VeriSign Intros WS-Security Implementation, Toolkit

Building on the WS-Security specification it crafted with IBM and
Microsoft, VeriSign Tuesday introduced a royalty free
open source WS-Security implementation and integration toolkit intended to
aid developers in integrating digital signatures and encryption in Web
services.


Mountain View, Calif.’s VeriSign said the implementation will be provided through its open source
libraries, giving enterprises, software developers and system integrators
the resources to build interoperable, trusted Web services that use the
proposed WS-Security standard. VeriSign said its open source libraries can
be deployed to provide protocol support for both client and server
applications.


Meanwhile, the VeriSign Trust Service Integration Kit (TSIK), a Java-based
developer toolkit for integrating security capabilities into Web services,
includes security features for Web services like XML Signature, XML
Encryption and XML Key Management Services. The TSIK consists of three
basic components: the messaging framework, the trust layer and XML
resources.


The messaging framework can be used to specify signing and encryption keys
for assuring authentication, data integrity and confidentiality, and can be
augmented with trust assertions to add authorization capabilities for
access management.


The trust layer provides APIs for security XML messages using public key
infrastructure (PKI), and includes implementations of the W3C XML Digital
Signature and XML Encryption specifications. The API also includes a
VeriSign-designed interface dubbed the “Trust Verifier,” which gives
developers the ability to enforce trust policies for applications using
real-time XML Key Management Specification lookups.

Finally, the TSIK also includes low-level resources for directly
manipulating XML, building data types, navigating through document
structures, validating the format of schemas and interfacing with parsers.


VeriSign said its open source Java libraries will be available at Sourceforge.net later in December,
though it noted those downloading the libraries with the intention of
implementing them as part of a product offering may be subject to licensing
terms set by IBM and Microsoft. The TSIK will be available for download here
.


In related news, VeriSign also announced the general availability of its
Consumer Authentication Service (CAS) Tuesday. CAS is a standard Web
service for online identity verification and management, intended to
provide automated, real-time, 24×7 access to multiple sources of consumer
data and optimized scoring models to allow enterprises to authenticate
buyers.


VeriSign said one of the first customers of the service is eBay.


“Verifying online identities makes a tremendous amount of sense for
companies because it enables them to improve productivity and
cost-efficiency through tried-and-true fraud management technologies,” said
Anil Pereira, executive vice president of enterprise services at VeriSign.
“This is what Web services is all about — providing solutions that
automate complex business processes online so that companies can focus more
attention on their core competencies.”

CAS uses a predefined set of XML standards to connect to an enterprise’s
customer-facing Web application. The authentication data entered by the
consumer is automatically routed using XML and encryption through
VeriSign’s services and checked against a number of data sources to
cross-verify and risk-rank the consumer identity in real time. Verification
of the identity is then automatically reported back to the application and
the consumer using the underlying XML data. The entire transaction is
secured with SSL encryption.

News Around the Web