The IETF/W3C XML Signature Working Group has produced a 'final' specification for XML Signature, and has issued XML-Signature Syntax and Processing as a W3C Recommendation. XML digital signatures "provide integrity, message authentication, and signer authentication services." The accompanying Interoperability Report identifies at least ten (10) implementations, with at least two interoperable implementations over every feature. The Recommendation "specifies XML syntax and processing rules for creating and representing digital signatures. XML Signatures can be applied to any digital content (data object), including XML. An XML Signature may be applied to the content of one or more resources. Enveloped or enveloping signatures are over data within the same XML document as the signature; detached signatures are over data external to the signature element. More specifically, this specification defines an XML signature element type and an XML signature application; conformance requirements for each are specified by way of schema definitions and prose respectively. This specification also includes other useful types that identify methods for referencing collections of resources, algorithms, and keying and management information."
From the announcement:
Digital signatures are created and verified using cryptography, the branch of applied mathematics concerned with transforming messages into seemingly unintelligible forms and then back again. Digital signatures are created by performing an operation on information such that others can confirm both the identity of the signer, and the fidelity of the information. This capability is important to a growing number of XML protocol, publishing and commerce applications.
While there are technologies one can use to sign an XML file, XML Signature brings two additional benefits. First, XML Signature can be implemented with and use many of the same toolkits one is using for XML applications. In this way, no additional software is required. Second, XML Signature can process XML as XML instead of a single large document. This means multiple users may apply signatures to sections of XML, not simply the whole document. As more commercial applications are used to send XML documents through a series of intermediaries, the ability to sign sections of a document without invalidating other portions is invaluable, whether for invoices, orders, or applications. For example, one may independently sign an XML payload from the XML envelope that carries it for a short period. As a result, when you remove, add or change the protocol envelope the signature on the payload itself is still valid. Similarly, XML Signature provides flexibility when a signed XML form is delivered to a user. If the signature were over the full XML form, any change by the user to the default form values would invalidate the original signature. XML Signature permits both the original form and user's entries to be independently signed without invalidating the other.
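The payload-versus-envelope case described above, together with the detached, same-document Reference model from the Recommendation's abstract, as an added example; this is not code from the specification or from any of the listed implementations. It builds a detached ds:Signature whose single Reference points at a payload element by Id, then verifies it in the spec's two steps: reference validation (canonicalize, digest, compare) followed by signature validation over the canonicalized SignedInfo. For a stand-alone run it uses Python's standard-library C14N 2.0 canonicalizer and HMAC-SHA256 instead of the Canonical XML 1.0 and RSA/DSA algorithms the 2002 Recommendation requires, so the C14N algorithm identifier is an assumption, and the sample envelope and shared key are constructed.

```python
"""Toy detached XML Signature over an Id-referenced payload element.

Added example, not code from the W3C/IETF XML Signature specification.
It follows the Recommendation's two-step core validation (reference
validation, then signature validation) but substitutes stdlib C14N 2.0 and
HMAC-SHA256 for a full XMLDSIG implementation."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N_ALG = "http://www.w3.org/2010/10/xml-c14n2"  # assumed identifier for C14N 2.0
HMAC_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # RFC 4051
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DSIG_NS)  # stable prefix when serializing

# Constructed sample: a protocol envelope carrying a payload that has an Id.
ENVELOPE = (
    "<Envelope><Header><Route>hop-1</Route></Header>"
    '<Body><Order Id="order-1"><Item>widget</Item><Qty>3</Qty></Order></Body>'
    "</Envelope>"
)
KEY = b"constructed-shared-secret"  # constructed; HMAC needs a shared key


def c14n(elem):
    """Canonical form of one element, so equivalent serializations digest alike."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"))


def find_by_id(root, ref_id):
    """Dereference a same-document URI '#ref_id' to the element carrying that Id."""
    for el in root.iter():
        if el.get("Id") == ref_id:
            return el
    raise KeyError(ref_id)


def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_signature(root, ref_id, key):
    """Return a detached <ds:Signature> element over the element with Id=ref_id."""
    digest_value = b64_sha256(c14n(find_by_id(root, ref_id)).encode())
    signed_info = ET.fromstring(
        f'<SignedInfo xmlns="{DSIG_NS}">'
        f'<CanonicalizationMethod Algorithm="{C14N_ALG}"/>'
        f'<SignatureMethod Algorithm="{HMAC_ALG}"/>'
        f'<Reference URI="#{ref_id}"><DigestMethod Algorithm="{DIGEST_ALG}"/>'
        f"<DigestValue>{digest_value}</DigestValue></Reference></SignedInfo>"
    )
    # The MAC covers the canonicalized SignedInfo, which carries the digest
    # of the data; the data itself is only bound through that digest.
    mac = hmac.new(key, c14n(signed_info).encode(), hashlib.sha256).digest()
    sig = ET.Element(f"{{{DSIG_NS}}}Signature")
    sig.append(signed_info)
    ET.SubElement(sig, f"{{{DSIG_NS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return sig


def sign_document(xml_text, ref_id, key):
    """Sign only the payload; the signature sits beside it inside the envelope."""
    root = ET.fromstring(xml_text)
    root.append(build_signature(root, ref_id, key))
    return ET.tostring(root, encoding="unicode")


def verify(xml_text, key):
    """Core validation. Returns the list of validated elements, or None on failure."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{{{DSIG_NS}}}Signature")
    signed_info = None if sig is None else sig.find(f"{{{DSIG_NS}}}SignedInfo")
    if signed_info is None:
        return None
    # Step 1, reference validation: recompute each referenced element's digest.
    validated = []
    for ref in signed_info.findall(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return None  # this toy handles same-document references only
        try:
            target = find_by_id(root, uri[1:])
        except KeyError:
            return None
        expected = ref.findtext(f"{{{DSIG_NS}}}DigestValue", "")
        if not hmac.compare_digest(expected, b64_sha256(c14n(target).encode())):
            return None
        validated.append(target)
    if not validated:
        return None
    # Step 2, signature validation: HMAC over the canonicalized SignedInfo.
    mac = hmac.new(key, c14n(signed_info).encode(), hashlib.sha256).digest()
    try:
        given = base64.b64decode(sig.findtext(f"{{{DSIG_NS}}}SignatureValue", ""))
    except ValueError:
        return None
    return validated if hmac.compare_digest(mac, given) else None


def demo():
    """Envelope edits keep the payload signature valid; payload edits break it."""
    signed = sign_document(ENVELOPE, "order-1", KEY)
    rerouted = signed.replace("hop-1", "hop-2")  # intermediary rewrites the header
    tampered = signed.replace("<Qty>3</Qty>", "<Qty>30</Qty>")  # payload changed
    return (verify(signed, KEY) is not None,
            verify(rerouted, KEY) is not None,
            verify(tampered, KEY) is not None)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Rewriting the envelope header leaves the Reference digest and the MAC intact, while changing Qty fails reference validation before the MAC is even checked. One design point worth keeping in a real verifier: verify returns the elements that were actually validated, and the application should act on those objects rather than locating the payload again by name, because an Id-based Reference attests only the element it resolved to.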
IETF/W3C XML Signature Working Group mission: "The mission of this working group is to develop an XML compliant syntax used for representing the signature of Web resources and portions of protocol messages (anything referencable by a URI) and procedures for computing and verifying such signatures. This is a joint Working Group of the IETF and W3C. W3C is hosting the email list and WG site publicly in accordance with IETF procedure. Please see the Charter for further information on the constitution of this WG. This WG does not address broader XML security issues including XML encryption and authorization."
Bibliographic information: XML-Signature Syntax and Processing. W3C Recommendation 12-February-2002. Edited by Donald Eastlake, Joseph Reagle, and David Solo. [Major authorship contributions:] Mark Bartel, John Boyer, Barb Fox, Brian LaMacchia, and Ed Simon. Version URL: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/. IETF: http://www.ietf.org/rfc/rfcXXXX [tbd]. Latest version URL: http://www.w3.org/TR/xmldsig-core/. Previous version URLs: http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/. http://www.ietf.org/rfc/rfc3075.txt [corresponds to CR-xmldsig-core-20001031].
Principal references:
- XML-Signature Syntax and Processing (XML Signature)
- Announcement 2002-02-14: "World Wide Web Consortium Issues XML Signature as a W3C Recommendation. Joint Work With IETF Produces XML-Based Solution for Digital Signatures, Foundation for Secure Web Services." [source]
- Testimonials for XML Signature Recommendation. From Baltimore Technologies, Capslock, IBM, Lexign, Microsoft Corporation, Phaos Technology Corp., PureEdge Solutions Inc., University of Siegen, Sterling Commerce, Sun Microsystems, Vordel, and XMLsec Inc.
- XML-Signature Interoperability Report
- XML Signature Working Group
- XML Digital Signatures Activity Statement
- Mailing list archives for 'xml-encryption'
- "XML Digital Signature (Signed XML - IETF/W3C)" - Main reference page.