Microsoft, others offer XML-based encryption scheme
MICROSOFT, VERISIGN, AND webMethods on Wednesday introduced a security specification that works to simplify the integration of PKI (public key infrastructure) and digital certificates with XML applications.
The three companies have released the specification, dubbed XKMS (XML Key Management Specification), and will submit it to the appropriate Web standards bodies for consideration as an open Internet standard, the companies said in a statement.
Without XKMS, applications are required to understand the guts of the PKI architecture, which works fine if the applications are PKI-aware, according to John Pescatore, research director for Internet security at Gartner Group in Stamford, Conn. But for applications that are not PKI-aware, such as a variety of forms applications, databases, and transaction processing, XML is a way to avoid having to work with PKI.
"Most applications now are moving to use XML anyway, and with XKMS they won't have to understand PKI," Pescatore added.
Pescatore maintains that XKMS won't chase away PKI-related standards such as PKIX, the combination of PKI and X.509 certificate standards, anytime soon, though.
"XKMS will still be an alternative to PKIX because with XML, users have to agree on schemas, and different trading communities will use different schemas," he said.
Unlike PKI, XKMS is designed to let developers integrate authentication, digital signature, and encryption services -- such as certificate processing and revocation status-checking -- in Web-based applications. This will allow developers to avoid using proprietary software toolkits from PKI software vendors, according to the companies.
The specification works with trust functions residing on servers, accessible via programmed XML transactions. XKMS is compatible with standards for WSDL (Web Services Description Language) and SOAP (Simple Object Access Protocol).
Basing the specification on XML and SOAP inserts security at the language level.
"At the level of XML, you have to have all of the things associated with security processing," said Frank Prince, a senior analyst at Forrester Research in Cambridge, Mass. "A key management system should be built at that level."
Redmond Wash.-based Microsoft, for its part, said that it will build XKMS into the Microsoft.NET architecture for both business-to-business and business-to-consumer environments.
Forrester's Prince said that the specification is only part of an overall solution, the parts of which need to be secure in order for the whole to be secure.
"There are a lot of other things that have to happen at a lot of different levels to ensure secure transactions," he continued.
Analysts said that XKMS probably won't garner much attention from standards bodies until the fourth quarter of next year.
The specification for XKMS and a white paper can be viewed at www.verisign.com/developer/xml/.