RealTime IT News

VeriSign Intros WS-Security Implementation, Toolkit

Building on the WS-Security specification it crafted with IBM and Microsoft, VeriSign Tuesday introduced a royalty free open source WS-Security implementation and integration toolkit intended to aid developers in integrating digital signatures and encryption in Web services.

Mountain View, Calif.'s VeriSign said the implementation will be provided through its open source libraries, giving enterprises, software developers and system integrators the resources to build interoperable, trusted Web services that use the proposed WS-Security standard. VeriSign said its open source libraries can be deployed to provide protocol support for both client and server applications.

Meanwhile, the VeriSign Trust Service Integration Kit (TSIK), a Java-based developer toolkit for integrating security capabilities into Web services, includes security features for Web services like XML Signature, XML Encryption and XML Key Management Services. The TSIK consists of three basic components: the messaging framework, the trust layer and XML resources.

The messaging framework can be used to specify signing and encryption keys for assuring authentication, data integrity and confidentiality, and can be augmented with trust assertions to add authorization capabilities for access management.

The trust layer provides APIs for security XML messages using public key infrastructure (PKI), and includes implementations of the W3C XML Digital Signature and XML Encryption specifications. The API also includes a VeriSign-designed interface dubbed the "Trust Verifier," which gives developers the ability to enforce trust policies for applications using real-time XML Key Management Specification lookups.

Finally, the TSIK also includes low-level resources for directly manipulating XML, building data types, navigating through document structures, validating the format of schemas and interfacing with parsers.

VeriSign said its open source Java libraries will be available at Sourceforge.net later in December, though it noted those downloading the libraries with the intention of implementing them as part of a product offering may be subject to licensing terms set by IBM and Microsoft. The TSIK will be available for download here .

In related news, VeriSign also announced the general availability of its Consumer Authentication Service (CAS) Tuesday. CAS is a standard Web service for online identity verification and management, intended to provide automated, real-time, 24x7 access to multiple sources of consumer data and optimized scoring models to allow enterprises to authenticate buyers.

VeriSign said one of the first customers of the service is eBay.

"Verifying online identities makes a tremendous amount of sense for companies because it enables them to improve productivity and cost-efficiency through tried-and-true fraud management technologies," said Anil Pereira, executive vice president of enterprise services at VeriSign. "This is what Web services is all about -- providing solutions that automate complex business processes online so that companies can focus more attention on their core competencies."

CAS uses a predefined set of XML standards to connect to an enterprise's customer-facing Web application. The authentication data entered by the consumer is automatically routed using XML and encryption through VeriSign's services and checked against a number of data sources to cross-verify and risk-rank the consumer identity in real time. Verification of the identity is then automatically reported back to the application and the consumer using the underlying XML data. The entire transaction is secured with SSL encryption.