XML Key Management Specification (XKMS)
Update 2009-03: This reference document is not actively maintained. For general information on several key management specifications and initiatives, see Cryptographic Key Management.
[April 06, 2004] W3C Releases Candidate Recommendations for XML Key Management Specification (XKMS 2.0). The W3C XKMS Working Group has addressed Last Call issues relating to the April 18, 2003 XKMS Working Draft and has now approved publication of Candidate Recommendations for XML Key Management Specification (XKMS 2.0) and XML Key Management Specification (XKMS 2.0) Bindings. The XKMS Candidate Recommendation period will last for at least six months in order for the WG to collect implementation feedback and evaluate implementation experience. This W3C Working Group was chartered "to develop a specification of an XML application/protocol that allows a simple client to obtain key information (values, certificates, management or trust data) from a web service." The main Part-1 document "specifies protocols for distributing and registering public keys, suitable for use in conjunction with the standard for XML Signatures defined by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF), and the companion standard for XML encryption." XKMS Part-1 defines two service specifications. The XML Key Information Service Specification is a protocol designed "to support the delegation by an application to a service of the processing of key information associated with an XML signature, XML encryption, or other usage of the XML Signature <ds:KeyInfo> element." The XML Key Registration Service Specification is a protocol designed "to support the registration of a key pair by a key pair holder, with the intent that the key pair subsequently be usable in conjunction with the XML Key Information Service Specification or a Public Key Infrastructure (PKI) such as X.509. These protocols do not require any particular underlying public key infrastructure but are designed to be compatible with such infrastructures." XKMS Part-2 specifies protocol bindings with security characteristics for the XML Key Management Specification (XKMS) as defined in Part-1.
[December 10, 2001] W3C Announces Official XML Key Management Activity. The World Wide Web Consortium has announced the launch of its XML Key Management Activity, tasked with the development of "an XML application/protocol that allows a simple client to obtain key information (values, certificates, management or trust data) from a web service." Based upon the XML Key Management Specification (XKMS), the Activity is chartered to produce a companion Recommendation for the IETF/W3C XML Encryption and XML Digital Signature Activities. An initial working draft XML Key Management Specification (XKMS) defines "protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signature (XML-SIG) developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and an anticipated companion standard for XML encryption. The XML Key Management Specification (XKMS) comprises two parts: (1) the XML Key Information Service Specification (X-KISS) and (2) the XML Key Registration Service Specification (X-KRSS)." A recently-updated XML Key Management Requirements document presents "the design principles, scope and requirements for the XML Key Management specifications; it includes requirements as they relate to the key management syntax, processing, security and external requirements and coordination." [Full context]
[April 21, 2003] Last Call Working Drafts for W3C XML Key Management Specifications (XKMS). The W3C XML Key Management Working Group has released Last Call Working Drafts for XML Key Management Specification (XKMS) Version 2.0 and XML Key Management Specification (XKMS) Bindings Version 2.0. The specifications define protocols "for distributing and registering public keys for use with XML Signature and XML Encryption. The XKMS specification contains two parts: the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). These protocols do not require any particular underlying public key infrastructure (such as X.509) but are designed to be compatible with such infrastructures." X-KISS specifies a protocol "to support the delegation by an application to a service of the processing of key information associated with an XML signature, XML encryption, or other usage of the XML Signature <ds:KeyInfo> element." X-KRSS defines a protocol "to support the registration of a key pair by a key pair holder, with the intent that the key pair subsequently be usable in conjunction with the XML Key Information Service Specification or a Public Key Infrastructure (PKI) such as X.509 (PKIX). While the specification uses the terms 'trust' and 'policy' informally, it does not define semantics nor processing associated with either. Instead, it defines how a Validate Service returns information that has been validated according to external trust and policy specifications... the benefit of an XKMS Validate Service is that it provides a front end to different security and PKI technologies with their own particular semantics." The WG invites comments on the specifications until May 23, 2003.
[March 19, 2002] W3C XML Key Management Working Group Publishes XKMS 2.0 and X-BULK Working Drafts. The W3C XML Key Management Working Group has published three new working drafts. The XML Key Management Specification (XKMS 2.0) WD "specifies protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signatures developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and an anticipated companion standard for XML encryption. The XML Key Management Specification (XKMS) comprises two parts: (1) the XML Key Information Service Specification (X-KISS) is a protocol to support the delegation by an application to a service of the processing of Key Information associated with an XML signature, XML encryption, or other public key; its functions include the location of required public keys and describing the binding of such keys to identification information; (2) the XML Key Registration Service Specification (X-KRSS) is a protocol to support the registration of a key pair by a key pair holder, with the intent that the key pair subsequently be usable in conjunction with the XML Key Information Service Specification or higher level trust assertion service such as XML Trust Assertion Service Specification (XTASS). These protocols do not require any particular underlying public key infrastructure (such as X.509) but are designed to be compatible with such infrastructures." The Last Call XML Key Management (2.0) Requirements Working Draft "lists the design principles, scope and requirements for XML Key Management specifications and trust server key management implementations. It includes requirements as they relate to the key management syntax, processing, security and coordination with other standards activities." The XML Key Management Specification Bulk Operation (X-BULK) WD is the first X-BULK draft from the Working Group. X-BULK "extends the XML Key Management Specification (XKMS) protocol to encompass the bulk registration operations necessary for interfacing with such systems as smart card management systems. X-BULK is defined in terms of structures expressed in the XML Schema Language XML-Schema and web services description language (WSDL)." [Full context]
See also the Research Notes from the Verisign XML Trust Center:
XML Trust Assertion Service Specification (XTASS). "The XML Trust Assertion Service Specification defines an architecture and retrieval protocol for 'Trust Assertions'. A Trust Assertion consists of a statement bound to a unique identifier that is cryptographically authenticated. Trust Assertions may be used to establish and manage long term trust relations between principals. The trust assertion architecture is designed to be extensible to support management of any form of trust assertion. In particular, assertions need not be bound to a public key infrastructure. A Trust Assertion may be bound directly to a document that represents or facilitates a financial transaction, for example bonds, equities and bills of lading. XTASS provides a generic framework for specifying information relevant to any form of trust assertion: (1) the identifier of the Issuer; (2) the time instant of issue; (3) reissue location and scheduling. Assertions may be addressed to a specific audience. Relying parties may be required to verify the status of an assertion before each use." See the text of the specification: X-TASS: XML Trust Assertion Service Specification, by Phillip Hallam-Baker (Draft Version 0.9: January 5th 2001, 26 pages). [cache]
XML Key Agreement Service Specification (XKASS). "The XML Key Agreement Service Specification (XKASS) describes an efficient means of key agreement in which an initiator and responder establish a shared secret if and only if they hold the keying information specified in their credentials by means of a single request and a single response. The high computational overhead of public key cryptography has been considered by some to be a prohibitive burden for many applications involving a high volume of queries against a central server. The computational overhead of executing a digital signature per transaction typically reduces throughput on a server by at least two orders of magnitude. Use of cryptographic acceleration hardware reduces but does not eliminate the impact of using public key cryptography. Such hardware tends to be expensive, especially if it is designed to provide a high degree of protection against disclosure of the private key. XKASS permits the key agreement operation to be separated from processing operations. This has both security advantages and operational advantages. Separating key agreement from operations allows cryptographic operations to be performed in a high security physical environment dedicated to cryptographic operations, thus eliminating the need for access by processing operations staff. Offloading cryptographic operations to separate hardware allows independent management of resources to adjust for demand. While processing requirements grow with the number of transactions, the requirement for key agreement scales with the number of active accounts..." See the text of the specification: X-KASS: XML Key Agreement Service Specification (Draft Version 0.4, May 10, 2001, 28 pages). [cache]
XML Trust Axiom Markup Language (XTAML). "The XML Trust Axiom Markup Language (XTAML) defines SAML Trust Assertions that support the management of trust axioms. A trust axiom is analogous to a root certificate in a certificate based PKI. An important application of trust axioms is managing the trust relationship between a client and a trust service... XTAML is layered on the Security Assertion Markup Language (SAML). XTAML defines statement elements for specifying axiomatic and delegate keys and for asserting the validity status of another assertion. A new condition element is defined that makes the validity status of an assertion dependent on online verification. Two new advice elements are defined to allow an assertion to provide advice on the reissue of the assertion and for issue of related assertions... The XTAML specification is intended to complement other XML security standards and proposals, in particular XML Signature, XML Encryption, XML Key Management, and Security Assertion Markup Language (SAML)." See the text of the specification: XTAML: XML Trust Axiom Markup Language, by Phillip Hallam-Baker (Draft Version 0.12: October 17th 2001, 25 pages). [cache]
[March 30, 2001] W3C Publishes XML Key Management Specification (XKMS). The W3C has acknowledged receipt of a submission from VeriSign, Microsoft, webMethods, Baltimore Technologies, Citigroup, Hewlett-Packard, IBM, IONA Technologies, PureEdge, and Reuters Limited for the XML Key Management Specification (XKMS). The document "specifies protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signature developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and an anticipated companion standard for XML encryption. The XML Key Management Specification (XKMS) comprises two parts -- the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). The X-KISS specification defines a protocol for a Trust service that resolves public key information contained in XML-SIG elements. The X-KISS protocol allows a client of such a service to delegate part or all of the tasks required to process <ds:KeyInfo> elements. A key objective of the protocol design is to minimize the complexity of application implementations by allowing them to become clients and thereby shielded from the complexity and syntax of the underlying PKI used to establish trust relationships. These may be based upon a different specification such as X.509/PKIX, SPKI or PGP. The X-KRSS specification defines a protocol for a web service that accepts registration of public key information. Once registered, the public key may be used in conjunction with other web services including X-KISS. Both protocols are defined in terms of structures expressed in the XML Schema Language, protocols employing the Simple Object Application Protocol (SOAP) v1.1 and relationships among messages defined by the Web services Definition Language v1.0 (WDSL)." [Full context]
[July 18, 2001] Baltimore Technologies Releases XKMS X-BULK Specification for Digital Certificates. Baltimore Technologies and its industry partners recently published a working draft XML Key Management Specification Bulk Operation (X-BULK). The new specification "extends the XKMS [XML Key Management Specification] protocol to encompass the bulk registration operations necessary for interfacing with such systems as smart card management systems. X-BULK is defined in terms of structures expressed in the [W3C] XML Schema Language and Web Services Description Language (WSDL). The specification enables the bulk issuance of digital certificates on devices such as smart cards, cable modems and next-generation wireless SIM cards. XKMS is designed to simplify the integration of enhanced Internet security features such as authentication, encryption and digital signatures into Web applications. The ability to have these features embedded in Internet applications and devices, and therefore `invisible' to the user, will be a key factor in mass adoption of the technology. However, proprietary interfaces between device factories and PKIs are currently limiting the ability for devices to be manufactured with digital certificates. The X-BULK extension to XKMS will eliminate these proprietary interfaces and replace them with an open, industry-backed interface. This will result in much speedier implementation times for financial institutions, wireless operators, enterprises and governments who are actively rolling out smart cards with PKI to enable a host of value added services aimed at increasing revenue and decreasing administration costs." [Full context]
[February 13, 2001] From the FAQ document: "XKMS is a proposed standard jointly developed by industry leaders. XKMS is designed to simplify the integration of PKI and digital certificates (which are used for securing Internet transactions) with XML applications. It is an open standard and stands for XML Key Management Specification. Developers can take advantage of XKMS to integrate authentication, digital signature, and encryption services, such as certificate processing and revocation status-checking, into applications in a matter of hours -- without the constraints and complications associated with proprietary PKI software toolkits. With XKMS, trust functions reside in servers accessible via easily programmed XML transactions. Developers can enable applications to delegate all or part of XML digital signature processing to XKMS-compliant Web services, minimizing the complexity of the underlying PKI. XKMS is an open specification that has established broad industry support. It is currently in the process of submission to an internationally recognized standards body. If the proposal for standardization is accepted it is likely that the process of standardization will take at least 12 months and the specification adopted is likely to differ from the original proposal in significant respects. XKMS defines XML-based transactions for managing public keys in support of digital signature and encryption functions (i.e., for authenticating business documents or fields therein, or for providing confidentiality for such documents or fields therein). S2ML defines XML-based transactions for conveying information regarding the privileges or entitlements of people or organizations between different sites (e.g., different service providers that, in combination, serve a particular customer)."
[November 30, 2000] From the specification's 'Executive Summary': XML Key Management Specification (XKMS). "This document specifies protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signature developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and an anticipated companion standard for XML encryption. The XML Key Management Specification (XKMS) comprises two parts -- the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). The X-KISS specification defines a protocol for a Trust service that resolves public key information contained in XML-SIG elements. The X-KISS protocol allows a client of such a service to delegate part or all of the tasks required to process <ds:KeyInfo> elements. A key objective of the protocol design is to minimize the complexity of application implementations by allowing them to become clients and thereby shielded from the complexity and syntax of the underlying PKI used to establish trust relationships. These may be based upon a different specification such as X.509/PKIX, SPKI or PGP. The X-KRSS specification defines a protocol for a web service that accepts registration of public key information. Once registered, the public key may be used in conjunction with other web services including X-KISS. Both protocols are defined in terms of structures expressed in the XML Schema Language, protocols employing the Simple Object Application Protocol (SOAP) v1.1 [SOAP] and relationships among messages defined by the Web Services Definition Language v1.0 [WDSL]. Other compatible expressions are possible."
From the announcement: "VeriSign, Microsoft and webMethods Announce Breakthrough XML-based Specification to Enable Interoperable Digital Signatures and Encryption for B2B and B2C Transactions. New Open Specification to Accelerate Deployment of Secure E-Commerce Applications." - "VeriSign Inc., Microsoft Corp. and webMethods Inc. today introduced a breakthrough XML-based framework -- the XML key management specification (XKMS) -- to enable a broad range of software developers to seamlessly integrate digital signatures and data encryption into e-commerce applications. To accelerate the development of applications incorporating these advanced technologies, the XKMS specification -- jointly designed and prototyped by VeriSign, Microsoft and webMethods with industry support from other technology leaders -- was made publicly available today and will be submitted to the appropriate Web standards bodies for consideration as an open Internet standard. In addition, XKMS will be built into the Microsoft.NET architecture to ensure broad and rapid adoption of this framework in both B2B and B2C environments. The new XKMS specification revolutionizes the development of trusted B2B and B2C applications by introducing an open framework that enables virtually any developer to easily access applications from any public key infrastructure products and services. With the XKMS specification, developers are able to integrate advanced technologies such as digital signature handling and encryption into their web-based applications. The XKMS specification promotes the interoperability of advanced technologies because it is based on XML, a rapidly growing standard for application development. Currently, developers choosing to enable applications to handle digital keys for authentication and digital signatures are often required to purchase and integrate specialized toolkits from a Public Key Infrastructure (PKI) software vendor which only interoperate with that vendor's PKI offerings. Functions such as digital certificate processing, revocation status checking, and certification path location and validation are all built into the application via the toolkit. With the new XKMS specification, those functions are no longer built into the application but instead reside in servers that can be accessed via easily programmed XML transactions. The XKMS architecture, along with the recently drafted XML digital signature standards and the emerging XML encryption standard, provides a complete framework for ensuring broad interoperability across applications developed by enterprises, B2B exchanges and other Internet communities of interest. XKMS is also compatible with the emerging standards for Web Services Description Language (WSDL) and Simple Object Access Protocol (SOAP)..." [Announcement also from webMethods.]
VeriSign blurb: "To simplify the integration of PKI and digital certificates, the standard methods for securing Internet transactions, with XML applications, VeriSign, Microsoft, and webMethods have created the open XKMS (XML Key Management Specification). Developers can take advantage of XKMS to integrate authentication, digital signature, and encryption services, such as certificate processing and revocation status-checking, into applications in a matter of hours -- without the constraints and complications associated with proprietary PKI software toolkits. With XKMS, trust functions reside in servers accessible via easily programmed XML transactions. Developers can allow applications to delegate all or part of the processing of XML digital signatures and encrypted elements to VeriSign, minimizing the complexity of the underlying PKI..."
News, Articles, Papers
[January 29, 2004] "XML Security: The XML Key Management Specification. XKMS Helps Make Security Manageable." By Manish Verma (Second Foundation). From IBM developerWorks (January 27, 2004). "With an ever-increasing number of people and businesses relying on the Internet to exchange confidential and sensitive information, security has become a hot issue. Two security-related topics have gained significant importance: Ease of management: Making the security infrastructure's usage and integration with applications easy so that its adoption becomes widespread. Portable trust: After a trust relationship has been established with an entity, having a standard mechanism to transfer that trust to another cooperating entity. Single SignOn is a typical example of portable trust. After a user has been authenticated with a particular Web site, a standard mechanism passes that information to other cooperating sites that require the user's authentication information. This allows those sites to transparently share information about an entity without the need to request the same information from the entity again and again. For single sign-on to work, the entities must recognize each other's credentials. The XML Key Management Specification (XKMS) allows for easy management of the security infrastructure, while the Security Assertion Markup Language (SAML) makes trust portable. SAML provides a mechanism for transferring assertions about authentication of entities between various cooperating entities without forcing them to lose ownership of the information. This article discusses the role that XKMS plays in managing the security infrastructure, and provides a step-by-step guide to using XKMS... Often, good technologies fall by the wayside because they are cumbersome to use; in such cases, only a small devoted set of developers continue using the technology without it ever being adopted by average IT departments. PKI has been around for many years, but has not yet made it into typical IT departments. Now, XKMS provides an easy mechanism for using and integrating PKI with applications. In this article, I have explained the objectives of having an XKMS abstraction layer on various PKI solutions, and demonstrated how easy it is to use the XKMS service for registering and locating your key. In my next article, I will focus on explaining how to make this trust portable using SAML..." See also "Security Assertion Markup Language (SAML)."
[December 09, 2003] "Building a Security Infrastructure." By Rich Salz. From O'Reilly WebServices.XML.com (December 09, 2003). "In a previous column the author offered a rationale for XKMS as an important web service, looking at reducing the problem of implementing such a service to a reasonable size. Salz now builds the infrastructure necessary to develop and deploy an XKMS registration server that can issue certificates and which is intended for use within an enterprise. The server needs an SSL certificate and private key. Since it will be signing certificates for others, it will also need a CA certificate and private key; that is, a certificate that says it is allowed to create certificates. In this exercise he builds an enterprise-quality public key infrastructure, using one of the certificates to create a server that uses SSL..."
[November 25, 2003] "Developing a X-KRSS Web Service." By Rich Salz. From O'Reilly WebServices.XML.com (November 25, 2003). "In a previous column the author sketched out an alternative to WSDL. In an ongoing attempt to suggest useful ideas for others to implement, Salz now discusses an implementation of a service for XKMS (XML Key Management Service). XKMS is a W3C Last Call Working Draft that specifies protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signature and XML Encryption. The XML Key Management Specification comprises two parts: the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). Web services need end-to-end message integrity and privacy, which means that they need XML Digital Signature and XML Encryption. Those technologies, in turn, scale best when they use public key cryptography. Public key crypto needs a supporting infrastructure, PKI, to handle distribution and certification of keys, etc. PKI has historically been very expensive and unwieldy, and XKMS seems to be the last best chance to get a reasonable infrastructure so that we can sign and encrypt our web service messages. The XKMS spec isn't very big, and it covers a great deal and can really be seen as an enabling technology for general web services deployment..."
[September 09, 2003] "XKMS Does the Heavy Work of PKI." By Rich Salz (DataPower Technology). In Network World (September 08, 2003). "Public-key infrastructure is well suited for securing Web services, but PKI deployment is too cumbersome and costly for the technology to achieve widespread use. An upcoming standard from the World Wide Web Consortium aims to reduce the costs of PKI without sacrificing its benefits. XML Key Management Specification (XKMS) borrows the best of PKI without reducing scalability or security. XKMS creates a trust service that shields clients from complexity by providing an XML interface to PKI. The proposed standard is in the last-call phase with the W3C and several vendors are starting to develop XKMS toolkits and applications. PKI scales well because it does not require an online service such as Kerberos Key Distribution Center. Because Kerberos uses shared-secret cryptography, it's a likely target for hacker attacks. And because it contains so much sensitive information, it is usually not widely replicated, making it a potential single point of failure. PKI avoids both of these issues by using a set of public and private keys: Private keys are held only by an individual party; public keys can be distributed widely. With a PKI-secured message, an online service such as the KDC is not needed for any two parties to communicate securely. In addition, the ability to have a hierarchical key structure, and real-time analysis of the path through the hierarchy, makes it possible for parties to securely communicate without prior business arrangement. With XKMS, a client and application server share an XKMS service to validate each other and to process requests between them. XKMS replaces many PKI protocols and data formats, such as Certificate Revocation Lists, Online Certificate Status Protocol, Lightweight Directory Access Protocol, Certificate Management Protocol and Simple Certificate Enrollment Protocol, with one XML-based protocol. XKMS also can be implemented client-to-client, server-to-client, server-to-server... Traditionally, with PKI all trust decisions are offloaded to the crypto consumer. This requires complicated programming libraries and configuration information. For an example of this, look at the "trusted issuers" list in the security parameters section of your Web browser. With XKMS, trust decisions are given to a common server so they can be centralized and applied consistently across platforms. The only configuration information an XKMS client needs is the URL of the server, and the certificate the server will be using to sign its replies. Different trust models can be supported by using different URLs... Many XML Web services standards, including Security Assertions Markup Language and WS-Security, use digital signatures to protect the content of authentication and message data. Although it has not yet received the publicity that those specifications have received, XKMS might be the specification that makes Web services implementation feasible..."
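The client side of the X-KISS Validate exchange that the spec summaries above describe, and that Salz's article reduces to two pieces of client configuration (the service URL and the certificate the service signs its replies with), as an added example. This is not code from the page, from the W3C, or from any vendor named here. The XKMS element, attribute and code names (ValidateRequest, QueryKeyBinding, RespondWith, KeyUsage, ValidateResult, RequestId, ResultMajor, KeyBinding, Status/StatusValue, ValidReason) are assumed from my reading of the XKMS 2.0 drafts rather than quoted from the page; the service URL, key name and certificate blob are constructed; and cryptographic verification of the reply's ds:Signature is left to an XML Signature library, so only the checks around it (request correlation, pinned signer, status) are shown.

```python
import uuid
import xml.etree.ElementTree as ET

# Namespaces of XKMS 2.0 and XML Signature. Element and code names below are
# assumed from the XKMS 2.0 drafts; confirm them against the W3C text.
XKMS_NS = "http://www.w3.org/2002/03/xkms#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xkms": XKMS_NS, "ds": DS_NS}
SUCCESS = XKMS_NS + "Success"   # ResultMajor code for a processed request
VALID = XKMS_NS + "Valid"       # StatusValue of a KeyBinding the service vouches for


def build_validate_request(key_info_xml, service_url, request_id=""):
    """Wrap the application's ds:KeyInfo in a ValidateRequest.

    The client never parses certificates, CRLs or OCSP itself: it hands the
    KeyInfo to the service and later checks the answer. Returns (id, bytes).
    """
    rid = request_id or "I" + uuid.uuid4().hex
    ET.register_namespace("xkms", XKMS_NS)
    ET.register_namespace("ds", DS_NS)
    root = ET.Element("{%s}ValidateRequest" % XKMS_NS, {"Id": rid, "Service": service_url})
    ET.SubElement(root, "{%s}RespondWith" % XKMS_NS).text = XKMS_NS + "X509Cert"
    binding = ET.SubElement(root, "{%s}QueryKeyBinding" % XKMS_NS)
    binding.append(ET.fromstring(key_info_xml))
    ET.SubElement(binding, "{%s}KeyUsage" % XKMS_NS).text = XKMS_NS + "Signature"
    return rid, ET.tostring(root, encoding="utf-8")


def check_validate_result(result_xml, expected_request_id, pinned_service_cert):
    """Checks a client must make before acting on a ValidateResult.

    Raises ValueError when the reply cannot be tied to our request or to the
    configured service key; otherwise returns the validation outcome.
    """
    root = ET.fromstring(result_xml)
    if root.tag != "{%s}ValidateResult" % XKMS_NS:
        raise ValueError("not a ValidateResult")
    # 1. The reply must answer the request we sent, so a captured 'Valid'
    #    answer to some earlier request cannot be substituted for this one.
    if root.get("RequestId") != expected_request_id:
        raise ValueError("RequestId does not match our request")
    # 2. The reply must be signed with the service certificate pinned in client
    #    config. Verifying ds:SignatureValue cryptographically is delegated to
    #    an XML Signature library in a real client and not performed here.
    signer = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if signer is None or "".join(signer.split()) != "".join(pinned_service_cert.split()):
        raise ValueError("reply is not signed by the configured XKMS service key")
    # 3. Protocol-level outcome, then the status of every returned KeyBinding:
    #    the key is usable only if the service marked each binding Valid.
    if root.get("ResultMajor") != SUCCESS:
        return {"ok": False, "status": root.get("ResultMajor"), "reasons": []}
    bindings = root.findall("xkms:KeyBinding", NS)
    ok, status, reasons = bool(bindings), None, []
    for kb in bindings:
        st = kb.find("xkms:Status", NS)
        status = None if st is None else st.get("StatusValue")
        ok = ok and status == VALID
        reasons.extend(r.text for r in (st if st is not None else []))
    return {"ok": ok, "status": status, "reasons": reasons}


# Constructed sample data: a KeyInfo naming the key to check, a placeholder
# base64 blob standing in for the service's pinned signing certificate, and
# a ValidateResult of the shape a service would return for that request.
SAMPLE_KEY_INFO = ('<ds:KeyInfo xmlns:ds="%s"><ds:KeyName>alice@example.test</ds:KeyName>'
                   '</ds:KeyInfo>' % DS_NS)
PINNED_SERVICE_CERT = "UExBQ0VIT0xERVItc2VydmljZS1jZXJ0"  # placeholder, not a real certificate


def sample_validate_result(request_id, status_value, signer_cert=PINNED_SERVICE_CERT):
    reason = "ValidReason" if status_value == VALID else "InvalidReason"
    return ("""<ValidateResult xmlns="%(x)s" xmlns:ds="%(d)s" Id="I-resp-1"
  Service="https://xkms.example.test/" RequestId="%(rid)s" ResultMajor="%(x)sSuccess">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%(cert)s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <KeyBinding Id="I-kb-1">
    %(ki)s
    <Status StatusValue="%(sv)s">
      <%(r)s>%(x)sIssuerTrust</%(r)s>
      <%(r)s>%(x)sRevocationStatus</%(r)s>
    </Status>
  </KeyBinding>
</ValidateResult>""" % {"x": XKMS_NS, "d": DS_NS, "rid": request_id, "cert": signer_cert,
                         "ki": SAMPLE_KEY_INFO, "sv": status_value, "r": reason}).encode("utf-8")


if __name__ == "__main__":
    rid, req = build_validate_request(SAMPLE_KEY_INFO, "https://xkms.example.test/")
    print(req.decode())
    print(check_validate_result(sample_validate_result(rid, VALID), rid, PINNED_SERVICE_CERT))
```

The two configuration values Salz names map directly onto the `service_url` argument of `build_validate_request` and the `pinned_service_cert` argument of `check_validate_result`; everything about issuers, revocation and path building stays behind the service. The order of the checks matters: a reply is rejected for a mismatched RequestId or an unexpected signer before its status is even read, so an attacker who can inject a well-formed "Valid" answer gains nothing without the service's signing key.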
[May 06, 2003] "XML Key Management (XKMS 2.0) Requirements." Edited by Frederick Hirsch (Nokia) and Mike Just (Treasury Board of Canada Secretariat, TBS). W3C Note 05-May-2003. Version URL: http://www.w3.org/TR/2003/NOTE-xkms2-req-20030505. Latest version URL: http://www.w3.org/TR/xkms2-req. Previous version URL: http://www.w3.org/TR/2002/WD-xkms2-req-20020318. "This document lists the design principles, scope and requirements for XML Key Management specifications and trust server key management implementations. It includes requirements as they relate to the key management syntax, processing, security and coordination with other standards activities... XML-based public key management should be designed to meet two general goals. The first is to support a simple client's ability to make use of sophisticated key management functionality. This simple client is not concerned with the details of the infrastructure required to support the public key management but may choose to work with X.509 certificates if able to manage the details. The second goal is to provide public key management support to XML applications that is consistent with the XML architectural approach. In particular, it is a goal of XML key management to support the public key management requirements of XML Encryption, XML Digital Signature, and to be consistent with the Security Assertion Markup Language (SAML). This specification provides requirements for XML key management consistent with these goals, including requirements on the XML key management specification, server implementations and the protocol messages. XML key management services will primarily be of interest to clients that intend to communicate using XML-based protocols bound to SOAP. It may be that such clients will not have sufficient ASN.1 capabilities in which case the benefits of offloading the parsing of certificates and other traditional PKI structures (e.g., CRLs or OCSP responses) is clear. Clients which possess such capabilities and have no preference to work with XML-based protocols may opt to use non-XML-based protocols defined by PKIX, for example..."
[December 10, 2002] "VeriSign Offers Open Source WS-Security Implementation and Integration Toolkit to Help Developers Integrate Security Into Web Services. Effort Continues VeriSign's Commitment to Driving Trusted Web Services With Royalty-Free Implementation." - "Furthering its commitment to trusted Web services, VeriSign, Inc., the leading provider of digital trust services, announced today the royalty-free availability of technology that will allow companies to integrate digital signatures and encryption into Web services. Based on the recently announced WS-Security specification and Addendum, which was co-written by IBM, Microsoft and VeriSign, this implementation provides enterprises, software developers and systems integrators with code they can use to achieve higher levels of trust and security when designing Web services applications and services. Offering this code as open source is intended to accelerate widespread adoption of Web services by making them even easier to secure. In addition, VeriSign announced that it has made available a version of its VeriSign Trust Service Integration Kit (TSIK) with security features for Web services, such as XML Signature, XML Encryption, and XML Key Management Services (XKMS). VeriSign TSIK is a Java-based developer toolkit for integrating security capabilities into Web services. 'Companies simply will not implement Web services until the industry adequately addresses the issues of trust and security,' said Dr. Phillip Hallam-Baker, VeriSign's Principal Scientist and Web Services Security Architect. 'We are helping to address those critical issues by taking a leadership role in providing customers and developers with some extremely useful code that they can implement in their Web services applications today to alleviate those concerns'... VeriSign will provide an open source implementation of WS-Security through its open source libraries, providing resources for building interoperable, trusted Web services using the proposed WS-Security standard. The VeriSign libraries can be deployed to provide protocol support for both client and server applications. In a typical situation, a Web service will rely on these libraries to add secure messaging to whatever business logic the Web service supports. The Trust Service Integration Kit includes three basic components: the messaging framework, the trust layer and XML resources. (1) The messaging framework brings together various VeriSign Application Programming Interfaces (APIs) to provide a robust environment for developing secure, trusted, interoperable Web services. The Java libraries enable developers to create Java objects for sending and receiving XML messages in conjunction with a customer Web service API. (2) The trust layer provides APIs for securing XML messages using public key infrastructure (PKI), and includes implementations of two key specifications, W3C XML Digital Signature and XML Encryption. These implementations emphasize ease-of-use over feature coverage... The Trust Verifier provides several mechanisms, including real-time XML Key Management Specification (XKMS) lookups, for establishing whether a public key or certificate chain is trusted. (3) The API also includes low-level resources for directly manipulating XML, building data types, navigating through document structures, validating the format of schemas and interfacing with parsers..."
[September 18, 2002] "XML-Style PKI. Does XKMS Have the Key?" By Jon Udell. In InfoWorld Issue 37 (September 13, 2002), pages 1, 16. ['The XML Key Management Specification offers hope of freeing developers from the pit of PKI despair. XKMS addresses one of the chief obstacles to workable Web services security: the complexity of Public Key Infrastructure. The problems are bigger than XKMS can solve, but it takes important steps in the right direction. XKMS has lots of right ideas: minimal client footprint, service-oriented architecture, DNS integration, and trust-provider agnosticism. The emerging model of Web services could benefit from all these things, but the road to XKMS adoption is tarred with inertia.'] "In discussions about Web services security, a large elephant enters the room: Public Key Infrastructure. PKI is a foundation of the trust services to which the SAML (Security Assertions Markup Language) and Liberty Alliance specifications refer. It also enables the signing and encryption of parts of documents as described by the WS-Security spec. Long before the Web services revolution began, PKI deployment and use was lagging behind expectations. E-commerce drove the adoption of server-side certificates, but client-side certificates, which can authenticate users to Web sites as well as sign and encrypt e-mail, never caught on. The emerging end-to-end style of Web services is going to force the issue. Channel security (that is, an HTTPS connection) won't be flexible enough for business documents that route through a chain of intermediaries, each responsible for signing, encrypting, or validating parts of those documents. Granular, item-level security is coming, and that's going to require more cryptographic keys, more certificate chains, and more people who know how to make all this stuff work... Nobody pretends there is an easy way out of the dilemma. Nevertheless, the XKMS (XML Key Management Specification), originally sponsored by VeriSign, Microsoft, and webMethods, takes important steps in the right direction. First and foremost, it pushes the logic of finding and validating certificates out of the client and into the cloud. XKMS is a Web service; if clients of that service can shed hard-coded certificate-processing logic, it will help in several ways. Mobile devices, in particular, could be streamlined. As VeriSign principal scientist Phillip Hallam-Baker points out, certificate processing is unwieldy both in terms of code (about 750KB) and data (VeriSign's Certificate Revocation List has grown to 3MB). Everyone would benefit from the dynamic nature of the service-oriented approach. In addition to insulating clients from these kinds of flaws, XKMS promises to shield them from the vicissitudes of normal PKI evolution -- for example, the shift from batch-mode certificate checking using certificate revocation lists to real-time checking using the OCSP (Online Certificate Security Protocol). What XKMS doesn't do is offload core cryptographic operations, including key generation and signing, from the client... XKMS is abstract enough to support alternative certification schemes such as PGP's (Pretty Good Privacy) Web of trust, or the linked local namespaces of SPKI/SDSI (Simple Public Key Infrastructure/Simple Distributed Security Infrastructure, or 'spooky/sudsy'), an idea that influenced the design of Groove. These systems enable natural bottom-up trust, arising from ordinary discourse, as opposed to synthetic top-down trust rooted in institutional authorities..."
[March 22, 2002] "Cyclone Commerce Unveils New Open Business Connections Suite. Cyclone First To Deliver Web Services With Built-In Security, and Inherent Support For ebXML and XKMS." - "Cyclone Commerce, the leading provider of solutions that help companies 'simply connect' to their trading partners over the Internet, today unveiled the latest version of its software suite, Cyclone Open Business Connections. The new version builds upon Cyclone's historical commitment to support every security protocol and industry standard available, while delivering new Web services capabilities that allow companies to ramp, manage and monitor their trading communities more securely and efficiently than ever before. The new Open Business Connections suite delivers: (1) An inherently secure Web services platform, to reduce deployment costs and mitigate the risks of eBusiness; (2) Full support for the XKMS protocol, to provide built-in security for Web services applications; and (3) Inherent support for ebXML, to bring consistency and unification to business processes and transactions... In addition to new Web services and security capabilities, the new Open Business Connections suite builds upon Cyclone's commitment to ensure interoperability by supporting all security protocols and every major standard available. This ensures that companies can quickly build connections with their trading partners without requiring any company to change their IT infrastructure. Cyclone has long supported numerous standards including RosettaNet, EDI, AS1/AS2, File Transfer Protocol, Simple Mail Transfer Protocol, JMS and MQSeries. In addition, Cyclone provides security connectors that include Entrust, PKCS, RDB, RSA-J, Secure Multipurpose Internet Mail Exchange and VeriSign standards."
From the VeriSign XML Trust Center. VeriSign Trust Web Services and Microsoft's .Net Framework. A Framework for Building Web Services Clients. Resources include: (1) Building an XKMS Client using the .Net Framework, by Sebastien Pouliot; (2) Signing using the .Net Framework; (3) XML Encryption application [for those interested in C#: a simple XML Encryption application created in the Visual Studio .Net.]
[May 19, 2001] W3C XML Key Management Services Workshop. W3C has announced a call for papers and registration in connection with a workshop on XML Key Management Services, to be held July 19, 2001 in Redwood City, California. The goal of the workshop is "to consider the requirements for simple key resolution and trust services for XML security applications, the degree to which the XKMS specification satisfies those requirements, and to determine if there is sufficient focus and interest to propose a W3C activity in this area." The workshop will focus upon 'questions of key trustworthiness' which hitherto have not been in scope for W3C activities under the XML Signature and XML Encryption work. The workshop organizers believe the broader questions of trust not yet fully accounted for in W3C activity, including confidence in a key, "are critical to secure XML applications, reliable XML protocols and trusted Web services. Topics likely to be discussed at this workshop include: (1) XML Security application key management requirements; (2) Dependencies upon XML Protocol, Web services, XML Query, Semantic Web, and transport protocols [e.g., HTTP]; (3) Security considerations resulting from a specification; (4) The scope of any resulting W3C Activity." Workshop attendance will be limited to forty-five (45) participants, based upon the quality of position papers submitted and [preference for] membership in a W3C Working Group. [Full context]
[April 12, 2001] XKMS Trust Services Specification Receives Broad Declaration of Industry Support. At the RSA Conference 2001 (San Francisco, April 8 - 12), a "groundswell of industry support for the XKMS specification" was interpreted as a mandate for a second-generation PKI [Public Key Infrastructure] Standard. VeriSign, Microsoft, webMethods, Baltimore Technologies, Hewlett-Packard Company, International Business Machines Corp., IONA, PureEdge, and Reuters all offered endorsements for the XML Key Management Specification (XKMS), recently accepted as a submission by W3C. VeriSign introduced its '2nd-Generation XML toolkit' as a public key infrastructure (PKI) service; Entrust Technologies announced a 'Web Services Trust Framework' for trust relationship management along with a new XML-based solution for smart card manufacturing. The XKMS specification "revolutionizes the development of trusted applications by introducing an open framework that enables virtually any developer to easily incorporate trust services directly into the application. Currently, developers must enable desktop and e-commerce applications to handle digital keys for authentication and digital signatures via the use of toolkits offered by a range of software vendors. Functions such as digital certificate processing, revocation status checking and certification path location and validation do not always interoperate with all vendors' PKI offerings. With the new XKMS specification, those functions instead reside in servers that can be accessed via easily programmed XML messages. By deploying applications within the XKMS framework, enterprises can gain broad interoperability, rapid time-to-market, significant cost savings, and scalability across intranet, extranet, and Internet commerce applications - benefits unattainable with proprietary PKI software. XKMS is compatible with the emerging standard for XML digital signatures. Designed to be implemented as a Web service, XKMS is built upon Web Services Description Language (WSDL) and Simple Object Access Protocol (SOAP). It is anticipated that future versions of the XKMS specification will be compatible with XML encryption and XML protocol." [Full context]
[June 06, 2001] "Securing Web Services using the Java Platform and XML." By Andrew Brown, Loren Hart, and Monica Pawlan. From Java Developer Connection. June 15, 2001. "In today's fast-moving world of e-commerce and information technology, savvy companies realize that to stay competitive they have to make their products and services available over the Internet. Application-to-application cooperation and communication where one company needs the products or services of another to conduct business is at the core of Web-based business-to-business communications. To enable smooth, reliable, secure, and standardized cooperation and communication, more and more companies are taking advantage of Web services. Initiatives like the Universal Discovery, Description, and Integration (UDDI) specification define ways to discover and integrate Web-based services from all over the world. Sun Microsystems, with its new Web services strategy, is no exception, especially given that its platform-independent and versatile Java technology is ideal for developing Web services... a Web service might be made up of companies (providers) in the same business sector who create software standards for setting up services to buy and sell parts. A Web service architecture is made up of providers who publish the availability of their services; brokers who register and categorize provider services and make search engines available; and requesters who use brokers to find a provider service. Web service providers need a communication standard and a way to verify the identity of companies and individuals with whom they are doing business. Extensible Markup Language (XML) has become the communication standard and Public Key Infrastructure (PKI) the verification standard. This article describes an example scenario where companies cooperate and communicate over the Internet to buy and sell parts. It also presents an example program written in the Java programming language that uses VeriSign's Trust Web service, an implementation of the XML Key Management Specification, to do cryptographic key management over the Internet using XML messaging... The XKMS specification is open, which means any company can implement an XKMS service and count on full interoperability. To encourage developers to begin using these new Web services, VeriSign has sponsored a site devoted to XML Trust Services, called the XML Trust Center, where developers can find the Java implementation of the XKMS client API. The XKMS client API includes an implementation of the XML Digital Signature specification, which provides API packages for digitally signing XML documents. An application can use Java APIs to generate cryptographic key pairs and use XKMS APIs to register those keys with an XKMS service. Public-private key pairs are registered with an XKMS service by sending the proper information about the keys in an XKMS XML message. This combination of APIs and services lets applications offload all key management operations, including key revocation in the event a key is compromised, and key recovery in the event a key is lost..."
[May 08, 2001] "Vordel's TalkXML to support Trust Infrastructure management standard - XKMS." - "Vordel, a leading provider of solutions for secure business communications today announced that future releases of its TalkXML product will support the XML key management specification (XKMS). Vordel is the leader in the development of secure XML-based applications that interoperate with all of the leading public key infrastructures worldwide. XKMS is designed to simplify application development by providing an XML-based framework for digital certificate verification. This framework is suitable for use in a web services architecture in which digital certificate processing is performed on a server optimized for cryptography, and accessed through the Simple Object Access Protocol (SOAP) protocol. Chief Technology Officer at Vordel, Mark O'Neill, explained. 'Vordel has pioneered the development of secure XML-based data transactions and this latest advancement simplifies the integration of security solutions. Because TalkXML is standards-based and supports all of the leading PKI solutions our product will be able to interoperate with certificates from any vendor and thus provide customers with a complete solution for the verification and management of certificates from any of their trading partners,' continued O'Neill. XKMS provides a sound framework for the verification of a user's digital certificate identity, according to Derek O'Carroll, VP of Business Development at Vordel. 'Providing this framework for trust will facilitate the provision of interoperable, trusted, Web-based products and services that are based on XML,' O'Carroll said. 'The ability for different companies to communicate securely over the Internet with or without human intervention is the key to successful inter-enterprise integration.' The TalkXML suite from Vordel easily facilitates secure data transmission using digital certificates over public or private networks, and between new and existing systems. TalkXML immediately raises the bottom line of any business by allowing existing systems and people to communicate securely using XML. TalkXML secures business communications, and extracts additional value from existing IT infrastructures by allowing inter-enterprise integration." See also from 2001-04-30: "Vordel announces world first for secure wireless XML transactions."
[April 11, 2001] Microsoft Issues XML Web Services Announcements. Microsoft Corporation has made "a number of product and industry announcements at different events dedicated to XML Web Services. In keynote presentations at XML DevCon Spring 2001 in New York City and at Web Services World and the W3C Workshop on Web Services in San Jose, Calif., Microsoft executives debuted a new SOAP Toolkit, announced native SOAP support for the Microsoft Windows XP operating system, invited SOAP developers to an interoperability event, confirmed acceptance of the jointly authored XML key management specification (XKMS) digital certificate specification by the World Wide Web Consortium, and presented a road map for future XML Web Services directions to the W3C Workshop on Web Services. The updated version 2.0 SOAP Toolkit provides full support for SOAP 1.1 and the Web Services Description Language (WSDL). With the new Toolkit, developers can build high-performance, commercial-quality XML Web Services or add such capabilities to any existing application that supports the Component Object Model (COM). In addition to the stand-alone Toolkit, Microsoft also announced that Windows XP would have native support for SOAP, simplifying the efforts of developers building XML Web Services on Windows XP and ensuring that customers will be able to utilize such services easily. Just as Windows 2000 was the first operating system with native XML support, Windows XP is expected to be the first in the industry with native SOAP support. Microsoft also announced its sponsorship of several upcoming interoperability events to ensure the highest level of industry compatibility around SOAP 1.1." Microsoft is supporting the XKMS specification, recently acknowledged by W3C as a submission; the specification "helps enterprises and developers use Public Key Infrastructure (PKI) digital signatures and encryption with XML Web Services." [Full context]
[November 25, 2000] XML Key Management Specification (XKMS). By VeriSign, Microsoft, and WebMethods. Comments to: Phillip Hallam-Baker, Senior Author. Draft Version 1.0: November 27, 2000. 55 pages. "This document specifies protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signature developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and an anticipated companion standard for XML encryption. The XML Key Management Specification (XKMS) comprises two parts -- the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). The X-KISS specification defines a protocol for a Trust service that resolves public key information contained in XML-SIG elements. The X-KISS protocol allows a client of such a service to delegate part or all of the tasks required to process <ds:KeyInfo> elements. A key objective of the protocol design is to minimize the complexity of application implementations by allowing them to become clients and thereby shielded from the complexity and syntax of the underlying PKI used to establish trust relationships. These may be based upon a different specification such as X.509/PKIX, SPKI or PGP. The X-KRSS specification defines a protocol for a web service that accepts registration of public key information. Once registered, the public key may be used in conjunction with other web services including X-KISS. Both protocols are defined in terms of structures expressed in the XML Schema Language, protocols employing the Simple Object Application Protocol (SOAP) v1.1 [SOAP] and relationships among messages defined by the Web Services Definition Language v1.0 [WDSL]. Other compatible expressions are possible." [cache]
"XML Key Management. XML Trust Services." VeriSign white paper. "XML Trust Services -- a four-component suite of open specifications for application developers developed in partnership with industry leaders including Microsoft, Ariba, webMethods, and Netegrity -- makes it easier than ever to integrate a broad range of trust services into B2B and B2C applications. XML complements Public Key Infrastructure (PKI) and digital certificates, the standard method for securing Internet transactions... XKMS describes mechanisms that allow XML-aware applications to easily leverage public-key infrastructure in support of digitally signed and/or encrypted XML documents. The primary objective is to allow a user of a public key -- when used to verify a digital signature or encrypt data -- to locate the required key and to associate naming or attribute information with the holder of the corresponding private key. There are two major subparts of the XML Key Management Specification: (1) Central to the XML Trust Infrastructure is the XML Key Information Service Specification (X-KISS), which defines protocols to support the processing, by a relying party, of Key Information associated with an XML digital signature, XML encrypted data, or other public key usage in an XML-aware application. Functions supported include locating required public keys given identifier information, and binding of such keys to identifier information. (2) The XML Key Registration Service Specification (X-KRSS) defines protocols to support the registration of a key pair by a key pair holder, with the intent that the key pair subsequently be usable in conjunction with the XKMS..." [cache]
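The exchange that the X-KISS descriptions above (the 2000 draft's abstract and the white paper's "locate the required key given identifier information") and the InfoWorld remark earlier on this page (an XKMS client is configured with nothing but the service URL and the certificate the service signs its replies with) boil down to, as an added Go example that is not code from the page, from VeriSign's TSIK, or from the W3C specification. A toy Locate service answers a LocateRequest for a KeyName from an in-memory directory and signs its reply; the client accepts a key binding only when the signature verifies under the pinned service key and the reply's RequestId matches its own request, and an unregistered name comes back as NoMatch with no key. Assumptions: the XKMS 2.0 namespace, element names and result-code identifiers are taken from the specification as I know it (the page does not quote them); the RSA keys and the 'alice@example.test' registration are constructed sample data; a detached RSA/SHA-256 signature over the serialized reply stands in for the enveloped XML Signature that real XKMS replies carry, and a Go function call stands in for the SOAP-over-HTTP transport.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
)

const xkmsNS = "http://www.w3.org/2002/03/xkms#" // XKMS 2.0 namespace (assumed; the page does not quote it)
// Message types: the subset of X-KISS Locate and ds:KeyInfo that the exchange below needs.
type RSAKeyValue struct{ Modulus, Exponent string } // base64 big-endian integers, as in ds:RSAKeyValue
type KeyInfo struct {
	KeyName  string       `xml:"KeyName,omitempty"`
	KeyValue *RSAKeyValue `xml:"KeyValue>RSAKeyValue"`
}
type Binding struct { // QueryKeyBinding / UnverifiedKeyBinding: a ds:KeyInfo in the XML Signature namespace
	KeyInfo KeyInfo `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
}
type LocateRequest struct {
	XMLName     xml.Name `xml:"http://www.w3.org/2002/03/xkms# LocateRequest"`
	Id          string   `xml:"Id,attr"`
	Service     string   `xml:"Service,attr"`
	RespondWith []string `xml:"RespondWith"`
	Query       Binding  `xml:"QueryKeyBinding"`
}
type LocateResult struct {
	XMLName     xml.Name `xml:"http://www.w3.org/2002/03/xkms# LocateResult"`
	RequestId   string   `xml:"RequestId,attr"` // ties the reply to the request it answers
	ResultMajor string   `xml:"ResultMajor,attr"`
	ResultMinor string   `xml:"ResultMinor,attr,omitempty"`
	Binding     *Binding `xml:"UnverifiedKeyBinding"`
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Service is a toy X-KISS responder: a name->key directory plus the key it signs every reply with.
type Service struct {
	URL       string
	SignKey   *rsa.PrivateKey
	Directory map[string]*rsa.PublicKey // constructed sample registrations
}

// Handle answers one Locate request; the detached signature over the exact reply bytes stands in for the enveloped ds:Signature of real XKMS.
func (s *Service) Handle(reqXML []byte) (resXML, sig []byte, err error) {
	var req LocateRequest
	if err = xml.Unmarshal(reqXML, &req); err != nil {
		return nil, nil, err
	}
	res := LocateResult{RequestId: req.Id, ResultMajor: xkmsNS + "Success", ResultMinor: xkmsNS + "NoMatch"}
	if pub, ok := s.Directory[req.Query.KeyInfo.KeyName]; ok { // registered name: answer with its key
		res.ResultMinor = ""
		res.Binding = &Binding{KeyInfo: KeyInfo{KeyName: req.Query.KeyInfo.KeyName, KeyValue: &RSAKeyValue{
			Modulus:  base64.StdEncoding.EncodeToString(pub.N.Bytes()),
			Exponent: base64.StdEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}}
	}
	resXML, _ = xml.Marshal(res)
	sig, err = rsa.SignPKCS1v15(rand.Reader, s.SignKey, crypto.SHA256, digest(resXML))
	return resXML, sig, err
}

// Client holds only what the InfoWorld piece says an XKMS client needs: the service URL and the service's reply-signing key.
type Client struct {
	ServiceURL string
	ServerKey  *rsa.PublicKey
	Send       func(reqXML []byte) (resXML, sig []byte, err error) // transport; SOAP over HTTP in practice
}

// Locate returns the key bound to keyName, accepting a reply only if the pinned service key signed it and it answers this very request.
func (c *Client) Locate(keyName string) (*rsa.PublicKey, error) {
	nonce := make([]byte, 8)
	rand.Read(nonce)
	req := LocateRequest{Id: fmt.Sprintf("I-%x", nonce), Service: c.ServiceURL, RespondWith: []string{xkmsNS + "KeyValue"}}
	req.Query.KeyInfo.KeyName = keyName
	reqXML, _ := xml.Marshal(req)
	resXML, sig, err := c.Send(reqXML)
	if err != nil || rsa.VerifyPKCS1v15(c.ServerKey, crypto.SHA256, digest(resXML), sig) != nil {
		return nil, errors.New("no reply verifiably signed by the configured XKMS service")
	}
	var res LocateResult // a genuine signature on some other reply is not good enough: check RequestId
	if err := xml.Unmarshal(resXML, &res); err != nil || res.RequestId != req.Id {
		return nil, errors.New("reply is malformed or does not answer this request")
	}
	if res.ResultMajor != xkmsNS+"Success" || res.Binding == nil || res.Binding.KeyInfo.KeyValue == nil {
		return nil, fmt.Errorf("no key bound to %q (ResultMinor=%s)", keyName, res.ResultMinor)
	}
	n, errN := base64.StdEncoding.DecodeString(res.Binding.KeyInfo.KeyValue.Modulus)
	e, errE := base64.StdEncoding.DecodeString(res.Binding.KeyInfo.KeyValue.Exponent)
	if errN != nil || errE != nil {
		return nil, errors.New("malformed RSAKeyValue in reply")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

func main() { // stand-alone run of the exchange with constructed keys
	srv, _ := rsa.GenerateKey(rand.Reader, 2048)
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	svc := &Service{URL: "https://xkms.example.test/", SignKey: srv, Directory: map[string]*rsa.PublicKey{"alice@example.test": &alice.PublicKey}}
	pub, err := (&Client{ServiceURL: svc.URL, ServerKey: &srv.PublicKey, Send: svc.Handle}).Locate("alice@example.test")
	fmt.Println("located and verified:", err == nil && pub.Equal(&alice.PublicKey))
}
```

The security-relevant part is what Locate refuses: a reply signed by any key other than ServerKey (including a well-formed reply from some other service), a reply altered in transit, and a reply whose RequestId belongs to a different request all fail closed, so the client's trust configuration really is just the URL and one public key, as the article claims. In a real deployment the pinned key is the service's certificate and the signature an enveloped ds:Signature checked after canonicalization, which is where most of an XKMS client's code goes.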
VeriSign 'XML Trust Services' - "XML Trust Services -- a four-component suite of open specifications for application developers developed in partnership with industry leaders including Microsoft, Ariba, webMethods, and Netegrity -- makes it easier than ever to integrate a broad range of trust services into B2B and B2C applications. (1) XML Key Management Specification (XKMS): Efficiently integrate digital signatures and encryption. (2) Security Services Markup Language (S2ML): Enable portable authentication and authorization. (3) XMLPay: Provide secure e-commerce payment processing. (4) Extensible Provisioning Protocol (EPP): Provide streamlined domain name registration..."
[February 15, 2001] "Perfect for Each Other. XML and PKI Together May Boost Trust in Online Marketplaces." By Michelle Nichols. In Intelligent Enterprise Volume 4, Number 3 (February 16, 2001), pages 10-11. "Some marriages seem meant to be: Extensible Markup Language (XML) is becoming the lingua franca of e-commerce; digital signatures offer companies a faster, cheaper method of conducting secure online transactions. VeriSign Inc., Microsoft, and WebMethods Inc. are the matchmakers bringing these two technologies together. These companies all have a stake in raising the level of trust in online transactions: Mountain View, Calif.-based VeriSign plays a significant role in the growing acceptance of digital signatures; WebMethods, based in Fairfax, Va., helps companies set up business-to-business (B2B) marketplaces; and Microsoft's .Net architecture and BizTalk server are largely targeted at online marketplaces. For these marketplaces to mature and become more popular, businesses must be confident that transactions are legally enforceable and verifiable. Digital signatures, which have the backing of federal law, can verify identities on both sides of the transaction and the content of the transaction itself. But adopting a public key infrastructure (PKI) framework, the basis of many digital signature technologies, is not simple and can be expensive. But help may be on the way: Microsoft, VeriSign, and WebMethods recently introduced the XML key management specification (XKMS), which they believe will simplify integrating digital signatures and data encryption with Web applications. They also hope to speed development of applications using these technologies by making XKMS publicly available and submitting the specification to Web standards bodies for consideration as an open Internet standard. The companies assert that the XKMS spec, along with the recently drafted XML digital signature standards and the emerging XML encryption standard, can provide an open framework for interoperability across applications. (Microsoft plans to include XKMS in its .Net architecture.) XKMS is also compatible with the emerging standards for Web services description language (WSDL) and simple object access protocol (SOAP)..."
[February 13, 2001] XKMS Mailing List and Interest Group Meeting. Phillip Hallam-Baker (VeriSign, Inc.) posted an announcement for a new mailing list to support the work of anyone interested in the development/interoperability/standardization of XKMS. The "XML Key Management Specification (XKMS)" specification defines protocols "for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signature developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and an anticipated companion standard for XML encryption." An XKMS interest group meeting will be held in Cambridge, MA on March 01, 2001, coordinated with meetings of the W3C XML Encryption Working Group [the March 1st XML Encryption FTF] and the OASIS XML Security Services Technical Committee. [Full context]
[November 30, 2000] "VeriSign, Microsoft and webMethods Announce Breakthrough XML-based Specification to Enable Interoperable Digital Signatures and Encryption for B2B and B2C Transactions. New Open Specification to Accelerate Deployment of Secure E-Commerce Applications." - "VeriSign Inc., Microsoft Corp. and webMethods Inc. today introduced a breakthrough XML-based framework -- the XML key management specification (XKMS) -- to enable a broad range of software developers to seamlessly integrate digital signatures and data encryption into e-commerce applications. To accelerate the development of applications incorporating these advanced technologies, the XKMS specification -- jointly designed and prototyped by VeriSign, Microsoft and webMethods with industry support from other technology leaders -- was made publicly available today and will be submitted to the appropriate Web standards bodies for consideration as an open Internet standard. In addition, XKMS will be built into the Microsoft .NET architecture to ensure broad and rapid adoption of this framework in both B2B and B2C environments. The new XKMS specification revolutionizes the development of trusted B2B and B2C applications by introducing an open framework that enables virtually any developer to easily access applications from any public key infrastructure products and services. With the XKMS specification, developers are able to integrate advanced technologies such as digital signature handling and encryption into their web-based applications. The XKMS specification promotes the interoperability of advanced technologies because it is based on XML, a rapidly growing standard for application development. Currently, developers choosing to enable applications to handle digital keys for authentication and digital signatures are often required to purchase and integrate specialized toolkits from a Public Key Infrastructure (PKI) software vendor which only interoperate with that vendor's PKI offerings. Functions such as digital certificate processing, revocation status checking, and certification path location and validation are all built into the application via the toolkit. With the new XKMS specification, those functions are no longer built into the application but instead reside in servers that can be accessed via easily programmed XML transactions. The XKMS architecture, along with the recently drafted XML digital signature standards and the emerging XML encryption standard, provides a complete framework for ensuring broad interoperability across applications developed by enterprises, B2B exchanges and other Internet communities of interest. XKMS is also compatible with the emerging standards for Web Services Description Language (WSDL) and Simple Object Access Protocol (SOAP)..."
[November 30, 2000] "Microsoft, Others Offer XML-Based Encryption Scheme." By Tom Sullivan and James Evans. In InfoWorld (November 29, 2000). "Microsoft, VeriSign, and webMethods on Wednesday introduced a security specification that works to simplify the integration of PKI (public key infrastructure) and digital certificates with XML applications. The three companies have released the specification, dubbed XKMS (XML Key Management Specification), and will submit it to the appropriate Web standards bodies for consideration as an open Internet standard, the companies said in a statement. Without XKMS, applications are required to understand the guts of the PKI architecture, which works fine if the applications are PKI-aware, according to John Pescatore, research director for Internet security at Gartner Group in Stamford, Conn. But for applications that are not PKI-aware, such as a variety of forms applications, databases, and transaction processing, XML is a way to avoid having to work with PKI. Pescatore maintains that XKMS won't chase away PKI-related standards such as PKIX, the combination of PKI and X.509 certificate standards, anytime soon, though. 'XKMS will still be an alternative to PKIX because with XML, users have to agree on schemas and different trading communities will use different schemas,' he said. Unlike PKI, XKMS is designed to let developers integrate authentication, digital signature, and encryption services -- such as certificate processing and revocation status-checking -- in Web-based applications. This will allow developers to avoid using proprietary software toolkits from PKI software vendors, according to the companies. The specification works with trust functions residing on servers, accessible via programmed XML transactions. XKMS is compatible with standards for WSDL (Web Services Description Language) and SOAP (Simple Object Access Protocol). Basing the specification on XML and SOAP inserts security at the language level..."
[November 30, 2000] "XML Specification Introduced." By George V. Hulme. In CommWeb (November 30, 2000). "With the hope of allowing easier integration of digital certificates and data encryption into E-commerce applications, VeriSign, Microsoft, and WebMethods have introduced the XML Key Management Specification. Companies trying to implement public key infrastructure in their E-business applications often run into a brick wall, says John Pescatore, Gartner Group research director. 'Most of these applications don't have PKI built in, and that means you have to invest to build PKI smarts into every application.' Hurwitz Group security analyst Pete Lindstrom agrees, saying it makes good sense to utilize the Extensible Markup Language to help companies tackle the difficult tasks of digital signature processing, revocation status checking, and certification path location and validation..."
[December 01, 2000] "Microsoft, VeriSign Team on E-commerce Security." By Melanie Austria Farmer. In CNET News.com (November 29, 2000). "Microsoft, VeriSign and WebMethods said Wednesday they have developed technology designed to make it easier to use digital signatures and other online security tools with e-commerce applications. The software trio is aiming to make the new technology, called the XML (Extensible Markup Language) key management specification (XKMS), a standard. The technology is intended to help programmers easily add digital signatures and data encryption to their e-commerce applications. Security software like digital signatures, online authentication and data encryption help secure contracts and transactions carried out on popular online marketplaces and other e-commerce sites. The companies said XKMS is available Wednesday and they intend to submit it to the appropriate Web standards bodies for consideration as an open Internet standard. Online security is becoming increasingly important to companies that intend to build their business over the Internet, especially with the sudden boom of online marketplaces. Both Fairfax, Va.-based WebMethods, which assists companies in setting up business-to-business online marketplaces, and Microsoft, based in Redmond, Wash., have been active in the growing industry. 'A new standard for the XML-based trust services architecture will enable trust through stronger authentication and will ultimately help deliver XML's promise of expanded e-commerce across the board,' Jeremy Epstein, principal security architect at WebMethods, said in a statement. With the XKMS specification, software developers will be able to combine some of these newer technologies, like digital signatures, into their Web-based applications, the companies said. 
Analysts say that by having a standard such as XKMS in place, companies will have the potential to speed the process of finalizing an online contract or completing a transaction by being able to accept a legitimate signature electronically, as opposed to sending a fax with a handwritten one. Meta Group analyst David Thompson said that for the most part, companies have put online security on the back burner, choosing first to iron out other concerns such as gaining marketplace participants and determining which sites to join."
[November 30, 2000] "Microsoft backs XML security spec." By John Geralds. From VUNET.COM (November 30, 2000). "Microsoft has teamed up with software partners VeriSign and WebMethods to launch a specification aimed at simplifying digital signatures used in ecommerce applications. To ease the integration of public key infrastructure (PKI) and digital certificates, the three companies have created the XKMS spec (XML Key Management Specification) which they say makes it easier for programmers to create online applications with digital signatures. Currently, developers are required to buy and integrate specialised toolkits from a PKI software vendor. These toolkits only interoperate with that vendor's PKI offerings. But developers can use XKMS to integrate authentication, digital signatures and encryption services, such as certificate processing and revocation status checking, into applications. Warwick Ford, chief technology officer at VeriSign, said: 'For the next generation of ecommerce applications to truly support high-value transactions, the handling of digital keys for online authentication, digital signatures and data encryption must be simple to integrate, and must interoperate across a broad range of enterprise applications.' The specification works with trust functions residing on servers and accessible through programmed XML transactions. XKMS is also compatible with emerging standards for web services description language (WSDL) and simple object access protocol (Soap). The specification will be submitted to the appropriate web standards bodies, and Microsoft said XKMS will be integrated into its .Net architecture. Analysts said that by having a standard such as XKMS it will be possible for companies to accelerate the process of finalising an online contract or completing a transaction by having the capability to accept a legitimate signature electronically..."
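The articles above all describe the same delegation pattern: the application sends an XML request to a trust service and receives a verdict, instead of linking a PKI toolkit that builds certification paths and checks revocation itself. The following is an added illustration of what such an exchange looks like at the client end; it is not code from the page or from VeriSign, Microsoft or webMethods. It assumes the XKMS 2.0 element names and URI constants (ValidateRequest, KeyBinding, Status, the Success/Valid/Invalid values and the IssuerTrust/RevocationStatus/ValidityInterval/Signature reasons); the service URL, identifiers and both responses are constructed by hand for the example. The security point it makes is that the client must fail closed: only a Success result whose KeyBinding is Valid for every reason the application cares about is accepted, and a Locate result, which carries only UnverifiedKeyBinding elements, is never treated as a trust decision.

```python
"""Client-side view of an XKMS 2.0 Validate exchange (added example).

Assumptions: XKMS 2.0 element/URI names; the service URL and the two
responses below are constructed for illustration, not captured traffic.
"""
import uuid
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)

SUCCESS = XKMS + "Success"
VALID = XKMS + "Valid"
# Reasons the application requires the service to assert before it trusts
# a key: issuer chain, revocation, validity period and binding signature.
REQUIRED_REASONS = {XKMS + "IssuerTrust", XKMS + "RevocationStatus",
                    XKMS + "ValidityInterval", XKMS + "Signature"}


def build_validate_request(service_url, application, identifier, key_usage="Signature"):
    """Return a ValidateRequest asking the service whether the key bound to
    `identifier` for `application` may be used for `key_usage`.  The client
    carries no PKI logic: path building and revocation checks are the
    service's job, and only its verdict comes back."""
    req = ET.Element(f"{{{XKMS}}}ValidateRequest",
                     {"Id": "I" + uuid.uuid4().hex, "Service": service_url})
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "KeyValue"
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    ET.SubElement(qkb, f"{{{XKMS}}}KeyUsage").text = XKMS + key_usage
    ET.SubElement(qkb, f"{{{XKMS}}}UseKeyWith",
                  {"Application": application, "Identifier": identifier})
    return ET.tostring(req, encoding="unicode")


def interpret_validate_result(xml_text):
    """Reduce a ValidateResult to a decision.  Accept only when the root is a
    ValidateResult, ResultMajor is Success, the first KeyBinding is Valid and
    every required ValidReason is present.  Invalid, Indeterminate, a missing
    binding or a protocol-level failure all reject (fail closed).
    Verifying the ds:Signature the service places on the response is a
    separate, mandatory step that this function deliberately leaves out."""
    root = ET.fromstring(xml_text)
    result_major = root.get("ResultMajor")
    binding = root.find(f"{{{XKMS}}}KeyBinding")
    status = binding.find(f"{{{XKMS}}}Status") if binding is not None else None
    status_value = status.get("StatusValue") if status is not None else None
    reasons = set()
    if status is not None:
        reasons = {r.text.strip() for r in status.findall(f"{{{XKMS}}}ValidReason")}
    accept = (root.tag == f"{{{XKMS}}}ValidateResult"
              and result_major == SUCCESS
              and status_value == VALID
              and REQUIRED_REASONS <= reasons)
    return {"accept": accept, "result_major": result_major,
            "status": status_value, "reasons": sorted(reasons)}


# Constructed responses (not from a real service).  urn:ietf:rfc:2633 is the
# XKMS application identifier for S/MIME.
_HEAD = (f'<ValidateResult xmlns="{XKMS}" xmlns:ds="{DS}" Id="I2" RequestId="I1" '
         f'Service="https://xkms.example.test/xkms" ResultMajor="{SUCCESS}">'
         '<KeyBinding Id="K1"><ds:KeyInfo><ds:KeyName>alice@example.test</ds:KeyName></ds:KeyInfo>'
         f'<KeyUsage>{XKMS}Signature</KeyUsage>'
         '<UseKeyWith Application="urn:ietf:rfc:2633" Identifier="alice@example.test"/>')
_TAIL = '</KeyBinding></ValidateResult>'

SAMPLE_VALID = _HEAD + (
    f'<Status StatusValue="{XKMS}Valid">'
    f'<ValidReason>{XKMS}IssuerTrust</ValidReason>'
    f'<ValidReason>{XKMS}RevocationStatus</ValidReason>'
    f'<ValidReason>{XKMS}ValidityInterval</ValidReason>'
    f'<ValidReason>{XKMS}Signature</ValidReason></Status>') + _TAIL

# Same key, but the service found it revoked: chain and period still check
# out, so they are reported as ValidReason, while revocation is InvalidReason.
SAMPLE_REVOKED = _HEAD + (
    f'<Status StatusValue="{XKMS}Invalid">'
    f'<ValidReason>{XKMS}IssuerTrust</ValidReason>'
    f'<ValidReason>{XKMS}ValidityInterval</ValidReason>'
    f'<ValidReason>{XKMS}Signature</ValidReason>'
    f'<InvalidReason>{XKMS}RevocationStatus</InvalidReason></Status>') + _TAIL

if __name__ == "__main__":
    print(build_validate_request("https://xkms.example.test/xkms",
                                 "urn:ietf:rfc:2633", "alice@example.test"))
    print(interpret_validate_result(SAMPLE_VALID))
    print(interpret_validate_result(SAMPLE_REVOKED))
```

The revoked response is the case worth studying: three of the four reasons are still reported as valid, so a client that merely looks for the presence of ValidReason elements, or ignores StatusValue, would accept a revoked key. Requiring both the Valid status and the full reason set is what makes the delegation safe.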
[November 30, 2000] "VeriSign Introduces New Suite of XML Specifications for Seamless Links to Web Identity, Online Authentication, Authorization and Payment Services. Enterprise Developers, B2B Exchanges and Independent Software Vendors to Benefit from Open, Interoperable Internet Trust Infrastructure." - "VeriSign, Inc., a leading provider of Internet trust services, today announced a range of XML-based specifications and services designed to enable enterprise developers, B2B exchanges, independent software vendors (ISVs) and service providers to link their applications seamlessly to Web identity, online authentication, authorization, digital signature, encryption and payment services. These specifications are being introduced in conjunction with today's public release of the XML Key Management Specification (XKMS) by VeriSign, Microsoft and webMethods. The new XML specifications are designed to work with VeriSign's existing Web identity, authentication, payment and validation services and greatly simplify interoperability of e-commerce transactions. In addition to the new XKMS specification announced today by VeriSign, Microsoft and webMethods, VeriSign has also developed a suite of XML specifications for Web identity management, online authorization and payment processing: (1) Provisioning of Web Identity Services -- To assist domain name registrars and others in accessing VeriSign's global registry data faster and easier, VeriSign has developed the Extensible Provisioning Protocol (EPP) to support an XML-based management utility for vendors of online identity services. EPP will enable VeriSign's accredited registrar partners to sell domain names, telephone numbers and future identification assets through a new extensible protocol. This protocol will allow for greater sharing of information and flexibility as new identification technologies gain acceptance. 
The EPP specification has been submitted to the Internet Engineering Task Force (IETF) for consideration as an Internet standard. (2) Authorization Across E-Business Platforms with S2ML -- VeriSign is working with multiple industry partners, including Netegrity, to develop S2ML, a common language for sharing authentication and authorization services through XML documents. This standard is compatible with XKMS and enables interoperability between security systems or infrastructure systems that need to communicate about information such as authentication, authorization and profile information. S2ML is designed to work with multiple XML document exchange protocols and frameworks such as SOAP, OAG, MIME, Biztalk, and ebXML. (3) Payment Specifications for both B2B and B2C Applications -- VeriSign's XML Pay is an XML specification for payment requests and responses in a distributed, web-based payment transaction environment. The typical user of XML Pay is an Internet merchant or merchant aggregator who wants to dispatch consumer credit card, debit card, corporate purchase card, automated clearinghouse (ACH), or other payment requests to a financial processing network. Users can create an XML Pay client payment request and dispatch it to an associated XML Pay-compliant server. Responses are formatted in XML and convey the results of the payment requests to the client. XML Pay also helps businesses secure and gain intelligence from their transactions since it supports digital certificate-based identification and authentication, digital signatures, and the generation and archiving of digital receipts..."
See also: "XML Digital Signature (IETF/W3C)"