The SSJC is chartered by OASIS to provide a forum to pull together security standards developed and proposed under OASIS. Under the democratic processes of OASIS, we are trying to pull together consistency across the security-related standards being worked on right now. We are trying to head off at the pass confusion and questions and how all the standards fit together. It's also a forum for the chairs of SAML (Security Assertion Markup Language), XACML (Extensible Access Control Markup Language), the Provisioning Services Technical Committee, the Common Biometric Format Technical Committee and the new rights language technical committee.
What we saw happening was a need to pull together a degree of consistency and provide a common point for people to come to us with questions about how all the standards fit together and how they fit for them. It will be a forum for common terms and a glossary of standards. You continue to use the word consistency. Is it possible that these technical committees are operating as their own island?
The technical committees potentially are on their own island. You see some of the same group of people who are members of the (vendor-led) WSI (Web Services Initiative) and (standards-based) W3C (World Wide Web Consortium) and OASIS. It may surprise you to note that yes, individual committees can and do have different terms within different specifications. There is a potential for overlap and confusion. There is also the potential they will run off and do their own thing. It's important to note that the SSJC does not control other contributing technical committees. It's very advisory. The chair of SAML, etc. are attending and contributing members of the SSJC. Will this committee eliminate potential bureaucracy that might hinder the evolution of Web services?
We don't have any authority over the other technical committees. Our purpose is to provide a type of academic abstract that could be useful across the board so that the technical committees understand how we are talking about things. How important is it to include all of OASIS' specification committees?
Taking a look at some of the committees: The Provisioning Standards TC defines standards for Web services provisioning and how one standardizes identity management and defines XML-based standards for integrating with identity management systems. We are trying to standardize self-service and subscription management to Web services and integrate it as part of a Web services infrastructure. It's a key part of how you provision identities across Web services; SAML focuses on the exchange of security information. It only comes to reason that we integrate across the technical committees so that there are consistencies. Has the committee met?
Our first meeting is June 13 when we will ratify our charter. Do you have a vision for what this committee might accomplish six months or a year down the road?
Depends on the charter. Until our first official meeting, we can't actually decide anything. But we are in agreement that down the line we'd like to see a common glossary. As an architectural person, I'd like to see standards as an abstract block diagram that every piece of technology has, kind of like a stack-based approach. I see us having these architectural diagrams, a common glossary. I see us having lots of things that help the technical committees complete their work. And recognize how to understand specifications and efforts that have come before. I hope we are able to foster a great deal of cooperation between the W3C, WSS and WSI. Hindsight being 20-20, doesn't it stand to reason that this type of body should have preceded the technical committees?
It's something we could not have envisioned at that time. It's a timing thing, really. At one time, the Security Services Technical Committee (SSTC) was the only security-related activity under OASIS. The problem is that there are so many XML standards, to standardize the market, you have to determine how does one overlap with industry-led efforts versus standards-led efforts. The vendors market has the incentive to move faster. There's a lifecycle for standards. The technical committees have to come together before we could pull together the SSJC.
Dig Deeper on Web Application Security