World Wide Web Consortium Issues XML Signature as a W3C Recommendation
Joint work with IETF produces XML-based solution for digital signatures, foundation for Secure Web services
http://www.w3.org/ -- 14 February 2002 -- The World Wide Web Consortium (W3C) has issued XML-Signature Syntax and Processing (XML Signature) as a W3C Recommendation, representing cross-industry agreement on an XML-based language for digital signatures. A W3C Recommendation indicates that a specification is stable, contributes to Web interoperability, and has been reviewed by the W3C Membership, who favor its widespread adoption.
"XML Signature is a critical foundation on top of which we will be able to built more secure Web services," explained Tim Berners-Lee, W3C Director. "By offering basic data integrity and authentication tools, XML Signature provides new power for applications that enable trusted transactions of all sorts."
Digital Signatures are Essential to Web Services
Digital signatures are created and verified using cryptography, the branch of applied mathematics concerned with transforming messages into seemingly unintelligible forms and then back again. Digital signatures are created by performing an operation on information such that others can confirm both the identity of the signer, and the fidelity of the information. This capability is important to a growing number of XML protocol, publishing and commerce applications.
XML Signature Combines Data Integrity with Extensibility
While there are technologies one can use to sign an XML file, XML Signature brings two additional benefits.
First, XML Signature can be implemented with and use many of the same toolkits one is using for XML applications.
Second, XML Signature can process XML as XML instead of a single large document. This means multiple users may apply signatures to sections of XML, not simply the whole document.
As more commercial applications are used to send XML documents through a series of intermediaries, the ability to sign sections of a document without invalidating other portions is invaluable, whether for invoices, orders, or applications.
One may independently sign an XML payload from the XML envelope that carries it for a short period. As a result, when you remove, add or change the protocol envelope the signature on the payload itself is still valid.
Similarly, XML Signature provides flexibility when a signed XML form is delivered to a user. If the signature were over the full XML form, any change by the user to the default form values would invalidate the original signature. XML Signature permits both the original form and user's entries to be independently signed without invalidating the other.
And of course, while XML Signature is tailored to XML processing, it can be used to sign any data, such as a PNG image.
XML Signature Supports XML Encryption and Key Management
XML Signature serves as the foundation for other ongoing W3C work including XML Encryption, which provides a mechanism to secure parts of XML documents, and XML Key Management, which provides a simple protocol for lightweight XML applications to obtain the key necessary for signature and encryption.
IETF/W3C Brings Together Industry Experts; Public Review
The XML Signature Working Group is the first joint W3C/IETF Working Group, and is the first W3C technical Working Group to operate entirely as a public group. This provided independent developers with a clear window on the XML Signature work in all stages of development, and brought a wide range of implementation experience. XML Signature already enjoys significant support and deployment, as highlighted in the testimonials.
Participants in the joint IETF/W3C Working Group included representatives from organizations whose lead research and commercial work in the area of digital signatures and security, including Accelio, Baltimore, Capslock, Citigroup, Corsec, Georgia State University, IAIK TU Graz, IBM, Microsoft, Motorola, Pure Edge, Reuters Health, Signio, Sun Microsystems, University of Siegen, University of Waterloo, VeriSign Inc., and XMLsec.
About the World Wide Web Consortium [W3C]
The W3C was created to lead the Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. It is an international industry consortium jointly run by the MIT Laboratory for Computer Science (MIT LCS) in the USA, the National Institute for Research in Computer Science and Control (INRIA) in France and Keio University in Japan. Services provided by the Consortium include: a repository of information about the World Wide Web for developers and users, and various prototype and sample applications to demonstrate use of new technology. To date, over 500 organizations are Members of the Consortium. For more information see http://www.w3.org/
- Contact America --
- Janet Daly, <janet@w3.org>, +1.617.253.5884 or +1.617.253.2613
- Contact Europe --
- Marie-Claire Forgue, <mcf@w3.org>, +33.492.38.75.94
- Contact Asia --
- Saeko Takeuchi <saeko@w3.org>, +81.466.49.1170
Testimonials for XML Signature Recommendation
In English: Baltimore Technologies | Capslock | IBM | Lexign | Microsoft Corporation | Phaos Technology Corp. | PureEdge Solutions Inc. | University of Siegen | Sterling Commerce | Sun Microsystems | Vordel | XMLsec Inc.
In French: XMLsec Inc.
Baltimore Technologies
Baltimore has aggressively pushed the adoption of open standards and interoperability since its inception. XML is proving to be a critical enabling technology for the widespread adoption of digital security, and XML Signatures are a fundamental component of these security technologies. We are pleased to have played an active role in shaping the XML Signature standard, and look forward to deploying it as a core technology in our product offerings.
-- Merlin Hughes, Chief Technical Evangelist, Baltimore TechnologiesCapslock
Capslock is very pleased to see the XML-Signature Syntax become officially approved and we are honored to have participated in the successful process. XML-Signature allows interoperability and economical broad-scale deployment of digital signatures in applications involving business critical information, transactions and operational workflows. Now, demands set forth by the actual operational processes and information structures can efficiently be answered by the technology, for instance, by providing means for multiple signatures, as is often required in applications. Implemented in the Ubisecure Signature component, XML-Signature will be distributed as a standard part of solutions and products provided by Capslock and our Partners.
-- Charles Sederholm, CEO, Capslock, Inc.IBM
IBM applauds the cooperative effort between the IETF and the W3C that led to the development XML Digital Signature. Open industry standards in the security area are a top priority for our customers as we advance the standardization program for Web services in 2002. XML Digital Signature is a critical foundational technology for the security work yet to come.
-- Robert S. Sutor, Director of e-business Standards Strategy, IBMLexign
Lexign endorses the XML Signature specification and is pleased to see it approved as a W3C Recommendation. Lexign considers XML Signature to be an essential part of its Web solution architecture. XML Signature allows Lexign to extend the XML technology from the Forms, Workflow and Storage components of its Suite to its digital signature and security components, resulting in an open and extensible solution.
-- Tamir Orbach, CTO, LexignMicrosoft Corporation
The release of XML Signatures as a W3C Recommendation represents an important stage in the development of secure XML Web services. By using XML D-Sig, developers now have a mechanism for ensuring the integrity of messages they send over unsecured networks. The W3C's current work on XML Encryption will soon enable confidentiality, too. Microsoft has been a strong supporter of these initiatives and is pleased to announce that XML Signatures are a feature of Visual Studio .NET and the .NET Framework.
-- Robert Wahbe, General Manager, XML Web services, Microsoft CorporationPhaos Technology Corp.
Phaos Technology is excited to see the XML Signature 1.0 specification progress to W3C Recommendation status. XML-DSIG lays a solid foundation for XML security, upon which other important standards like XML Encryption and XML Key Management are being built. With the widespread use of XML in data communication, the crucial data integrity capabilities provided by XML-DSIG are highly welcome. As a leading provider of Java security software, Phaos is pleased to announce its support for these strong new specifications with the introduction of the Phaos XML Toolkit. As part of our continuing commitment to open security standards, the Phaos XML Toolkit allows Java developers to quickly and easily incorporate XML signatures and encryption into their applications across a wide range of platforms and environments.
-- Ari Kermaier, Senior Software Engineer, Phaos Technology Corp.PureEdge Solutions Inc.
PureEdge Solutions is very pleased that XML Signature has become a W3C Recommendation. The collaborative and disciplined W3C process has brought together the industry's best, resulting in a specification that has the expressive power to handle the most demanding application scenarios that we have encountered since first applying digital signatues to XFDL in early 1998. We are honored to have participated in co-authoring this specification, we are privileged to have worked with the many dedicated professionals in the working group, and we look forward to incorporating a best-of-breed implementation of XML Signature into our XFDL-based Internet Commerce System product line.
-- John Boyer, Ph.D., Senior Product Architect, PureEdge Solutions Inc.University of Siegen
The W3C XML Signature recommendation is a basic building block for bringing trust and confidence to a wide range of new applications. The abilities of using multiple signatures in workflow applications or signing specific parts of structured documents will revolutionize the way on how we use digital signatures. Embedding a signature into a document brings us very close to the way we handle handwritten signatures today. We hope that donating our open-source XML Signature implementation to the XML Apache project will help to wide-spread this emerging and important technology and be a trigger for more academic research in the field of XML related security technologies.
-- Christian Geuer-Pollmann, Committer to the XML Apache Project, Institute for Data Communications Systems, University of SiegenSterling Commerce
Strong security must be in place before the Internet promise of inexpensive and pervasive B2B integration can be realized. Compromise in the area of security has potentially serious legal, image and client relationship implications - prospects our customers are well aware of and concerned about. While numerous advances are occurring in the area of Internet B2B Integration, advances in security have lagged behind. XML payloads and Web Services architectures introduce additional security challenges. The W3C XML Signature specification ensures the integrity of information exchanged over the Internet in a standardized manner to ensure interoperability. Sterling Commerce supports XML Signature as vital in the protection of XML payloads in the next generation Web Services integration scenarios. Our STERLING:Integrator solution leverages XML Signature to provide both secure application and Web Services oriented B2B integration.
-- Brian Gibb, Director, Standards & Applied Technology, Sterling CommerceSun Microsystems
Sun Microsystems strongly supports the publication of XML-Signature Syntax and processing as a W3C Recommendation. Through the Java Community Process, we are actively working with the Java(TM) Community to define a standard high-level Java API for generating and validating XML Signatures based on the W3C specification. We expect that the Java XML Signature APIs will be an important building block for creating secure web services.
-- Sean Mullan, Co-specification lead of JSR 105 (Java XML Digital Signature API), and Raghavan Srinivas, Software Engineer; Sun MicrosystemsVordel
The advent of Web Services presents a need for a whole new type of security. This sits at a higher level than firewalls or SSL - because security applications for Web Services must be capable of "dipping into" the stream of data which is passing through the web ports and checking it against a list of security rules.The XML signature is an important technology both in itself and as a vital enabler for this new "intelligent" way of addressing security requirements.
-- Mark O'Neill, CTO at Web services security firm, VordelXMLsec Inc.
The XML Signature Recommendation is a break-through in Web security technology. With its unique capabilities such as covering multiple resources in one signature and being able to selectively include or exclude what parts of documents are signed, XML Signature exemplifies the incredible synergy of bringing XML and security together. HTML and XML created a revolution in the usability and capability of the Internet; now we are doing the same in the realm of security. XMLsec Inc. applauds the W3C for the fine leadership it has shown in the area of Web security including the latest initiatives in XML Encryption, XML Key Management Services, and secure SOAP. 'XML Security is security designed for the Web' and so XMLsec will continue to work with the W3C to ensure trust and confidence in the Web.
-- Ed Simon, President and CEO, XMLsec Inc.XMLsec Inc.
La recommandation de XML Signature est un grand avancement en technologie de sécurité de Web. Avec ses capacités uniques telles que couvrir les ressources multiples dans une signature seule et pouvoir sélectivement inclure ou exclure quelles parties de documents sont signées, la XML Signature exemplifie la synergie incroyable de réunir XML et sécurité. Le HTML et le XML ont créé une révolution dans la accessibilité et la capacité de l'Internet; maintenant nous faisons la même chose dans la zone de la sécurité. XMLsec Inc. applaudit le W3C pour la conduite fine qu'il a montrée dans le domaine de la sécurité de Web comprenant les dernières initiatives dans le chiffrement de XML (XML Encryption), les services de gestion des clés de XML (XML Key Management Services), et le SOAP sûr. La sécurité de XML est sécurité dessinée pour le Web et ainsi XMLsec continuera à travailler avec le W3C pour assurer la confiance en Web.
-- Ed Simon, President and CEO, XMLsec Inc.