XML security fix in the works

Internet tech could tighten computer plumbing for online transactions

One of the inconveniences of using the Internet for conducting government business is remembering all of the user names and passwords needed to visit different, but related, Web sites. This repeated grilling highlights the incompatibilities common between the security systems that protect most federal Web sites — but a solution to the problem may be just around the corner.

Last month, a group of computer vendors began working on a new data standard for exchanging security information that would bridge disparate security systems and provide a seamless, secure environment for online business and services.

The specification, still to be named officially, is yet another important piece of computer plumbing that will use Extensible Markup Language, or XML, to streamline and lower the cost of building computer-to-computer connections. Among other advantages, it will allow users to enter one Web site, then access cooperating sites without having to log on again.

"It's not that this kind of single sign-on technology can't be done now, but a lot of it is custom-coded, and a lot of it is proprietary," said Eve Maler, an XML standards architect at Sun Microsystems Inc. and chairwoman of the committee developing the specification. "This will give customers a lot more freedom and choice when building systems — those typical benefits of standardization."

Some 20 vendors are working on the specification, including Baltimore Technologies plc, Cisco Systems Inc., Hewlett-Packard Co., IBM Corp., Netegrity Inc., Securant Technologies Inc., SilverStream Software Inc. and Sun Microsystems. The committee meets under the auspices of the nonprofit Organization for the Advancement of Structured Information Standards (OASIS), based in Billerica, Mass. The plan is to have a final version of the specification available for OASIS review by Sept. 1, but Maler expects some vendors will offer products using the specification in a couple of months.

The specification will allow systems to securely exchange authentication, authorization and profile information. It will not require the development of new technology. Instead, it defines a common language for describing the information generated by security systems in XML (see box). In addition to enabling single sign-on, the specification can be used to share security information within online trade exchanges or by a trusted third-party security service provider to dole out authorizations to other Web sites. Once the authorization and profile information are described in XML, the entire package of data can be encrypted, just like any other type of data, for delivery via the Internet. But XML is more than just a way to describe data. It also provides a logical organizational scheme that allows software programmers to make data exchanges more efficient.

"Because XML has an inherent tree structure and outline structure inside of it, it presents opportunities to do things like attach a digital signature to just a part of [a transaction] or to encrypt just part of it," Maler said. In fact, complementary work is under way at the World Wide Web Consortium, an Internet standards organization, to develop XML-based digital signatures and encryption methods.

At this point, the specification is still not on most federal agencies' radar screens, but some government IT managers can easily envision its benefits.

Mark Kaprow, an Internet project manager with the office of the chief information officer at the General Services Administration, noted that GSA operates numerous password-protected Web sites, including its main site, the GSA Advantage shopping site and FedBizOpps.gov, where agencies can solicit vendor bids.

"Conceivably, down the road, it'd be nice if somebody signed into one site, then went to another [and did] not have to sign in again," Kaprow said.

The starting point for the OASIS committee's work is a specification called Security Services Markup Language (S2ML), whose chief backer was Netegrity. Late last year, Netegrity competitor Securant Technologies proposed a similar XML-based security specification called AuthXML. However, both vendors, along with their respective backers, agreed to collaborate through OASIS to develop a unified specification.

XML is becoming extremely popular as a way to standardize functional tasks, such as security services, and to facilitate industry-specific transactions, such as financial information.

"The interest in XML is in my view almost unparalleled," said Mark Skall, chief of the software diagnostics and conformance testing division at the National Institute of Standards and Technology. "Right now we believe XML is a key enabling technology for electronic commerce."

NIST typically is not involved with developing or endorsing such adaptations — or what are sometimes called "business overlays" — of XML standards. But it does play a crucial supporting role. It provides a free software-based XML test suite that software developers and end users can employ to ensure that the XML processor used in a product follows the rules of the language. The test suite is available at www.oasis-open.org.
