VeriSign Opens its Trust Gateway

SAN FRANCISCO — Digital security company VeriSign Monday launched its new Trust Gateway platform to help with the need to rollout secure Web services .

The Mountain View, Calif.-based firm best known for its domain registrar business said the framework simplifies application security by eliminating the need for developers to write security code into each and every application.

Instead, the VeriSign Trust Gateway performs XML security operations on behalf of the applications, based on policies set by enterprise administrators. The idea, says VeriSign is to provide a central system for managing complex operations across multiple platforms.

“Until recently, the deployment of Web services security had been a developer’s task, in which separate security mechanisms had to be written into each application one-at-a-time,” VeriSign executive vice president and general manager Judy Lin. “The VeriSign Trust Gateway makes it possible to offload this time-consuming, costly and inefficient task to a dedicated solution, greatly simplifying security policy, deployment and management operations.”

The Trust Gateway framework includes two components: an on-premise software module that enables control of application security through configuration rather than coding, and a service component for simplifying digital certificate provisioning, message signing and encryption.

An early access version of the VeriSign Trust Gateway is available for evaluation. The platform is expected to be generally available by June 2003. VeriSign said pricing is subscription based and depends upon the complexity and extent of the implementation.

The platform is based upon the Web Services Security (WS-S) specification, which it co-developed with Microsoft and IBM . WS-Security defines a set of SOAP extensions which can be used to implement integrity and confidentiality in Web services applications, laying the groundwork for higher-level facilities like federation, policy and trust.

Through a browser-based console, VeriSign said administrators will be able to consolidate their view of their enterprise application security posture at any given moment in time.

In a related announcement, VeriSign launched its Enterprise Partner Program, an interoperability testing and co-marketing program to help integrated hardware and software vendors (ISVs and IHVs), systems integrators (SIs) and value added resellers (VARS) stay on the same page.

IBM, Aladdin, Chrysalis-ITS, Confluent, Evincible & nCipher are among the first partners to validate products based on the Trust Gateway platform.

“The program is designed to help our partners drive down integration costs for their customers, creating many new business, sales and marketing opportunities along the way,” VeriSign security division senior vice president Ben Golub said in a statement.

Products being tested must successfully pass all mandatory test categories specified for their product category. The scope of the product test is determined based on the claimed functionality of the product. The certification results are submitted to VeriSign, which then get a seal of interoperability

VeriSign says partners must be enrolled as a VeriSign Enterprise Technology Partner to be permitted to qualify for the interoperability certification program.

The Trust Gateway launch is just one of several announcements impacting Web services security at the RSA Security conference here this week.

The Liberty Alliance Friday submitted the first phase of its Identity Federation Framework (ID-FF) for use in future version of the SAML authentication language.

The Information Security Systems Association (ISSA) is also expected to announce it will take over the Generally Accepted Information Security Principles (GAISP) specification. The former Generally Accepted System Security Principles (GASSP) standard was authored in response to a 1990 U.S. National Research Council report, “Computers at Risk.”

News Around the Web