Standards: Your Best Friend in the New Millennium
Your day has started; you sit down to use a new piece of software, and you find that it doesn’t function as it should. The problem may be in the product itself, or in the way it communicates with other software and hardware products.
As a customer, or as a reseller, you want to be able to expect that a new product functions as advertised. When everything works beautifully, you can thank the industry standards that were developed, and the experts who contributed to their development.
It is the explicit task of standards to ensure that materials, products, processes and services are fit for their purpose. Standards are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics.
What is a standards body?
A standards body is a group of experts in a given field that makes decisions about how growing technologies can tailor their new products to meet:
a) standards of excellence held by a particular industry;
b) standards of development that help ensure interoperability with other products.
The implicit task of standards bodies is to identify and resolve, early on, those interoperability issues that have the potential to thwart any area of e-commerce.
Within each standards body are technical committees and task forces. It is their job to ensure that requirements of functionality and interoperability are met for their particular industry. The members of these committees are keenly aware that the future of individual products, as well as of entire industries, can well depend on how well they do their job. Standards bodies are independent organizations, but they can include any number of experts from academia, government, or private firms in business or technology.
One widely recognized standards body is the World Wide Web Consortium (W3C), which has long developed interoperable technologies (specifications, guidelines, software, and tools) to lead the Web to its full potential as a forum for information, commerce, communication, and collective understanding. For more information, visit www.w3c.org.
Complexity and Interoperability
One of the most complex issues facing new e-commerce solutions is interoperability. In the old days, it was a major achievement to make sure that your PC and your printer were talking to each other.
These days, software developers must ascertain early in the development process whether their products will work well with other products on the market, and if not, they must specify to the consumer exactly which versions of other products are needed in order for the product to work.
Once a product is on the market, vendors may find that products once intended to work together do not, in fact, do so. This may be due to myriad reasons, including the product’s high level of complexity or the rapid pace of deployment of new products and new versions.
Standards, Interoperability and PKI
One example of a standard essential for secure e-commerce is the Advanced Encryption Standard (AES), which is expected to be approved in April by the National Institute of Standards and Technology (NIST). NIST is an agency of the U.S. Department of Commerce’s Technology Administration that works with industry to develop and apply technology, measurements, and standards (see GS issue 01:01:02). Approval of the AES, which is widely used in government as well as in financial services, will come from this governmental agency, which culled the best and the brightest experts worldwide to develop the standard.
The AES is only one part of a Public Key Infrastructure (PKI), which has many parts, all of which must function well together. And PKI systems, highly complex in and of themselves, must be interoperable with other e-commerce applications. It is the job of various standards bodies to review the technology behind each part of PKI systems as it is developed, to ensure that each part will work well within the PKI, as well as with other e-commerce applications.
Establishing a Single Standard for E-Commerce Security
Another standards body hard at work for e-commerce is the Organization for the Advancement of Structured Information Standards (OASIS). OASIS is a global interoperability consortium, which serves as the home for industry groups and organizations interested in developing eXtensible Markup Language (XML) specifications. The mission of OASIS is, in part, to identify and resolve interoperability issues.
According to Jon Bosak, of Sun Microsystems, XML is a programming language that was produced by a group of markup language experts and endorsed by the W3C, to enable the exchange of structured data on the Internet. It is designed to be easy to implement, so that independent vendors can provide XML support via homegrown applications or as plug-ins or downloadable applets into existing HTML browsers.
In January, organizations supporting divergent security standards united in an effort to develop a common XML specification through the OASIS Security Services Technical Committee. OASIS hosted the first meeting of its new technical committee, which will define an XML framework for exchanging authentication and authorization information.
The task of the new committee is, in part, to shape the future of the Security Services Markup Language (S2ML), the first industry standard for enabling secure e-commerce transactions through XML. S2ML was developed to provide a common language for the sharing of security services between companies engaged in B2B and B2C business transactions.
S2ML allows companies to securely exchange authentication, authorization, and profile information between their customers, partners, or suppliers regardless of the security systems or e-commerce platforms that they have in place today. As a result, S2ML promotes interoperability between disparate security systems, providing a framework for secure e-business transactions across company boundaries.
The S2ML specification does not define any new technology or approaches for authentication or authorization. Rather, it simply defines a common language for describing the information or outputs generated by these systems in XML.
Toward a Secure Internet
“The goal of S2ML is to create an open industry standard that will enable secure inter-site e-business transactions,” said Barry Bycoff, chairman and CEO of Netegrity. “We are pleased to see such widespread support for this initiative from both the vendor and end user communities. We’re looking forward to working with all interested companies as part of OASIS to provide an industry-wide standard for secure e-commerce.”
“Currently, it is difficult to ensure the absolute security of Internet transactions across companies. Businesses need a universal method to assure that only users with proper authorization access and execute transactions,” explained Karl Best, director of technical operations at OASIS. “OASIS has taken on this development effort to produce a standard, open framework that will enable secure interoperability across company boundaries and heterogeneous platforms.”
Christian Byrnes, vice president of security strategy at META Group, said, “Almost all e-commerce involves multiple business partners at some level. The lack of security standards has resulted in difficult, complex, and insecure implementations. A successful standard for integrating security across business partners will make e-commerce faster and less expensive to deploy and more secure at the same time.”
Record Numbers of Companies Join Forces
The axiom that “Necessity is the mother of invention” still holds in high technology. It often happens that technical wizards within numerous companies will reach a new level of expertise simultaneously, and thus compete for their particular product to become the industry standard.
In this case, Netegrity first initiated the drive for the best security solution with S2ML, backed by more than 200 companies, but Securant Technologies also proposed its AuthXML program, with the support of 70 companies. Some of these companies support both. Thus, the new technical committee within OASIS, originally formed to complete the S2ML security standard, accepted submissions of other relevant technologies, including AuthXML.
“Our goal is to work together to advance a common security standard,” said Eve Maler of Sun Microsystems, chair of the OASIS Security Services Technical Committee. “Everyone agrees that consensus is critical. Through its open technical process, OASIS provides the safe environment necessary for real collaboration.”
“The result of our work at OASIS will be a single security services standard that will be widely accepted in the industry,” predicted Marc Chanliau of Netegrity. “We brought S2ML to OASIS with that objective in mind, and we’re confident that the technical committee has the critical mass to achieve our goal.”
“Supporters of AuthXML welcome the opportunity to work within OASIS for the good of true interoperability and the XML community at large,” commented Eric Olden of Securant Technologies. “By channeling the momentum of AuthXML into the committee, we look forward to advancing the development of a common, unified standard.”
The OASIS Security Services Technical Committee includes representatives from Baltimore Technologies, Cisco, Commerce One, DataChannel, Entegrity, Entrust, Hewlett-Packard, IBM, Jamcracker, Netegrity, Oblix, OpenNetwork, Securant, SilverStream, Sun Microsystems, Tivoli, VeriSign, Vordel and WebMethods. Membership is expected to increase in the coming months.
“Interest in advancing this work is extremely high,” said Karl Best, director of technical operations for OASIS. He added that record numbers of companies and individuals have joined the consortium specifically to participate in developing a common security standard.
The technical committee plans to publish draft specifications by June 2001, and submit a formal specification to the OASIS membership by September 2001. Norbert Mikula of DataChannel, member of the OASIS Board of Directors and chair of its technical advisory committee, characterized the development schedule as “very aggressive.” He advised, “Any organization affected by the issue of security should get involved now.”
OASIS is an international, not-for-profit consortium that advances electronic business by promoting open, collaborative development of interoperability specifications. OASIS operates XML.ORG, the non-commercial portal that delivers information on the use of XML in industry. For more information, visit www.oasis-open.org.
Netegrity is a global e-business infrastructure company that provides solutions for securely managing and personalizing business-to-business, business-to-consumer, and intranet portals. For more information, visit www.netegrity.com.
Securant Technologies, the access management company that secures e-Business, is a leading developer of Internet software that provides a secure infrastructure for controlling user access to Web-based resources including applications, content and transactions. For more information, visit www.securant.com.