10 October 2002 New web services security proposals recently released by the Worldwide Web Consortium (W3C), the Internet standards body, have been hailed as an important step forward by industry analysts Gartner.

The W3C last week outlined its proposed specifications for the encryption of XML data and documents – building blocks for the development of future security standards. The proposed standards mandate the use of XML Encryption Syntax and Processing (XML-Enc) and Decryption Transform for XML Signature (XML-DSig).

“The proposed standards represent an important step towards the ability to perform complex XML-based transactions securely,” said Gartner analysts Ray Wagner and John Pescatore in a new research note.

“XML-DSig and XML-Enc make it possible to sign and encrypt elements of XML messages at a higher granular level, a key element in developing an environment in which integrated applications implement workflows across multiple enterprises via secure web services,” they said. But they also warned that “serious challenges” to web services security remain.

“The W3C’s proposed standards assume that keys or digital certificates, and the infrastructure to manage them, already exist. The failure of public key infrastructure to achieve significant market penetration means that enterprises typically lack the necessary capabilities to make effective use of web service platforms that apply the new standards.”

The analysts advised businesses to invest in public key infrastructure (PKI) encryption software as a necessary first step to implementing secure web services, as embodied in the XML-DSig and XML-Enc standards from the W3C.

Sales of PKI software have so far been disappointing, with users put off by the cost and complexity of implementing and running such systems. Vendors of PKI software, such as Baltimore Technologies and RSA Security, will no doubt be hoping that web services will serve as the catalyst for a PKI sales boom.