OASIS steps up security agenda

OASIS is on tap to execute two high-profile moves this week that should bolster the standards consortium's growing influence within the nascent Web services security realm.

On Monday, OASIS (Organization for the Advancement of Structured Information Standards) announced that it has expanded its organization to include the PKI Forum as its newest Member Section.

In addition, OASIS could officially ratify the first version of SAML (Secure Access Markup Language) as early as Wednesday, accelerating adoption and cross-industry use of the authentication and authorization protocol, according to OASIS officials.

The marriage between OASIS and the three-year-old PKI Forum security advocacy group will allow OASIS to concentrate future development into the use of PKI as a vital and trusted cog to enable secure e-business transactions involving Web services applications, said Patrick Gannon, president and CEO of OASIS.

"We think by OASIS providing a home [for PKI Forum] it will increase confidence for organizations and companies in the deployment of PKI," said Gannon. "It will provide a way for people to view a more seamless adoption of PKI infrastructure and how that fits within the expanding e-business and Web services world."

Dogged by complexity, integration difficulties, and user apathy, PKI -- and vendors such as Entrust, RSA, and Baltimore Technologies that have championed the technology -- have discovered the buyer market to be unkind thus far. However, security experts see future promise for PKI in the assertion signing and management challenges that Web services will pose.

"Most of these XML-based security protocols being developed [for Web services] talk about encryption, signing [and] assertions," said Gerry Gabel, analyst at The Burton Group, in Salt Lake City. "This cries out for team management and there may be a role for PKI to step out and actually provide value there.

"If they have a charter to expand the use of PKI, this seems like an obvious place to make this happen under the auspices of OASIS," he added.

However, Gabel said it remains to be seen if the security provider community can pull off the Herculean task of making customers forget about the failed history or shelf-ware remnants of PKI. To find success, he notes, PKI must be woven into the background of customers' security operations, where they would not have to install a certificate authority into a directory, create a certificate authority, or install any form of client software, but would rather have it bundled in with a larger security or application offering.

According to Gannon, members of the PKI Forum gain OASIS membership status and are eligible to contribute to technical work being done within the standards consortium. In turn, OASIS members can actively participate in PKI committee work. Gannon said OASIS will maintain PKI Forum's Web site and research at www.pkiforum.org.

Also this week, OASIS will count votes collected at the close of October to determine whether SAML 1.0 and its capability to exchange security objects in a standard format will be rubberstamped and ready for rollout. Although many security vendors already offer or are developing SAML-ready products and services, OASIS' release of the specification is important for any type of last-minute changes that may have occurred.

Mark Chanliau, senior product manager of XML technologies for Netegrity and an OASIS charter member, said SAML 2.0 will be more "ambitious" in standardizing credentials -- an aspect removed from earlier versions of the protocol. Further, Chanliau said SAML 2.0 could include synchronized sessioning and a profile for SAML that defines how a SAML assertion is inserted into a WS-Security context.

Netegrity features two SAML-ready products, including TransactionMinder and SiteMinder.
