, SilverStream, Sun Microsystems, Tivoli, Verisign, Vordel and WebMethods. Membership is expected to increase in the coming months. 
'Interest in advancing this work is extremely high,' said Karl Best, director of technical operations for OASIS. He added that record numbers of companies and individuals have joined the Consortium specifically to participate in developing a common security standard. The technical committee plans to publish draft specifications by June 2001 and to submit a formal specification to the OASIS membership by September 2001. Norbert Mikula of DataChannel, member of the OASIS Board of Directors and chair of its technical advisory committee, characterized the development schedule as, 'very aggressive.' He advised, 'Any organization affected by the issue of security should get involved now.'" See also "Security Services Markup Language (S2ML)."

  • [January 04, 2001] "Consortium Aims To Unite XML Security Standards. OASIS Group Plans to combine specifications from two rival vendors." By George V. Hulme. In Information Week Issue 818 (January 01, 2000), page 24. "A meeting set for next week could be a major step toward developing a single XML security standard that would give companies greater security authentication and authorization options when sharing data among customers, partners, and vendors. OASIS, a standards and interoperability consortium that's trying to blend two competing XML security standards into one, will host the meeting. The rival XML security specifications are backed by two security vendors: Securant Technologies Inc., which has AuthXML, and Netegrity Inc., with S2ML. Most analysts say the similarities between the proposed standards outweigh any differences. 'Until now, this has been a Securant vs. Netegrity issue. Now it looks like we have the cooperation of both sides,' says Pete Lindstrom, senior analyst, security strategies, at the Hurwitz Group. 'Hopefully, they'll both work within OASIS to develop something useful.' To make that happen, OASIS formed the Security Technical Committee, which will meet January 9, 2001. 'These companies are in a very competitive posture, and we help to neutralize that,' says Oasis executive director Laura Walker. 'Both are receptive to working together on this.' Participating vendors include Baltimore Technologies, Entegrity Solutions, Entrust Technologies, Hewlett-Packard, iPlanet, Netegrity, Oblix, OpenNetwork Technologies, Securant Technologies, Tivoli Systems, and TransIndigo. Even if OASIS is successful, however, analysts say it may be a year before products based on the standard are available."

  • [December 22, 2000] "Competing initiatives to vie for security standard." By Jeffrey Burt. In eWEEK (December 21, 2000). "The push to develop an XML-based standard for moving security information across disparate online trading systems is moving under the umbrella of the standards body OASIS. The Organization for the Advancement of Structured Information Standards earlier this month set up a technical committee to create a single standard for security information -- including authentication, authorization and user profiles. The first meeting of the group will be on Jan. 9. Included in the technical committee are backers of two competing programs announced in November whose aim is to develop a standard based on XML (Extensible Markup Language). Netegrity Inc., of Waltham, Mass., is heading a drive to make its Security Services Markup Language, or S2ML, the de facto standard in the security information field. Company officials said this week that more than 200 companies have put their support behind the initiative. San Francisco-based Securant Technologies Inc. is pushing its AuthXML program, which has the support of more than 70 companies, some of whom also were involved in the S2ML program. Both initiatives were announced within days of each other. Netegrity officials said they and their partners approached OASIS about creating a technical committee, which was unveiled December 6. Netegrity officials hope to have another meeting in February and a final specification developed by the middle of 2001. The committee initially will use the S2ML initiative as the basis for its work. Securant officials already have issued a third version of the AuthXML specification and will bring that to the technical committee..."

  • [December 04, 2000] "Leading Security Vendors, Service Providers, and Enterprises Cooperate on Standard for Secure Web Transactions. AuthXML Working Group Unveils List of 45 Charter Members. Prepares Specification for Submission to Standards Body." - "The AuthXML Working Group today announced that 45 organizations representing the vendor, service provider, and enterprise communities have joined the open and vendor neutral initiative to help create a standard way to secure Internet-based electronic transactions. The Working Group is finalizing preparations on the AuthXML specification for submission to the World Wide Web Consortium (W3C) and OASIS. Charter members include Access360, Arcot Systems, Argus Systems Group, Authentify, Authentor, BioNetrix, Bowstreet, Brown University, Calendra, Cap Gemini Ernst & Young, CertCo, Check Point Software Technologies, Citrix, Datek Online, Deloitte & Touche LLP, eBenX, Employease, Entact Information Security, Entrust Technologies, Epicentric, Equifax, Internet 2 Project, Keyware Technologies, Mackenzie Financial, McKesson, Novell, Oblix, Outlook Technologies, PricewaterhouseCoopers, ProofSpace, Royal Bank of Scotland, SAIC, Sandhill Systems, Secretariat du Conseil du Tresor, Securant Technologies, Secure Computing, Silverstream, SiteLite, SVi Retail, Thomson Financial, Transport Logistic Centre, University of Western Ontario, Urmet, Valicert, and Wave Systems Corp. The ability of the Internet to support secure electronic transactions that span multiple Web sites and organizations is limited by the fact that each organization has deployed its own separate security systems for performing user authentication and authorization. 
In order for the Internet to enable seamless yet secure transactions between trading partners, affiliated organizations, and between businesses and consumers, a standard method is required for presenting and maintaining security details as a user or session traverses linked Web sites that are based on disparate technologies, applications and platforms. AuthXML is a vendor-neutral specification that enables the integration of proprietary Web security, network security, B2B infrastructures and applications with individual Internet-based user sessions and transactions. The specification derives its name from the fact that it uses XML and links the two primary components of Web transaction security: Authentication and Authorization. AuthXML is designed to enable the seamless flow of Web-based transactions between trading partner sites that may be using different security systems, and within a given site that may be deploying multiple applications that require integrated security. The goal of the AuthXML Working Group is to achieve a universally accepted standard that enables authentication and authorization functions to be performed across and interoperate with multi-vendor Web security systems, packaged and custom Web applications, and network level security systems - using XML technology."

  • [August 07, 2000] "Directories Learn Sharing Is Good." By Rutrell Yasin. In InternetWeek (August 04, 2000). "As e-businesses use directory technology to give partners access to its systems, authorization -- the assigning of user privileges and rights -- becomes vital. Authorization is impossible without sharing of entitlement information. The problem is simple: There is no standard approach for partners' access management systems to do such sharing. That could change. Netegrity and Securant plan to submit separate specifications based on the Extensible Markup Language (XML) to standards bodies such as the World Wide Web Consortium (W3) and the Internet Engineering Task Force (IETF). Netegrity will be promoting XML-based middleware software for user authorization while Securant will push its AuthXML specification. 'A set of rules and methods -- or schema -- based on XML would enable an online stock trading firm, for example, to seamlessly share user privilege information with a partnering financial services firm that offers 401K investments, even if the companies use different server and access control systems,' said Eric Olden, Securant's chief technology officer. But not all vendors are endorsing XML as a common platform to maintain consistent security policies across different access management systems, however, and some of the naysayers are big names. Hewlett-Packard is looking to support both XML and Java. Tivoli, an IBM company, is supporting the Open Group's AznAPI authorization API. . . Tivoli also will support XML where it is practical for customers, said Bob Kalka, a product line manager for the Tivoli SecureWay unit. Kalka said that AznAPI supports both Web and legacy systems while products from Netegrity and Securant are Web-only solutions. AznAPI can plug into the SecureWay Policy Director to determine authorization rights for a messaging application such as IBM's MQSeries, without requiring code rewrites, he noted. 
While vendor-specific deployment of XML-based systems will give users some added value, users would prefer suppliers to work together on a standard." See also "Users Seek Unified Directory Answers," InternetWeek July 31, 2000, page 13. Cf. "DIF Directory Interoperability Proposal."

  • [December 13, 2000] "Industry Must Embrace Combination of Open Web Access Standards for True Interoperability. No Single Standard Can Do It All." By Nand Mulchandani. December, 2000. Oblix position paper. "The document 'Industry Must Embrace Combination of Open Web Access Standards for True Interoperability' explores the various standards currently available, as well as those in various stages of ratification. On behalf of Oblix, Nand Mulchandani is a member of the proposal committees for S2ML (Security Services Markup Language) and AuthXML (authentication and authorization). Both proposed XML standards have been recently submitted to the Organization for the Advancement of Structured Information Standards (OASIS), an international consortium that advances electronic business by promoting open, collaborative development of interoperability specifications.... Adapting one universally accepted open standard has been offered up as the panacea for Internet interoperability issues. While the idea is appealing, it is not realistic. No single standard will solve all interoperability issues. Instead, a combination of different standards is required to produce true interoperability. For instance, two companies may agree on implementing the same XML data exchange format but will still not be able to interoperate if their XML Remote Procedure Call (RPC) mechanisms do not match. By defining such standards, enterprises are able to deploy infrastructure solutions that seamlessly span multiple companies without requiring each individual company to run proprietary, vendor-specific software. Oblix envisions open standards that will encompass identity, authentication, authorization, sessions, and transactions in a combination of XML and other evolving industry standards."

Robin Cover, Editor: