OASIS drafts standard for Web services security
- By Jason Miller
- Nov 21, 2003
The Organization for the Advancement of Structured Information Standards of Billerica, Mass., has finished a draft security standard for Web services connecting disparate systems.
Hal Lockhart, principal security engineer at BEA Systems Inc. of San Jose, Calif., said the OASIS membership could vote next month on the draft, which was released in October for public comment.
Lockhart spoke yesterday at the Enterprise Architecture Boot Camp sponsored by the Interoperability Clearinghouse of Alexandria, Va.
The standard covers functions as well as technologies. The functions include digital signatures, authentication and encryption. The underlying technologies include user names, passwords, X.509 tokens for public-key infrastructures and Simple Object Access Protocol Message Security.
Lockhart said three or four other technologies are under consideration for Web services security, including the Security Assertion Markup Language (SAML) and the Kerberos network authentication protocol.
SAML defines a syntax for assertions, such as a user's job title or security clearance.
Kerberos provides strong authentication for client-server applications via secret-key cryptography.
'We are well on track to have a standard,' Lockhart said.(Link to the documents)