Seeking to put its stamp on procedures for digital signatures and
timestamping within XML Web services, the Organization for the Advancement of
Structures Information Standards (OASIS) Wednesday announced the
formation of the OASIS Digital Signature Services Technical Committee.
Another standards body, the World Wide Web
Consortium (W3C), has already done much to advance specifications that
deal with digital signatures and cryptographic timestamping services in Web
services, with the XML
Signature and XML Key
Management specifications, as well as closely related specifications
like XML Encryption and Exclusive XML
Canonicalization.
OASIS promised to build on that work, as well as on standards that it is
developing, including eXtensible Access
Control Markup Language (XACML), Security Assertion
Markup Language (SAML), and Web Services Security
(WS-Security).
“This new OASIS technical committee will build on the foundational work
that the W3C has accomplished in the area of digital signatures,” said Karl
Best, director of technical operations for OASIS. “Maintaining active
liaisons with other initiatives — both internal external to OASIS — will
ensure that the output of this committee will fit well within the ‘big
picture’ of security standards.”
Robert Zuccherato of Entrust, chair of the new technical committee, added,
“I really see our work as being complementary to that work. W3C has really
done a lot of work in defining signature format and key management, and
this is really building upon this work.”
Some of the member organizations which will serve on the Digital Signature
Services Technical Committee — which includes IONA, NIST, webMethods,
TIBCO, Verisign and Entrust — also serve on the W3C’s XML Signature
Working Group, according to OASIS’ Carol Geyer.
The new committee is intended to continue work on digital signatures and
timestamping within the Web services sphere, allowing the technology to
provide the integrity and accountability businesses demand for online
business transactions.
“”Where we see a big hole right now is in signature verification and
generation,” Zuccherato said. “For a lot of clients, that’s a very
difficult procedure. What this work will do is allow the clients to offload
a lot of that work to central servers [within the enterprise] and allow
those servers to do all the hard work.”
“Our work at OASIS will allow organizations to determine the parties
involved in a transaction and the specific moment in time when a
transaction occurred, with the assurance that the transaction has not been
altered since it was digitally signed,” Zuccherato added. “These are all
essential
attributes of important business transactions.”
Many firms investigating the use of Web services within their organizations
have cited the need for security and logging/auditing support before they
are willing to deploy Web services. A recently
released survey jointly developed by the Software & Information
Industry Association (SIIA) and Systinet showed that about 95 percent of
the 790 respondents cited security as a requirement and just over 90
percent cited logging/auditing.
“I would say that we’re getting close to one of the final pieces of the
puzzle,” Zuccherato said. “A lot of the building blocks are there now, I
think.”