XML Signature is an New W3C Recommendation

On 14 February 2002, the W3C announced XML Signature as a W3C Recommendation. XML Signatue was developed by the joint IETF/W3C XML Signature Working Group. This was the first joint W3C/IETF Working Group, and is the first W3C technical Working Group to operate entirely as a public group. This new working group model provided independent developers with a clear window on the XML Signature work in all stages of development, and brought a wide range of implementation experience. Participants in the joint IETF/W3C Working Group included representatives from organizations whose lead research and commercial work in the area of digital signatures and security, including Accelio, Baltimore, Capslock, Citigroup, Corsec, Georgia State University, IAIK TU Graz, IBM, Microsoft, Motorola, Pure Edge, Reuters Health, Signio, Sun Microsystems, University of Siegen, University of Waterloo, VeriSign Inc., and XMLsec.

XML digital signatures provide integrity, message authentication, and signer authentication services and are essential to the success of Web Services. Digital signatures are created and verified using cryptography, the branch of applied mathematics concerned with transforming messages into seemingly unintelligible forms and then back again. Digital signatures are created by performing an operation on information such that others can confirm both the identity of the signer, and the fidelity of the information. This capability is important to a growing number of XML protocol, publishing and commerce applications.

Signing an XML File

There are already a number of technologies that one can use to sign an XML File, but the new W3C XML Signature recommendation brings additional benefits.

XML Signature can be implemented with and use many of the same toolkits one is using for XML applications
XML Signature can process XML as XML instead of a single large document. This means multiple users may apply signatures to sections of XML, not simply the whole document.

Of the two advantages XML Signature brings, the ability to sign sections of a document appears to bring the largest benefit. The ability to sign sections of a document without invalidating other portions is invaluable to commercial applications that route XML documents through numerous intermediaries.

One may independently sign an XML payload from the XML envelope that carries it for a short period. As a result, when you remove, add or change the protocol envelope the signature on the payload itself is still valid. In addition, XML Signature provides flexibility when a signed XML form is delivered to a user. If the signature were over the full XML form, any change by the user to the default form values would invalidate the original signature. XML Signature permits both the original form and user's entries to be independently signed without invalidating the other.

Support for XML Encryption and Key Management

In addition to offering benefits of its own, XML Signature is slated to be the foundation for other W3C work including XML Encryption, providing a mechanism to secure parts of XML documents, and XML Key Management, providing a simple protocol for lightweight XML applications to obtain the key necessary for signature and encryption.