Web security standards no easy task

With each transition in computing came a need to rewrite underlying security protocols

Computing technology has moved in waves, starting with mainframes, moving to PCs and client/server models and then to the Web. With each of these transitions came a need to rewrite underlying security protocols so they can operate in new environments.

With Extensible Markup Language serving as the foundation for the next wave — collectively referred to as Web services — there comes the requirement to add security functions to the markup language. Because this new computing paradigm focuses on the complex interplay of hardware, software and networking, a number of standards groups are involved in the process, including the Internet Engineering Task Force (IETF), the World Wide Web Consortium (W3C) and the Organization for the Advancement of Structured Information Standards (OASIS).

These groups have devised more than a dozen security protocols that will play a role in delivering Web services. Here are brief descriptions of the specifications, the roles they will play in electronic transactions and the groups responsible for them.

From OASIS:

* Security Assertion Markup Language helps users and computers authenticate and authorize information exchanges.

* Extensible Access Control Markup Language is a specification for expressing policies for information access.

* Service Provisioning Markup Language defines how to exchange user, resource and service provisioning information.

* Web Services Security adds XML security protocols to Simple Object Access Protocol.

* Extensible Rights Markup Language manages copyrights for digital content.

* XML Common Biometric Format defines an XML version of the Common Biometric Exchange File Format.

From W3C:

* XML Digital Signature provides integrity, signature assurance and nonrepudiation of various transactions.

* XML Encryption encrypts and decrypts digital content.

* XML Key Management Specification provides a method for obtaining cryptographic keys.

From IETF:

* Transport Layer Security builds on Secure Sockets Layer to secure Internet traffic between two points.

* Simple Authentication and Security Layer adds authentication to connection-based protocols.

* Kerberos provides tickets for authenticating users.

* Blocks Extensible Exchange Protocol helps establish quality of service over the Internet.
