The W3C XML Encryption Working Group has published an updated XML Encryption Requirements document and has approved the release of XML Encryption Syntax and Processing and Decryption Transform for XML Signature as Candidate Recommendation specifications. The working group expects to meet the exit criteria for the two CRs, but solicits additional feedback (until April 25, 2002) based upon implementation experience. The requirements specification outlines "the design principles, scope, and requirements for XML Encryption; it includes requirements as they relate to the encryption syntax, data model, format, cryptographic processing, and external requirements and coordination."
The core specification for XML Encryption Syntax and Processing defines "a process for encrypting data and representing the result in XML. The data may be arbitrary data (including an XML document), an XML element, or XML element content. The result of encrypting data is an XML Encryption EncryptedData element which contains (via one of its children's content) or identifies (via a URI reference) the cipher data. When encrypting an XML element or element content the EncryptedData element replaces the element or content (respectively) in the encrypted version of the XML document. When encrypting arbitrary data (including entire XML documents), the EncryptedData element may become the root of a new XML document or become a child element in an application-chosen XML document."
The Decryption Transform document "specifies an XML Signature 'decryption transform' that enables XML Signature applications to distinguish between those XML Encryption structures that were encrypted before signing (and must not be decrypted) and those that were encrypted after signing (and must be decrypted) for the signature to validate."
Candidate Recommendation phase exit criteria. For the XML Encryption Syntax and Processing CR, the exit criteria are "at least two interoperable implementations over every feature, one implementation of all features, and one report of satisfaction in an application context (e.g. SOAP, SAML, etc.)... Specific areas where [the WG] would appreciate further experience are: (1) Do implementations achieve satisfactory performance? (2) Does the specification satisfy application scenario requirements for encrypting portions of XML, particularly as they relate to document validity?"
For the Decryption Transform for XML Signature CR, the exit criteria are "at least two interoperable implementations of this transform with acceptable performance. The interoperability of this specification will be demonstrated as an algorithm in the XML Encryption Syntax and Processing Interoperability Report. Specific areas where [the WG] would appreciate further experience are: (1) Do implementations achieve satisfactory performance? (2) Does the specification satisfy application scenario requirements for encrypting and signing portions of XML?"
Bibliographic information:
- XML Encryption Requirements. W3C Note 04-March-2002. Version URL: http://www.w3.org/TR/2002/NOTE-xml-encryption-req-20020304. Latest version URL: http://www.w3.org/TR/xml-encryption-req. Previous version URL: http://www.w3.org/TR/2001/WD-xml-encryption-req-20011018. Edited by Joseph Reagle.
- XML Encryption Syntax and Processing. W3C Candidate Recommendation 04-March-2002. Edited by Donald Eastlake and Joseph Reagle. Principal authors: Takeshi Imamura, Blair Dillaway, and Ed Simon. Version URL: http://www.w3.org/TR/2002/CR-xmlenc-core-20020304/. Latest version URL: http://www.w3.org/TR/xmlenc-core/. Previous version URL: http://www.w3.org/TR/2001/WD-xmlenc-core-20011018/.
- Decryption Transform for XML Signature. W3C Candidate Recommendation 04-March-2002. Edited by Takeshi Imamura and Hiroshi Maruyama. Version URL: http://www.w3.org/TR/2002/CR-xmlenc-decrypt-20020304. Latest version URL: http://www.w3.org/TR/xmlenc-decrypt. Previous version URL: http://www.w3.org/TR/2001/WD-xmlenc-decrypt-20011018.
From the W3C XML Encryption Activity Statement: "Encryption renders data (plain-text) confidential (cipher-text) such that it can be safely stored or transmitted and only the intended recipients can restore the data to its original form. This feature is important given that many applications are using the Internet to exchange sensitive information such as payment and purchase orders. In view of recent Web technology developments, the work of the XML Encryption Activity is to specify XML encryption syntax and processing for encrypting XML in whole or part (e.g., element). This can then be used by XML applications, such as XML Protocol..."
Principal references:
- XML Encryption Requirements
- XML Encryption Syntax and Processing
- Decryption Transform for XML Signature
- XML Encryption Implementation and Interoperability Report
- W3C XML Encryption Working Group
- XML Encryption Activity Statement
- W3C XML Encryption Working Group Charter
- Mailing list archives for 'xml-encryption'
- "XML and Encryption" - Main reference page.