WWW8: XML-DSig

Report on W3C signed-XML99 Workshop

I am going to use the next 15 minutes to briefly review the results of the W3C XML-DSig.

Long standing interest in signatures as applied to "metadata", particularly XML.
IETF convened BoF in March, great deal of interest, but decided to postpone chartering of group until W3C workshop.
W3C workshop in April, many of the same folks, but a day and a half to address many issues.
Anything I say here is my own opinion; it is not a formal W3C position, nor a representation of WG consensus on policy or technical direction.

Present work:

RDF Data Model: yes.
RDF Syntax: people are interested, needs further thought.
KISS/simple-semantic: data is associated with a key by signing a hash of the document with that key.

The DSig manifest tells you what is being signed, a list of URIs (with hashes).
signed-XML applications are ignorant of any content semantics outside of the manifest, including XML. (Doesn't necessarily expand entities nor chase links, might understand namespaces.)
To use RDF terminology, everything referenced by the manifest is a literal. signed-XML will use a data model (and maybe even some RDF syntax) so its semantics will be expressed, but signed-XML will make no RDF inferences itself -- though people are certainly welcome to do this in their applications.

Is the job to figure out how to sign chunks of XML (just use S/MIME), or to create an XML signature format.
- Does the scope of either include things other than XML?
People want to sign chunks of XML, and to have the data remain as XML, it should also be able to sign any Web resource.
Additionally, they'd like the data type to stay the same: a signed_XML_form is still recognizable as a form to form applications.
The overlap between cryptographic semantics as expressed in the XML versus ASN1.DER encoded blobs is still fuzzy.