W3C

World Wide Web Consortium Issues XML Encryption and Decryption Transform as W3C Recommendations

Combined with XML Signature, XML Encryption and Decryption Transform Deliver Secure XML Documents

Contact Americas, Australia --
Janet Daly, <janet@w3.org>, +1.617.253.5884 or +1.617.253.2613
Contact Europe --
Marie-Claire Forgue, <mcf@w3.org>, +33.492.38.75.94
Contact Asia --
Saeko Takeuchi, <saeko@w3.org>, +81.466.49.1170

(also available in French and Japanese)

Testimonials are also available.


http://www.w3.org/ -- 10 December 2002 -- The World Wide Web Consortium (W3C) has issued the XML Encryption Syntax and Processing specification and the Decryption Transform for XML Signature as W3C Recommendations, representing cross-industry agreement on an XML-based approach for securing XML data in a document.

A W3C Recommendation indicates that a specification is stable, contributes to Web interoperability, and has been reviewed by the W3C Membership, who favor its widespread adoption.

What is Encryption?

Encryption is the process of scrambling information such that it is only readable by intended recipients, after unscrambling. While an encrypted message or file may be accessible to a wide community, such as network intermediaries, it is not meaningful to those intermediaries, or to eavesdroppers who may be watching information packets travel across a network. Encrypted data has been rendered opaque by mathematically encrypting it in a way that makes it unreadable to anyone except those possessing the secret, or "key", to decrypt it.

What is XML Encryption, and Why Is It Needed?

When exchanging sensitive data (e.g., financial or personal information) over the Internet, senders and receivers require secure communications. Although there are deployed technologies that allow senders and receivers to secure a complete data object or communication session, only W3C XML Signature (together with the new W3C XML Encryption Recommendation) permits users to selectively sign and encrypt portions of XML data. For example, a user of a Web services protocol such as SOAP may want to encrypt the payload part of the XML message but not the information necessary to route the payload to its recipient. Or, an XForms application might require that the payment authorization be digitally signed, and the actual payment method, such as a credit card number, be encrypted. And, of course, XML Encryption can be used to secure complete data objects as well, such as an image or sound file.

The associated "Decryption Transform for XML Signature" Recommendation permits one to use encryption with XML Signature. One feature of XML Signature is to ensure a document's integrity: to detect if the document is altered. However, many applications require the ability to first sign an XML document and then encrypt parts of it, altering the document. The Decryption Transform lets the receiver know which portions of the document to decrypt, restoring the document to its unaltered state, before it can check the signature.

XML Encryption Already Implemented, with Broad Support from Industry Leaders and Cryptography Experts

Numerous applications and other specifications are already utilizing XML Encryption, as shown in the Implementation and Interoperability Report filed by the W3C XML Encryption Working Group. In particular, Web services specifications that need to secure their payloads will be utilizing this Recommendation. Many companies have stated support and plans to implement XML Encryption.

XML Encryption was developed by the W3C XML Encryption Working Group, consisting of both individuals and the following W3C Members: Baltimore Technologies; BEA Systems; DataPower; IBM; Microsoft; Motorola; University of Siegen; Sun Microsystems; and VeriSign.

About the World Wide Web Consortium [W3C]

The W3C was created to lead the Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. It is an international industry consortium jointly run by the MIT Laboratory for Computer Science (MIT LCS) in the USA, the National Institute for Research in Computer Science and Control (INRIA) in France and Keio University in Japan. Services provided by the Consortium include: a repository of information about the World Wide Web for developers and users, and various prototype and sample applications to demonstrate use of new technology. To date, nearly 450 organizations are Members of the Consortium. For more information see http://www.w3.org/