S2ML: a security standard for e-business

2001-12-29 12:52:49 Author: 畅享网
Keywords: theoretical discussion, collaborative commerce


The aim of S2ML is to provide a standard for secure e-commerce transactions using XML.

As e-business expands from companies focusing on their own products and services and dealing with consumers to more business-to-business dealings, the need for increased security becomes apparent. Most security models are designed for a single enterprise, which makes it difficult for collaborating companies to ensure transactions are secure across companies.

A new open security standard called Security Services Markup Language (S2ML) is being developed to address this interoperability problem. A group of leading technology companies, including Oracle, Netegrity, Verisign, Sun Microsystems, and PricewaterhouseCoopers, have worked on S2ML. Their aim was to create the first standard for enabling secure e-commerce transactions using extensible markup language (XML).

XML

S2ML consists of two XML schemas, name assertion and entitlement, as well as an XML-based request/response protocol for authentication and authorization.

    Name assertions
    In the S2ML model, when a customer, partner, or supplier is authenticated, a name assertion is created. Such assertions describe the type of authentication, who the authenticator is, and who is being authenticated.

    Entitlements
    Information on authentication, authorization, and profile is carried in collections of data called entitlements. An issuing authority inserts these entitlements.

Benefits

The proposed standard has various features to facilitate the smooth flow of business across web sites.

    Interoperability
    When service providers and companies of any size use S2ML for e-business, they can exchange authentication and authorization information securely even when partners have different security platforms.

    Open solution
    A number of XML document exchange protocols and frameworks can be used with S2ML, including SOAP, OAG, MIME, Biztalk, and ebXML.

    Single sign-on
    Partnered companies using S2ML enable their users to travel across sites keeping their entitlements, without having to sign on at every stop.

B2B and B2C environments

The S2ML standard offers features for business-to-business (B2B) as well as business-to-consumer (B2C) transactions.

For B2B, with its business transactions across multiple web sites, there's the "portability" of security in XML documents. Basically, S2ML provides standard security tags for XML documents, which can be based on any agreed-upon vocabulary for secure B2B transactions.



Users of B2C sites often want to quickly jump to related sites and information without having to log on each time. S2ML's method of allowing users' security information to "travel" with them across multiple sites fills the need for single sign-on and access control.

While it isn't a new authentication or authorization solution, S2ML will give companies a new common language for describing security information and sharing it with multiple business partners. With the continuing growth of e-business and the increasing frequency of online collaborations, the creation of such a security standard is vital. The S2ML specification must now go to the World Wide Web Consortium (W3C) and the Organization for the Advancement of Structured Information Standards (OASIS) for consideration.

For more information on the proposed standard, go to the S2ML site.
