Announcements from Entrust on 2002-10-07 outline a comprehensive vision and product delivery roadmap for web services security, to be offered through the Entrust Secure Transaction Platform. "Developed using open industry standards, these services initially include: (1) the Entrust Identification Service, designed to enable validation of federated and non-federated identities across a spectrum of standards-based identification methods, including digital certificates and UserID/passwords. This capability enhances Web services application security by managing multiple identification methods; it also allows organizations to centrally specify which identities are accepted for Web services transactions; (2) The Entrust Entitlements Service, which implements the Security Assertion Markup Language (SAML) standard protocol that enables applications to validate that an identity has a right to interact with specific Web services; (3) The Entrust Verification Service, which supports accountability and integrity for more trusted transactions through centralized digital signature and time stamping capabilities, implemented using standards-compliant XML Digital Signatures." Entrust announced that it has submitted a set of related security standards proposals for Web services to OASIS. "These standards proposals specify open, XML protocols for digital signature and timestamping services operating in a Web services context."
An Entrust white paper Delivering Web Services Security: The Entrust Secure Transaction Platform "discusses how Web services will be the fundamental technology platform for business process integration and how Entrust plans to deliver a set of fundamental security capabilities for Web services based on a new security platform. The Entrust Secure Transaction Platform is a new security framework for defining how to integrate foundation security services into Web services applications. This platform will allow companies and governments to more easily integrate and deploy security services that add identification, privacy, entitlements and verification to make their Web services transactions trusted transactions... The Entrust Secure Transaction Platform will enable organizations to directly call Foundation Security Services from their Web applications, or to alternatively integrate these services into SOAP firewalls and application server plug-ins that transparently provide security to applications..."
From the Security Standards Development announcement:
Entrust, Inc., a leading global provider of Internet security solutions and services, today announced that it has submitted a set of security standards proposals for Web services to the Organization for the Advancement of Structured Information Standards (OASIS). These standards proposals specify open, XML protocols for digital signature and timestamping services operating in a Web services context. Entrust has submitted these proposals to accelerate the adoption of Web services standards, and is committed to implementing these standards as they evolve through and emerge from the OASIS standards body.
Complementing and extending Web services security standards such as WS-Security and XML Digital Signatures, these proposals will enable new capabilities necessary for binding and auditable transactions. Transactions within and between organizations will require this security to enable automated business processes that will allow organizations to realize the promise of interoperable Web services. Leading Enterprise Application Integration vendors including TIBCO and webMethods recognize the value of these capabilities and support Entrust's submission of these proposed interfaces to OASIS.
"As a company dedicated to delivering robust business integration solutions, Web services represents a critical component in our integration strategy," said Don Adams, principal security architect at TIBCO Software, Inc. "This technology delivers the interoperability necessary to meet our customers' demanding requirements. Security is a critical and necessary component to realize the promise of Web services. We applaud Entrust's leadership role in developing these new Web services security standards. TIBCO is committed to participation in this important standards effort and to the adoption of standards emerging from OASIS."
"From the beginning, webMethods' software has been based upon XML and built as a service based architecture," said Jeremy Epstein, director of product security for webMethods. "Due to our long legacy creating Web services for large global organizations, we're well-versed in the security requirements necessary to fill the gaps in the existing Web services standards. We believe Entrust's pioneering efforts in the new Web services security standards will play an important role in providing companies with the comfort level they need to promote the mass adoption of Web services."
"As a sponsor member of OASIS, we are excited about these proposals which we feel are essential to the development of Web services security," said Bill Conner, chairman, president and CEO of Entrust. "We view open, interoperable digital signature and timestamping services as critical components of our recently announced, comprehensive Entrust Secure Transaction Platform. In addition, we are bolstered by the level of support our standardization efforts have already received from important Web services partners."
"Just as it led in the early stages of standardizing public key infrastructure, Entrust is a key contributor and leader in developing the next generation of Web services security standards, and in making such services accessible to enterprise customers. Commerce between companies and supply chains require timestamping and signing services from trusted sources to support non-repudiation for high value business transactions. OASIS provides an open standards forum to continue the work begun by Entrust in this important aspect of securing Web services."
Digital signatures and timestamping provide the necessary long-term integrity and accountability for online business transactions. Through these capabilities, organizations are able to determine the parties involved in a transaction, the specific moment in time the transaction occurred, and that the transaction has not been altered since it was digitally signed -- all essential attributes of important business transactions.
Entrust's digital signature and timestamping Services represent two central capabilities of the Entrust Verification Service, which enables long-term accountability and integrity for Web services transactions. The Verification Service is part of Entrust's Secure Transaction Platform, a portfolio of products that deliver security for Web services. This new platform will support a broad range of additional standards to maximize interoperability, including XML, SOAP, SAML, and WS-Security.
From the Roadmap announcement: "The Entrust Secure Transaction Platform will provide support for leading application servers and platforms to extend interoperable security services across an enterprise's existing infrastructure. These services provide organizations with flexible options for integrating security into Web services environments... Entrust is committed to Web services and the industry standardization efforts that will drive adoption... customers and partners today implement the Entrust Authority Security Toolkit for Java to add security to Web services transactions using the 'XML-Signature Syntax and Processing' (XML Digital Signature), a W3C recommendation and IETF draft standard that Entrust helped initiate and co-author in 1999. The Secure Transaction Platform also provides support for major Web services and Internet security standards, including SAML, XML Digital Signatures, WS-Security, X.509v3 digital certificates, Secure Sockets Layer (SSL), and many others..."
- Update: Entrust Contributes Digital Signature Protocol Specifications to OASIS DSS TC.
- Announcement 2002-10-07: "Entrust Leads Security Standards Development for Web Services. Leading EAI Vendors, including webMethods and TIBCO, Support Security Standards to Accelerate Web Services Deployment."
- Announcement 2002-10-07: "Entrust Unveils Comprehensive Vision And Product Delivery Roadmap For Web Services Security. Entrust Secure Transaction Platform Provides Open, Interoperable, and Flexible Security Solutions for Web Services Applications -- BEA, IBM Support."
- Entrust Secure Transaction Platform
- Entrust Secure Transaction Platform - Frequently Asked Questions
- Delivering Web Services Security: The Entrust Secure Transaction Platform. Entrust White Paper. 12 pages. See the company list of white papers.
- Entrust Standards Compliance and Participation in Standards Bodies
- Entrust, Inc. website
- See: "Security Assertion Markup Language (SAML)"
- See: "XML Digital Signature (Signed XML - IETF/W3C)"