The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Last modified: February 21, 2001
Security Services Markup Language (S2ML)

[November 16, 2000] Netegrity, Inc. has "announced that it is working with a group of industry leading companies to define the first standard for enabling secure e-commerce transactions using XML. The industry's first major collaboration, called Security Services Markup Language (S2ML), will create a common language for sharing security information about transactions and end users between companies engaged in online B2B and B2B2C transactions. Authors of the S2ML specification are Bowstreet, Commerce One, Jamcracker, Netegrity, Sun Microsystems, VeriSign, and webMethods. Reviewers of the specification include Art Technology Group, Oracle, PricewaterhouseCoopers, and TIBCO. S2ML is intended to solve [security] problems by helping to unify access control methods through an open, standards-based framework for the next generation of secure e-commerce transactions. The S2ML specification addresses three main areas of security services: authentication, authorization, and entitlement/privilege. S2ML defines standard XML schemas, as well as an XML request/response protocol, for describing authentication and authorization services through XML documents. S2ML also will provide specific bindings for various protocols such as HTTP and SOAP and B2B messaging frameworks such as ebXML. S2ML will deliver the following benefits: (1) Interoperability: With S2ML e-marketplaces, service providers, and end user companies of all sizes will be able to securely exchange information about authenticated users, Web services, and authorization information without requiring partners to change their current security solutions. S2ML will become the common language for different infrastructures to communicate security data. (2) Open Solution: S2ML is designed to work with multiple XML document exchange protocols and frameworks such as SOAP, OAG, MIME, Biztalk, and ebXML. 
(3) Single Sign-On Across Partner Sites: S2ML will enable users to travel across sites with their credentials and entitlements so that companies and partners in a trusted relationship can deliver single sign-on across sites, regardless of the security infrastructures in place. The S2ML effort is an open industry initiative in which any organization can participate and implement the specifications. The vendors behind the S2ML initiative plan to submit the S2ML 0.8 specification to the World Wide Web Consortium (W3C) and OASIS for consideration within the next 30 days."

References:

  • S2ML web site

  • S2ML description

  • Founding members

  • FAQ document

  • Contact: info@s2ml.org

  • S2ML in the news

  • [January 09, 2000] Security Services Markup Language. S2ML Draft Specification '0.8a', 2001-01-08. 43 pages. Posted by Marc Chanliau (Netegrity) to 'security-services@lists.oasis-open.org' list, 2001-01-08. See also the separate XSD file (from Appendix B of the specification). "This specification defines Security Services Markup Language (S2ML), a protocol for two security services: authentication and authorization. The protocol consists of request and response pairs of XML documents for each service. This specification provides a schema that governs these XML documents, as well as bindings to several message and transport protocols with which S2ML might be used. S2ML recognizes that there are a wide range of authentication technologies in use, such as login-password, SSL, Digital Signing, Kerberos, and Smart Cards. There are also many frameworks for authorization, including ACLs, Capabilities, and the Java Authorization Model. A major design goal for S2ML is to provide a single syntax within which a broad class of authentication and authorization techniques can be expressed, and, which can convey the results established by a wide variety of existing security mechanisms. S2ML defines two key XML elements -- Name Assertions and Entitlements -- that provide a foundation for sharing security artifacts on the Internet. Traditionally, security has been viewed in the context of a transaction that is entirely contained within a single enterprise. Increasingly, transactions, whether driven by users or by document flow, may involve cooperating but distinct enterprises. Transactions may originate at a workstation, and with the help of a portal or marketplace site, pass through a series of staged interactions with other sites. For example, one site may authenticate a name-to-credential binding while another site provides additional assessment of the named user's capabilities to perform a transaction. 
Authentication, authorization, and entitlement information required to complete or enable a transaction may originate from many sites and be interpreted at other sites."

  • [January 17, 2001] "OASIS Unites Efforts to Develop XML Security Services Standard." - "Organizations supporting divergent security standards united in an effort to develop a common XML specification through the OASIS Security Services Technical Committee. OASIS, the global XML interoperability consortium, hosted the first meeting of its new technical committee, which will define an XML framework for exchanging authentication and authorization information. Initially formed within OASIS to complete the S2ML security standard, the new committee agreed to accept submissions of other relevant technologies, including AuthXML. 'Our goal is to work together to advance a common security standard,' said Eve Maler of Sun Microsystems, chair of the OASIS Security Services Technical Committee. 'Everyone agrees that consensus is critical. Through its open technical process, OASIS provides the safe environment necessary for real collaboration.' 'The result of our work at OASIS will be a single security services standard that will be widely accepted in the industry,' predicted Marc Chanliau of Netegrity. 'We brought S2ML to OASIS with that objective in mind, and we're confident that the technical committee has the critical mass to achieve our goal.' 'Supporters of AuthXML welcome the opportunity to work within OASIS for the good of true interoperability and the XML community at large,' commented Eric Olden of Securant Technologies. 'By channeling the momentum of AuthXML into the committee, we look forward to advancing the development of a common, unified standard.' The OASIS Security Services Technical Committee includes representatives from Baltimore Technologies, Cisco, Commerce One, DataChannel, Entegrity, Entrust, Hewlett-Packard, IBM, Jamcracker, Netegrity, Oblix, OpenNetwork, Securant, SilverStream, Sun Microsystems, Tivoli, Verisign, Vordel and WebMethods. Membership is expected to increase in the coming months. 
'Interest in advancing this work is extremely high,' said Karl Best, director of technical operations for OASIS. He added that record numbers of companies and individuals have joined the Consortium specifically to participate in developing a common security standard. The technical committee plans to publish draft specifications by June 2001 and to submit a formal specification to the OASIS membership by September 2001. Norbert Mikula of DataChannel, member of the OASIS Board of Directors and chair of its technical advisory committee, characterized the development schedule as, 'very aggressive.' He advised, 'Any organization affected by the issue of security should get involved now.'" See also "AuthXML Standard for Web Security."

  • [February 20, 2001] OASIS Technical Committee for Extensible Access Control Markup Language (XACML). An OASIS technical committee has been proposed for the development of standards governing access control policies. The proposed scope of discussion "is Extensible Access Control Markup Language ('XACML', an interim moniker), which addresses security related specifications orthogonal to the efforts of the existing Security Services OASIS TC. Whereas the Security Services TC exists to define an XML framework for exchanging authentication and authorization information, XACML is to be concerned with the representation of access control policies as XML and the application of these policies to XML documents." The current discussion leader is Ernesto Damiani. [Full context]

  • [February 12, 2001] AuthXML Working Group Submits AuthXML Web Security Specification to OASIS. The AuthXML Working Group has announced the submission of its AuthXML specification to the OASIS XML Security Services Technical Committee. In January, Netegrity, Inc. and a small group of vendors also submitted their Security Services Markup Language draft specification to the OASIS TC. AuthXML is a vendor-neutral specification that enables the integration of proprietary Web security, network security, B2B infrastructures and applications with individual Internet-based user sessions and transactions; the AuthXML Working Group is comprised of over 45 active contributors. [Full context]

  • [February 10, 2001] Pending standards work: Note in this connection that discussion has been held on the OASIS Security list about a possible technical committee "focused on security related specifications orthogonal to the efforts of the XML-Based Security Services TC. Whereas XML-Based Security Services exists to define an XML framework for exchanging authentication and authorization information, XACML [Extensible Access Control Markup Language] is concerned with the representation of access control policies as XML and the application of these policies to XML documents..." Provisional participants: Ernesto Damiani [Discussion Leader], Pierangela Samarati, Simon Y. Blackwell, and Frank Chum.

  • [November 16, 2000] "Netegrity And Industry Leaders To Define First XML Standard For Secure E-Commerce. Art Technology Group, Bowstreet, Commerce One, Jamcracker, Oracle, PricewaterhouseCoopers, Sun Microsystems, TIBCO Software Inc., VeriSign, and webMethods join Netegrity to Develop Security Services Markup Language (S2ML)."

  • [January 04, 2001] "Consortium Aims To Unite XML Security Standards. OASIS Group Plans to combine specifications from two rival vendors." By George V. Hulme. In Information Week Issue 818 (January 01, 2000), page 24. "A meeting set for next week could be a major step toward developing a single XML security standard that would give companies greater security authentication and authorization options when sharing data among customers, partners, and vendors. OASIS, a standards and interoperability consortium that's trying to blend two competing XML security standards into one, will host the meeting. The rival XML security specifications are backed by two security vendors: Securant Technologies Inc., which has AuthXML, and Netegrity Inc., with S2ML. Most analysts say the similarities between the proposed standards outweigh any differences. 'Until now, this has been a Securant vs. Netegrity issue. Now it looks like we have the cooperation of both sides,' says Pete Lindstrom, senior analyst, security strategies, at the Hurwitz Group. 'Hopefully, they'll both work within OASIS to develop something useful.' To make that happen, OASIS formed the Security Technical Committee, which will meet January 9, 2001. 'These companies are in a very competitive posture, and we help to neutralize that,' says Oasis executive director Laura Walker. 'Both are receptive to working together on this.' Participating vendors include Baltimore Technologies, Entegrity Solutions, Entrust Technologies, Hewlett-Packard, iPlanet, Netegrity, Oblix, OpenNetwork Technologies, Securant Technologies, Tivoli Systems, and TransIndigo. Even if OASIS is successful, however, analysts say it may be a year before products based on the standard are available."

  • [December 06, 2000] Security Services Markup Language. [S2ML Specification V.0.7a] Draft Version 0.7a. November 16, 2000. 41 pages. By Prateek Mishra (Netegrity), Phillip Hallam-Baker (VeriSign), Zahid Ahmed (CommerceOne), Alex Ceponkus (BowStreet), Marc Chanliau (Netegrity), Jeremy Epstein (webMethods), David Jablon (Netegrity), Eve Maler (Sun Microsystems), David Orchard (Jamcracker). Summary: "Security Services Markup Language (S2ML) is a set of XML schemas and interfaces for security services. S2ML provides a standard description of authentication and authorization as XML request and response pairs. There are a wide range of authentication technologies in use, such as, login-password, SSL, Digital Signing, Kerberos, Smart Cards etc. There are also many frameworks for authorization including ACLs, Capabilities, Java Authorization Model etc. A major design goal for S2ML is to provide a single syntax within which a broad class of authentication and authorization techniques can be expressed and used. S2ML identifies two key schemas -- Name Assertions and Entitlements -- that provide a foundation for sharing security artifacts on the internet. Traditionally, security has been viewed in the context of a transaction that is entirely contained within a single enterprise. Increasingly, transactions, whether driven by users or document flow, may authenticate at a portal or marketplace and complete through interactions at other sites. Authentication, authorization and entitlement information required to complete or enable a transaction may originate from many sites and be interpreted at other sites. The following XML schemas and security interfaces are described in this document: (1) NameAssertion: the result of successful authentication is a digitally signed XML assertion describing the authentication type, user and authenticator. 
(2) Entitlement: is a digitally signed XML assertion consisting of a 'portable' package of authorization data created by an issuing authority concerning an authenticated subject. (3) Authentication: An AuthRequest document contains credentials; the result of authentication is an AuthResponse document containing a NameAssertion and may also include Entitlements. (4) Authorization: An AzRequest document contains a NameAssertion, zero or more Entitlements and an authorization Question; the AzResponse document contains an Answer and may also include Entitlements... Audit, based on logging and analysis of security-related data, is a key requirement in security systems. S2ML supports audit by including information in schemas, which may be used to establish sequencing relationships between requests, responses, name assertions and entitlements over long time periods." [From Marc Chanliau]

  • [November 27, 2000] OASIS XML-Based Security Services Technical Committee to Define Security Framework. An OASIS Technical Committee for 'XML-Based Security Services' is being formed with the goal of defining a "framework for sharing security information and security services on the Internet through XML documents." The initial members are from Sun Microsystems, JamCracker, and Netegrity. Projected deliverables include "a set of XML Schemas and an XML-based request/response protocol for authentication and authorization services. A draft of the Committee Specification (Version 0.8) will be based on the Security Services Markup Language (S2ML) co-authored by Netegrity, Inc. and its partners. The Committee Specification Version 0.8 will be ready by December 15, 2000. The final Committee Specification (Version 1.0) is scheduled for the second quarter 2001. The XML-Based Security Services TC intends to submit the Committee Specification as an OASIS standard after sufficient implementation experience has been gathered..." Subscription to the associated OASIS mailing list is open to OASIS affiliates: send subscribe as the body of an email message to security-services-request@lists.oasis-open.org. The discussion list is publicly archived. For additional description and references, see (1) "Security Services Markup Language (S2ML)" and (2) the text of the announcement.

  • [December 06, 2000] "OASIS to Define XML Standard for Secure Electronic Business. Consortium Forms XML-Based Security Services Technical Committee." - "OASIS, the interoperability consortium, today announced that it has begun development of XML standards for security information and services on the Internet. The newly formed OASIS XML-Based Security Services Technical Committee (TC) will define a common language for sharing security information about transactions and end users between companies engaged in online B2B and B2B2C commerce. "Currently, it is difficult to ensure the absolute security of Internet transactions across companies. Businesses need a universal method to assure only users with proper authorization access and execute transactions," explained Karl Best, director of technical operations at OASIS. "OASIS has taken on this development effort to produce a standard, open framework that will enable secure interoperability across company boundaries and heterogeneous platforms." Christian Byrnes, vice president of security strategy at META Group, said, 'Almost all e-commerce involves multiple business partners at some level. The lack of security standards has resulted in difficult, complex, and insecure implementations. A successful standard for integrating security across business partners will make e-commerce faster and less expensive to deploy and more secure at the same time.' The OASIS XML-Based Security Services TC initially plans to base its work on the Security Services Markup Language (S2ML), a joint development effort of Art Technology Group, Bowstreet, Commerce One, Jamcracker, Netegrity, Oracle, PricewaterhouseCoopers, Sun Microsystems, VeriSign, TIBCO and webMethods..." See also (1) the TC's publicly archived mailing list, and (2) the earlier announcement.

  • [November 16, 2000] "Netegrity Signs Up Key Partners For XML-Based Security Standard. Sun, CommerceOne, VeriSign Among Vendors Supporting S2ML." By Elizabeth Montalbano. In Computer Reseller News (November 15, 2000). "Several notable companies have signed on to help a vendor of Web site management software develop a standard way to authenticate and authorize users in B2B scenarios using XML. Netegrity, along with Sun, CommerceOne, Bowstreet.com, VeriSign, WebMethods and others, has developed a specification for S2ML, a standard way to define user authentication, authorization, entitlement and profile information in XML documents. This allows B2B exchange users to port from site to site without multiple sign-ons. Vendors reviewing the S2ML spec include Art Technology Group, PricewaterhouseCoopers and Tibco. The companies held a news conference here Wednesday to discuss the specification, which they expect to submit to both the World Wide Web Consortium (W3C) and OASIS standards bodies within 30 days. Bill Bartow, vice president of marketing at Netegrity, based here, says S2ML enables companies that have different infrastructures and are using one exchange to tell each other in a standard way that a user is authorized to conduct transactions on another site without the need for complex infrastructure... S2ML will also define how to express that users have certain entitlements--for example, if they are a 'gold card member' or have a certain amount of money to spend on a site, Bartow says. Vendors working on S2ML have designed the technology to be cross-platform and to work with any flavor of XML, Bartow says. Netegrity is not the only company working on using XML to solve the problem of user authentication between sites in B2B. Security vendor Securant Technologies is working on a similar standard, called authXML, says John Pescatore, research director for Internet security at Gartner Group. 
Last week, Securant announced a working group to further the development of authXML, a product of work that began in May 2000, says Britta Glade, director of marketing at the San Francisco-based vendor. Pescatore says the work Securant is doing is just as valid as the S2ML spec, but the strength of Netegrity's announcements is in its partners."

  • [December 22, 2000] "Competing initiatives to vie for security standard." By Jeffrey Burt. In eWEEK (December 21, 2000). "The push to develop an XML-based standard for moving security information across disparate online trading systems is moving under the umbrella of the standards body OASIS. The Organization for the Advancement of Structured Information Standards earlier this month set up a technical committee to create a single standard for security information -- including authentication, authorization and user profiles. The first meeting of the group will be on Jan. 9. Included in the technical committee are backers of two competing programs announced in November whose aim is to develop a standard based on XML (Extensible Markup Language). Netegrity Inc., of Waltham, Mass., is heading a drive to make its Security Services Markup Language, or S2ML, the de facto standard in the security information field. Company officials said this week that more than 200 companies have put their support behind the initiative. San Francisco-based Securant Technologies Inc. is pushing its AuthXML program, which has the support of more than 70 companies, some of whom also were involved in the S2ML program. Both initiatives were announced within days of each other. Netegrity officials said they and their partners approached OASIS about creating a technical committee, which was unveiled December 6. Netegrity officials hope to have another meeting in February and a final specification developed by the middle of 2001. The committee initially will use the S2ML initiative as the basis for its work. Securant officials already have issued a third version of the AuthXML specification and will bring that to the technical committee..."

  • [December 13, 2000] "Industry Must Embrace Combination of Open Web Access Standards for True Interoperability. No Single Standard Can Do It All." By Nand Mulchandani. December, 2000. Oblix position paper. "The document 'Industry Must Embrace Combination of Open Web Access Standards for True Interoperability' explores the various standards currently available, as well as those in various stages of ratification. On behalf of Oblix, Nand Mulchandani is a member of the proposal committees for S2ML (Security Services Markup Language) and AuthXML (authentication and authorization). Both proposed XML standards have been recently submitted to the Organization for the Advancement of Structured Information Standards (OASIS), an international consortium that advances electronic business by promoting open, collaborative development of interoperability specifications.... Adapting one universally accepted open standard has been offered up as the panacea for Internet interoperability issues. While the idea is appealing, it is not realistic. No single standard will solve all interoperability issues. Instead, a combination of different standards is required to produce true interoperability. For instance, two companies may agree on implementing the same XML data exchange format but will still not be able to interoperate if their XML Remote Procedure Call (RPC) mechanisms do not match. By defining such standards, enterprises are able to deploy infrastructure solutions that seamlessly span multiple companies without requiring each individual company to run proprietary, vendor-specific software. Oblix envisions open standards that will encompass identity, authentication, authorization, sessions, and transactions in a combination of XML and other evolving industry standards."

  • [December 01, 2000] "Security Services Markup Language (S2ML)." VeriSign XML Trust Services. VeriSign S2ML White Paper. 9 pages. Fall 2000. "B2C and B2B transactions that take place between enterprises across the Internet have had no standard language for communicating authorization data that specifies what transactions or information a buyer, seller, or enterprise is permitted to access. The S2ML (Security Services Markup Language) specification developed by VeriSign with Netegrity and other vendors, solves this problem. It offers a vendor-neutral, open XML standard for enabling secure e-commerce transactions by describing authentication, authorization, and profile information, allowing businesses to exchange this data between customers, partners, or suppliers, regardless of the security systems or e-commerce platforms they have in place. Using standard XML toolkits instead of proprietary third-party software, developers can use S2ML to make trust information completely portable, travelling with XML documents for business transactions across multiple Web sites. In B2C applications, for example, users can sign on to a service and present digital certificates only once, and then travel across linked or affiliated Web sites without having to log on and re-authenticate... The S2ML architecture is built upon the use of Trust Assertions. At its simplest, a trust assertion is a standard format for expressing a statement that is intended to convey trust. Trust assertions extend and generalize the architecture set out in the XML Key Management Specification (XKMS). While traditional Public Key Infrastructures (PKIs) are designed to allow trusted statements to be made about the use of public keys, Trust Assertions allow trusted statements to be made on any subject, including financial transactions and authenticated data in addition to public keys. Trust Assertions are designed to complement rather than replace digital certificates. 
While Trust Assertions may be used to replace an established X.509-based PKI, it is much more interesting to use them to support new applications that X.509 certificates were not designed to address..." See S2ML Resources from VeriSign - "XML Trust Services -- Enable portable authentication and authorization with S2ML." [cache]

  • [November 16, 2000] "Group seeks standard for secure online trading." By Jeffrey Burt. In eWEEK (November 16, 2000). "A group of high-tech software companies, led by B2B security software vendor Netegrity Inc., this week announced an initiative to develop an XML-based standard for ensuring security in online trading. The focus of Security Services Markup Language, or S2ML, is to create a single open standard for security data -- particularly customer authentication, authorization and entitlement, or privileges -- through XML documents. It's the second time in less than a week that an e-commerce security application vendor has proposed developing such a standard. Last Friday, Securant Technologies Inc. of San Francisco announced an industry working group to create AuthXML, another XML-based standard for Web security. The objectives of both initiatives are the same: to develop a standard way of identifying and authenticating customers as they move across trading partner Web sites and online exchanges. It would be good for businesses, which would be able to keep track of key customers and trading partners as they move through various Web sites. For customers, it would mean having secure access to multiple e-marketplaces and Web sites through a single sign-on. Concierge or armed escort? 'It allows a business to act as a personal concierge -- or, in a more dangerous world, an armed escort,' said Peter Lindstrom, senior analyst at the Hurwitz Group in Philadelphia. 'It creates a singular user experience through a single Web site.' Joining Netegrity, of Waltham, Mass., in its announcement were several heavy hitters in the B2B arena, including Commerce One Inc., Sun Microsystems Inc., Oracle Corp. and webMethods Inc. Others signing up included Bowstreet Inc., Jamcracker Inc. and VeriSign Inc...Other companies also are being invited to join the S2ML initiative. 
Although Netegrity executives said a key difference between their project and that of Securant was the presence of other companies, Lindstrom, the Hurwitz analyst, said he expects companies to quickly join Securant's effort as well."

  • [November 16, 2000] "Secure XML standard defined for e-commerce." By Brian Fonseca. In InfoWorld (November 15, 2000). "Backed behind some very diverse names, Netegrity announced plans on Wednesday to develop an XML-based standard to secure e-commerce transactions. Called Security Services Markup Language (S2ML), the standard seeks to build a common vocabulary for sharing user information and transactions -- and encourage single-sign-on -- across multiple platform b-to-b (business-to-business) portal and b-to-c (business-to-consumer) environments, Bill Bartow, vice-president of marketing at Waltham, Mass.-based Netegrity, said. S2ML will be submitted to the World Wide Web Consortium (W3C) and OASIS (Organization for the Advancement of Structured Information Standards) for examination by December 15, 2000, Bartow said. Authors engaged in the S2ML specification include Bowstreet, Commerce One, Jamcracker, Sun Microsystems, VeriSign and webMethods. Reviewers of the definition are Art Technology Group, PricewaterhouseCoopers and Tibco Software. By recruiting representatives of the Java platform space, security, b-to-b, and managed services arena to collaborate on the new standard's design, S2ML will pay wide-reaching open standard dividends by being built directly into products, said John Pescatore, vice-president and research director at Stamford, Conn.-based Gartner. '[Many clients] have a set of totally different rules, security rules, and business rules, trying to do the same thing in two different languages with no connection between them,' Pescatore said. 'XML seems a likely way to make a bridge between these two languages.' Pescatore said S2ML will be highly visible in 'hub and spoke' distributor type sites, citing Exxon Mobil or General Electric as examples of managing internal and distribution sites without needing proprietary language to share privileges and access rights information between disparate systems. 
He said it bears watching how some of the bigger guns on the market react to the new standard. 'There will be many competing approaches. The big guys ... haven't weighed in yet. They can really torpedo things and freeze anybody from moving on to this.' S2ML defines standard XML schemas and XML request/response protocol for authentication and authorization through XML documents, according to Bartow. The standard will support HTTP and SOAP (Simple Object Access Protocol) and b-to-b messaging frameworks including ebXML."

  • [August 07, 2000] "Directories Learn Sharing Is Good." By Rutrell Yasin. In InternetWeek (August 04, 2000). "As e-businesses use directory technology to give partners access to its systems, authorization -- the assigning of user privileges and rights -- becomes vital. Authorization is impossible without sharing of entitlement information. The problem is simple: There is no standard approach for partners' access management systems to do such sharing. That could change. Netegrity and Securant plan to submit separate specifications based on the Extensible Markup Language (XML) to standards bodies such as the World Wide Web Consortium (W3) and the Internet Engineering Task Force (IETF). Netegrity will be promoting XML-based middleware software for user authorization while Securant will push its AuthXML specification. 'A set of rules and methods -- or schema -- based on XML would enable an online stock trading firm, for example, to seamlessly share user privilege information with a partnering financial services firm that offers 401K investments, even if the companies use different server and access control systems,' said Eric Olden, Securant's chief technology officer. But not all vendors are endorsing XML as a common platform to maintain consistent security policies across different access management systems, however, and some of the naysayers are big names. Hewlett-Packard is looking to support both XML and Java. Tivoli, an IBM company, is supporting the Open Group's AznAPI authorization API. . . Tivoli also will support XML where it is practical for customers, said Bob Kalka, a product line manager for the Tivoli SecureWay unit. Kalka said that AznAPI supports both Web and legacy systems while products from Netegrity and Securant are Web-only solutions. AznAPI can plug into the SecureWay Policy Director to determine authorization rights for a messaging application such as IBM's MQSeries, without requiring code rewrites, he noted. 
While vendor-specific deployment of XML-based systems will give users some added value, users would prefer suppliers to work together on a standard." See also "Users Seek Unified Directory Answers," InternetWeek July 31, 2000, page 13. Cf. "DIF Directory Interoperability Proposal."

  • See also: "AuthXML Standard for Web Security."


Hosted By
OASIS - Organization for the Advancement of Structured Information Standards

Document URI: http://xml.coverpages.org/s2ml.html  —  Legal stuff
Robin Cover, Editor: robin@oasis-open.org