World Wide Web Consortium Issues XML Signature as a W3C Recommendation

Joint work with IETF produces XML-based solution for digital signatures, foundation for Secure Web services

The World Wide Web Consortium (W3C) has issued XML-Signature Syntax and Processing (XML Signature) as a W3C Recommendation, representing cross-industry agreement on an XML-based language for digital signatures. A W3C Recommendation indicates that a specification is stable, contributes to Web interoperability, and has been reviewed by the W3C Membership, who favor its widespread
adoption.

“XML Signature is a critical foundation on top of which we will be able to built more secure Web services,” explained Tim Berners-Lee, W3C Director. “By offering basic data integrity and authentication tools, XML Signature provides new power for applications that enable trusted transactions of all sorts.”

Digital Signatures are Essential to Web Services

Digital signatures are created and verified using cryptography, the branch of applied mathematics concerned with transforming messages into seemingly unintelligible forms and then back again. Digital signatures are created by performing an operation on information such that others can confirm both the identity of the signer, and the fidelity of the information. This capability is important to a growing number of XML protocol, publishing and commerce applications.

XML Signature Combines Data Integrity with Extensibility

While there are technologies one can use to sign an XML file, XML Signature brings two additional benefits.

First, XML Signature can be implemented with and use many of the same toolkits one is using for XML applications.

Second, XML Signature can process XML as XML instead of a single large document. This means multiple users may apply signatures to sections of XML, not simply the whole document.

As more commercial applications are used to send XML documents through a series of intermediaries, the ability to sign sections of a document without invalidating other portions is invaluable, whether for invoices, orders, or applications.

One may independently sign an XML payload from the XML envelope that carries it for a short period. As a result, when you remove, add or change the protocol envelope the signature on the payload itself is still valid.

Similarly, XML Signature provides flexibility when a signed XML form is delivered to a user. If the signature were over the full XML form, any change by the user to the default form values would invalidate the original signature. XML Signature permits both the original form and user`s entries to be independently signed without invalidating the other.

And of course, while XML Signature is tailored to XML processing, it can be used to sign any data, such as a PNG image.

XML Signature Supports XML Encryption and Key Management

XML Signature serves as the foundation for other ongoing W3C work including XML Encryption, which provides a mechanism to secure parts of XML documents, and XML Key Management, which provides a simple protocol for lightweight XML applications to obtain the key necessary for signature and encryption.

IETF/W3C Brings Together Industry Experts; Public Review

The XML Signature Working Group is the first joint W3C/IETF Working Group, and is the first W3C technical Working Group to operate entirely as a public group. This provided independent developers with a clear window on the XML Signature work in all stages of development, and brought a wide range of implementation experience. XML Signature already enjoys significant support and deployment, as highlighted in the testimonials.

Participants in the joint IETF/W3C Working Group included representatives from organizations whose lead research and commercial work in the area of digital signatures and security, including Accelio, Baltimore, Capslock, Citigroup, Corsec, Georgia State University, IAIK TU Graz, IBM, Microsoft, Motorola, Pure Edge, Reuters Health, Signio, Sun Microsystems, University of Siegen, University of Waterloo, VeriSign Inc., and XMLsec.