A dozen vendors Wednesday said they will produce a security specification for XML to help XML-based applications share user authentication and authorization information across online supply-chain environments or trading exchanges.
These industry backers say the specification, called the Security Services Markup Language - or S2ML for short - is nearly complete, and they expect to soon submit the technology as a proposed standard to the World Wide Web Consortium (W3C) and Oasis, an organization working on XML technical and business issues. Backers of the S2ML spec include Netegrity Inc., Sun Microsystems Inc., WebMethods Inc., VeriSign Inc., Art Technology Group, PricewaterhouseCoopers LLP, Tibco Software Inc., Jamcracker Inc., Bowstreet Software Inc. and Commerce One Inc., among others.
"S2ML is intended for use in e-commerce where companies distribute transactions across sites, such as exchanges or supply-chain hubs," said Bill Bartow, vice president of marketing at Netegrity, which provide Web-access and control software. "How do companies that have completely different platforms exchange information about authenticated users and authorization? We think S2ML address this barrier."
Dave Hofert, senior marketing manager at Sun's XML Technology Center, claims S2ML will provide a way to build standardized security services into e-commerce applications using XML, including those built with another XML spec called ebXML.
Other vendors say they expect the S2ML-style authentication and authorization to eventually replace the proprietary methods they use in their products today to capture and store authentication information, such as passwords and IDs.
"This is going to allow Web server and application servers to operate in a standard way to define authorization entitlements," said Jeremy Epstein, principal security architect at WebMethodsHowever, the backers behind S2ML admit they have not yet tested the nearly finalized specification in cross-vendor applications to determine its operational viability.
Previous industry efforts to create a common specification - including one called the Authorization APIs, which has been approved by the Open Group - have had a modicum of success but found limited adoption. But backers of S2ML claim that the ease of working with XML metatags will make it fairly easy to implement.
In online marketplaces, for example, the user authentication data could be inserted inside an XML document to travel with the user across the site, while the exchange would provide a way to gather up the XML-based security information and push it over to another part of the exchange, they argue.
"This way, a buyer could move from the buyside part of the exchange into the sellside without having to repeat the authentication again," Bartow suggested.
The vendors anticipate completing the specification within a month, submitting S2ML to the W3C and Oasis for review. Several vendors, though, said the W3C is not moving quickly enough on XML standards, and they foresee faster action over at Oasis.