RealTime IT News

OASIS Tackles Signatures, Timestamping

Seeking to put its stamp on procedures for digital signatures and timestamping within XML Web services, the Organization for the Advancement of Structured Information Standards (OASIS) Wednesday announced the formation of the OASIS Digital Signature Services Technical Committee.

Another standards body, the World Wide Web Consortium (W3C), has already done much to advance specifications that deal with digital signatures and cryptographic timestamping services in Web services, with the XML Signature and XML Key Management specifications, as well as closely related specifications like XML Encryption and Exclusive XML Canonicalization.

OASIS promised to build on that work, as well as on standards that it is developing, including eXtensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML), and Web Services Security (WS-Security).

"This new OASIS technical committee will build on the foundational work that the W3C has accomplished in the area of digital signatures," said Karl Best, director of technical operations for OASIS. "Maintaining active liaisons with other initiatives -- both internal and external to OASIS -- will ensure that the output of this committee will fit well within the 'big picture' of security standards."

Robert Zuccherato of Entrust, chair of the new technical committee, added, "I really see our work as being complementary to that work. W3C has really done a lot of work in defining signature format and key management, and this is really building upon this work."

Some of the member organizations which will serve on the Digital Signature Services Technical Committee -- which includes IONA, NIST, webMethods, TIBCO, Verisign and Entrust -- also serve on the W3C's XML Signature Working Group, according to OASIS' Carol Geyer.

The new committee is intended to continue work on digital signatures and timestamping within the Web services sphere, allowing the technology to provide the integrity and accountability businesses demand for online business transactions.

"Where we see a big hole right now is in signature verification and generation," Zuccherato said. "For a lot of clients, that's a very difficult procedure. What this work will do is allow the clients to offload a lot of that work to central servers [within the enterprise] and allow those servers to do all the hard work."

"Our work at OASIS will allow organizations to determine the parties involved in a transaction and the specific moment in time when a transaction occurred, with the assurance that the transaction has not been altered since it was digitally signed," Zuccherato added. "These are all essential attributes of important business transactions."

Many firms investigating the use of Web services within their organizations have cited the need for security and logging/auditing support before they are willing to deploy Web services. A recently released survey jointly developed by the Software & Information Industry Association (SIIA) and Systinet showed that about 95 percent of the 790 respondents cited security as a requirement and just over 90 percent cited logging/auditing.

"I would say that we're getting close to one of the final pieces of the puzzle," Zuccherato said. "A lot of the building blocks are there now, I think."