The World Wide Web Consortium (W3C) has announced the publication of XML Encryption Syntax and Processing and Decryption Transform for XML Signature as W3C Recommendations, signifying a "cross-industry agreement on an XML-based approach for securing XML data in a document. A W3C Recommendation indicates that a specification is stable, contributes to Web interoperability, and has been reviewed by the W3C Membership, who favor its widespread adoption." The Encryption document "specifies a process for encrypting data and representing the result in XML. The data may be arbitrary data (including an XML document), an XML element, or XML element content. The result of encrypting data is an XML Encryption element which contains or references the cipher data." The Decryption Recommendation "specifies an XML Signature 'decryption transform' that enables XML Signature applications to distinguish between those XML Encryption structures that were encrypted before signing (and must not be decrypted) and those that were encrypted after signing (and must be decrypted) for the signature to validate."
Bibliographic information:
XML Encryption Syntax and Processing. W3C Recommendation 10-December-2002. Edited by Donald Eastlake and Joseph Reagle. Authors: Takeshi Imamura, Blair Dillaway, and Ed Simon. Version URL: http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/. Latest Version URL: http://www.w3.org/TR/xmlenc-core/. Previous Version URL: http://www.w3.org/TR/2002/PR-xmlenc-core-20021003/.
Decryption Transform for XML Signature. W3C Recommendation 10-December-2002. Edited by Merlin Hughes, Takeshi Imamura, and Hiroshi Maruyama. Version URL: http://www.w3.org/TR/2002/REC-xmlenc-decrypt-20021210. Latest Version URL: http://www.w3.org/TR/xmlenc-decrypt. Previous Version URL: http://www.w3.org/TR/2002/PR-xmlenc-decrypt-20021003.
From the text of the announcement:
What is Encryption? "Encryption is the process of scrambling information such that it is only readable by intended recipients, after unscrambling. While an encrypted message or file may be accessible to a wide community, such as network intermediaries, it is not meaningful to those intermediaries, or to eavesdroppers who may be watching information packets travel across a network. Encrypted data has been rendered opaque by mathematically encrypting it in a way that makes it unreadable to anyone except those possessing the secret, or 'key' to decrypt it."
What is XML Encryption, and Why Is It Needed? "When exchanging sensitive data (e.g., financial or personal information) over the Internet, senders and receivers require secure communications. Although there are deployed technologies that allow senders and receivers to secure a complete data object or communication session, only W3C XML Signature (together with the new W3C XML Encryption Recommendation) permits users to selectively sign and encrypt portions of XML data. For example, a user of a Web services protocol such as SOAP may want to encrypt the payload part of the XML message but not the information necessary to route the payload to its recipient. Or, an XForms application might require that the payment authorization be digitally signed, and the actual payment method, such as a credit card number, be encrypted. And, of course, XML Encryption can be used to secure complete data objects as well, such as an image or sound file."
The associated "Decryption Transform for XML Signature" Recommendation permits XML Encryption to be combined with XML Signature. One feature of XML Signature is to ensure a document's integrity: to detect whether the document has been altered. However, many applications require the ability to first sign an XML document and then encrypt parts of it, which alters the signed document. The Decryption Transform tells the receiver which encrypted portions of the document to decrypt (and which to leave encrypted, because they were already encrypted when the signature was made), restoring the document to the state in which it was signed before the signature is checked.
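As an added illustration (not code from the Recommendations or from any W3C implementation), the following Python 3.8+ script models the sign-then-encrypt case described above: a Card element is encrypted before signing and listed in Except, the enclosing Payment element is encrypted after signing, and the verifier applies the decryption transform before recomputing the signature. The element layout (xenc:EncryptedData with Type=...#Element, CipherData, CipherValue) follows the Recommendation; the HMAC-based stream cipher and the HMAC "signature" over the canonical form are stdlib stand-ins for the AES/3DES and ds:Signature processing the specifications actually require, the Except list is modelled as a set of Id values, and the document and keys are constructed for the demo.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
ENC_DATA, CIPHER_VALUE = f"{{{XENC}}}EncryptedData", f"{{{XENC}}}CipherValue"
ET.register_namespace("xenc", XENC)

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 CTR keystream: stdlib stand-in for the spec's AES/3DES-CBC, not conforming.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def encrypt_element(parent, elem, key, enc_id):
    """Replace elem with xenc:EncryptedData (Type=...#Element) holding its ciphertext."""
    nonce = os.urandom(16)
    cipher_text = nonce + _xor_stream(key, nonce, ET.tostring(elem))
    enc = ET.Element(ENC_DATA, {"Id": enc_id, "Type": XENC + "Element"})
    ET.SubElement(ET.SubElement(enc, f"{{{XENC}}}CipherData"), CIPHER_VALUE).text = \
        base64.b64encode(cipher_text).decode()
    parent.insert(list(parent).index(elem), enc)
    parent.remove(elem)  # Element.remove matches by identity

def decryption_transform(root, key, excepted):
    """Decrypt each EncryptedData not in Except (a set of Ids); re-scan since plaintext may nest more."""
    changed = True
    while changed:
        changed = False
        for parent in list(root.iter()):
            for enc in [c for c in parent if c.tag == ENC_DATA and c.get("Id") not in excepted]:
                raw = base64.b64decode(enc.find(f".//{CIPHER_VALUE}").text)
                plain = ET.fromstring(_xor_stream(key, raw[:16], raw[16:]))
                parent.insert(list(parent).index(enc), plain)
                parent.remove(enc)
                changed = True
    return root

def sign(root, mac_key):
    # HMAC over the C14N form stands in for ds:Signature/SignatureValue.
    return hmac.new(mac_key, ET.canonicalize(ET.tostring(root)).encode(), hashlib.sha256).hexdigest()

def verify_scenario(apply_transform=True, honour_except=True):
    """Card is encrypted before signing (listed in Except); Payment is encrypted after signing."""
    enc_key, mac_key = b"k" * 32, b"m" * 32  # constructed demo keys
    root = ET.fromstring("<Order><Routing to='acme'/><Payment><Card>4111</Card></Payment></Order>")
    payment = root.find("Payment")
    encrypt_element(payment, payment.find("Card"), enc_key, "card")
    sig = sign(root, mac_key)
    encrypt_element(root, payment, enc_key, "payment")
    if apply_transform:
        decryption_transform(root, enc_key, {"card"} if honour_except else set())
    return hmac.compare_digest(sig, sign(root, mac_key))
```

Verification succeeds only when the transform is applied and the Except list is honoured; skipping the transform leaves Payment encrypted, and ignoring Except decrypts Card, so in both cases the canonical form no longer matches what was signed.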
"XML Encryption is already implemented, with broad support from industry leaders and cryptography experts. Numerous applications and other specifications are already utilizing XML Encryption, as shown in the Implementation and Interoperability Report filed by the W3C XML Encryption Working Group. In particular, Web services specifications that need to secure their payloads will be utilizing this Recommendation. Many companies have stated support and plans to implement XML encryption."
"XML Encryption was developed by the W3C XML Encryption Working Group, consisting of both individuals and the following W3C Members: Baltimore Technologies; BEA Systems; DataPower; IBM; Microsoft; Motorola; University of Siegen; Sun Microsystems; and VeriSign."
Principal references:
- Announcement 2002-12-10: "World Wide Web Consortium Issues XML Encryption and Decryption Transform as W3C Recommendations. Combined with XML Signature, XML Encryption and Decryption Transform Deliver Secure XML Documents."
- Testimonials for XML Encryption and Decryption Transform. From DataPower Technology, IBM, Phaos Technology Corporation, Microsoft Corporation, Sarvega Inc., webMethods Inc., XMLsec Inc., XML Security Library.
- XML Encryption Syntax and Processing. W3C Recommendation 10-December-2002.
- Decryption Transform for XML Signature. W3C Recommendation 10-December-2002.
- W3C XML Encryption Implementation and Interoperability Report. Edited by Joseph Reagle.
- W3C XML Encryption Working Group
- W3C XML Encryption Activity Statement
- XML Encryption Requirements
- W3C XML Encryption Working Group Charter
- Mailing list archives for 'xml-encryption'
- Xenc Patent Disclosures
- The Matrix of W3C specifications
- "XML and Encryption" - Main reference page.
- XML Security - Reference section.