XML Signature as a W3C Recommendation
World Wide Web Consortium Issues XML Signature as a W3C Recommendation
Joint Work With IETF Produces XML-Based Solution for Digital Signatures, Foundation for Secure Web Services
WWW: http://www.w3.org/. February 14, 2002.
The World Wide Web Consortium (W3C) has issued XML-Signature Syntax and Processing (XML Signature) as a W3C Recommendation, representing cross-industry agreement on an XML-based language for digital signatures. A W3C Recommendation indicates that a specification is stable, contributes to Web interoperability, and has been reviewed by the W3C Membership, who favor its widespread adoption.
"XML Signature is a critical foundation on top of which we will be able to build more secure Web services," explained Tim Berners-Lee, W3C Director. "By offering basic data integrity and authentication tools, XML Signature provides new power for applications that enable trusted transactions of all sorts."
Digital Signatures are Essential to Web Services
Digital signatures are created and verified using cryptography, the branch of applied mathematics concerned with transforming messages into seemingly unintelligible forms and then back again. Digital signatures are created by performing an operation on information such that others can confirm both the identity of the signer, and the fidelity of the information. This capability is important to a growing number of XML protocol, publishing and commerce applications.
XML Signature Combines Data Integrity with Extensibility
While there are technologies one can use to sign an XML file, XML Signature brings two additional benefits.
First, XML Signature can be implemented with, and can use, many of the same toolkits one is already using for XML applications. In this way, no additional software is required.
Second, XML Signature can process XML as XML instead of as a single large document. This means multiple users may apply signatures to sections of XML, not simply the whole document.
As more commercial applications are used to send XML documents through a series of intermediaries, the ability to sign sections of a document without invalidating other portions is invaluable, whether for invoices, orders, or applications.
For example, one may sign an XML payload independently of the XML envelope that carries it for a short period. As a result, when you remove, add, or change the protocol envelope, the signature on the payload itself is still valid.
Similarly, XML Signature provides flexibility when a signed XML form is delivered to a user. If the signature were over the full XML form, any change by the user to the default form values would invalidate the original signature. XML Signature permits both the original form and user's entries to be independently signed without invalidating the other.
And of course, while XML Signature is tailored to XML processing, it can be used to sign any data, such as a PNG image.
XML Signature Supports XML Encryption and Key Management
XML Signature serves as the foundation for other ongoing W3C work including XML Encryption, which provides a mechanism to secure parts of XML documents, and XML Key Management, which provides a simple protocol for lightweight XML applications to obtain the key necessary for signature and encryption.
IETF/W3C Brings Together Industry Experts, Public Review
The XML Signature Working Group is the first joint W3C/IETF Working Group, and is the first W3C technical Working Group to operate entirely as a public group. This provided independent developers with a clear window on the XML Signature work in all stages of development, and brought a wide range of implementation experience. XML Signature already enjoys significant support and deployment, as highlighted in the testimonials.
Participants in the joint IETF/W3C Working Group included representatives from organizations that lead research and commercial work in the area of digital signatures and security, including Accelio, Baltimore, Capslock, Citigroup, Corsec, Georgia State University, IAIK TU Graz, IBM, Microsoft, Motorola, Pure Edge, Reuters Health, Signio, Sun Microsystems, University of Siegen, University of Waterloo, VeriSign Inc., and XMLsec.
About the World Wide Web Consortium (W3C)
The W3C was created to lead the Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. It is an international industry consortium jointly run by the MIT Laboratory for Computer Science (MIT LCS) in the USA, the National Institute for Research in Computer Science and Control (INRIA) in France and Keio University in Japan. Services provided by the Consortium include: a repository of information about the World Wide Web for developers and users, and various prototype and sample applications to demonstrate use of new technology. To date, over 500 organizations are Members of the Consortium. For more information see http://www.w3.org/.
Contact
World Wide Web Consortium
North America
Janet Daly
Tel: +1.617.253.5884
Email: janet@w3.org
World Wide Web Consortium
Europe
Marie-Claire Forgue
Tel: +33.492.38.75.94
Email: mcf@w3.org
World Wide Web Consortium
Asia
Saeko Takeuchi
Tel: +81.466.49.1170
Email: saeko@w3.org
Prepared by Robin Cover for The XML Cover Pages archive. See "XML Digital Signature (Signed XML - IETF/W3C)."