W3C Technology and Society Domain

Previous XML Security WG News

2013-01-24: Call for Review: XML Signature 1.1, XML Encryption 1.1, XML Signature Properties Proposed Recommendations Published; Six Working Group Notes Published.

The XML Security Working Group has published three Proposed Recommendations today:

The group also published six Working Group Notes:


2012-11-13: The XML Security Working Group has published two Group Notes today.

2012-10-18: The XML Security Working Group has published today two Last Call Working Drafts, as well as two Working Group Notes in conjunction with these:

2012-10-15: The XML Security Patent Advisory Group (PAG) has published a report recommending that W3C continue work on the XML Encryption Syntax and Processing Version 1.1 without changes. The PAG did, however, recommend changes to the Candidate Recommendations of XML Signature Syntax and Processing Version 1.1 and XML Signature 2.0 enabling implementations to use alternative algorithms that are still interoperable. W3C launches a PAG to resolve issues in the event a patent has been disclosed that may be essential, but is not available under the W3C Royalty-Free licensing terms. See the original announcement of the PAG.

2012-07-12: The XML Security Working Group has published a Group Note of XML Signature Best Practices. This document collects best practices for implementers and users of the XML Signature specification. Most of these best practices relate to improving security and mitigating attacks; others cover the practical use of XML Signature, such as signing XML that doesn't use namespaces. Learn more about the Security Activity.

2012-03-13: The XML Security Working Group has published the "XML Encryption 1.1" Candidate Recommendation. This is a new CR publication which reflects changes since the previous CR publication to address newly publicized chosen-ciphertext attacks against the CBC class of algorithms. Changes include making an authenticated encryption algorithm mandatory to implement (AES-128-GCM), updating the security considerations and adding additional algorithm choices to the RSA-OAEP key transport algorithm set to provide algorithm agility. Additional changes include various editorial improvements. Details of all changes are noted in the status section of the document.

The Working Group also has published a CR draft outlining the use of XML Signature 2.0 transforms in XML Encryption 1.1 - the "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" Candidate Recommendation.

To address patent disclosures related to the XML Signature 1.1 and XML Encryption 1.1 specifications, the W3C has chartered a Patent Advisory Group.

2012-01-24: The XML Security Working Group invites implementation of three Candidate Recommendations: XML Signature Syntax and Processing 2.0, Canonical XML Version 2.0, and XML Signature Streaming Profile of XPath 1.0.

XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere. The XML Security 2.0 specifications are designed to update the XML Signature and Canonical XML specifications to improve performance, streaming support, and robustness, and to reduce attack surface.

The Working Group has also published a W3C Note: XML Security RELAX NG Schemas, a document that provides RELAX NG schemas corresponding to the normative XSD schemas for XML Signature 1.1, XML Encryption 1.1, and related specifications.

To address patent disclosures related to the XML Signature 1.1 and XML Encryption 1.1 specifications, W3C has chartered a Patent Advisory Group. Concerns related to XML Signature 1.1 may also apply to XML Signature 2.0.

Learn more about W3C's Security Activity.

2012-01-05: The XML Security Working Group has published a new Last Call Working Draft of "XML Encryption 1.1" to solicit review of changes since the previous CR publication. These changes:

  1. make the AES-128-GCM algorithm mandatory to implement, to address newly publicized chosen-ciphertext attacks against the CBC class of algorithms,
  2. add new security considerations related to chosen-ciphertext attacks, timing attacks, CBC block encryption vulnerabilities, and the insecure use of error messages,
  3. add a new algorithm for the RSA-OAEP key transport that does not require SHA-1 with the mask generation function, enabling use of various hash MGF combinations, and
  4. include various editorial corrections.

The XML Security WG is also soliciting review of the Last Call working draft of "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms". This specification brings the simplification benefits of the ongoing XML Security 2.0 effort to XML Encryption CipherReference transform processing. Feedback on both of these Last Call drafts is requested by 16 February 2012.

An update to the Note-track "XML Security Algorithm Cross-Reference" Working Draft reflects new algorithm definitions in XML Encryption 1.1.

The XML Security working group has also published First Public Working Drafts of "Test Cases for XML Encryption 1.1" and "Test Cases for Canonical XML 2.0" and encourages community participation in developing further tests and performing testing.

2011-08-30: Updated working draft of "XML Security RELAX NG Schemas" published. This version of this specification is significantly different from the previous version.

2011-08-09: Updated working draft of "XML Signature Best Practices" published. This draft

2011-07-07: First Draft of "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms Specification" Published:

The XML Security Working Group has published a First Public Working Draft of "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms" specification. This specification brings the benefits of the XML Signature 2.0 transform processing model to XML Encryption, reducing the attack surface and simplifying the processing model. Related 2.0 specifications are in Last Call, including XML Signature 2.0, Canonical XML 2.0 and the XML Signature Streaming Profile of XPath 1.0. The XML Security WG also has 1.1 specifications in Candidate Recommendation, including XML Signature 1.1, XML Encryption 1.1, XML Signature Properties, and XML Security Generic Hybrid Ciphers.

To address patent disclosures related to the XML Signature 1.1 and 2.0 and XML Encryption 1.1 specifications, W3C has chartered a Patent Advisory Group that is in progress. Learn more about W3C's Security Activity.

2011-04-26: Last Call: XML Signature, Canonicalization 2.0: The XML Security Working Group has published Last Call Working Drafts of XML Signature Syntax and Processing Version 2.0, Canonical XML 2.0, and XML Signature Streaming Profile of XPath 1.0. These specifications are part of an ongoing effort to rework XML Signature and Canonical XML to address issues around performance, streaming, robustness, and attack surface. With this Last Call, the Working Group is seeking broad feedback on the approach it has taken. Please comment by 24 May.

Additionally, the XML Security Working Group has updated Working Drafts of XML Security Algorithm Cross-Reference, XML Security 2.0 Requirements and Design Considerations, and XML Security RELAX NG Schemas documents. Learn more about XML.

2011-03-04: W3C Invites Implementer Feedback on XML Security 1.1 Specifications: The XML Security Working Group published four Candidate Recommendations today: XML Signature Syntax and Processing 1.1, XML Encryption Syntax and Processing 1.1, XML Security Generic Hybrid Ciphers, and XML Signature Properties. XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere. As companion documents, the Working Group has released new Working Drafts of XML Security 1.1 Requirements and Design Considerations and XML Security RELAX NG Schemas.

To address patent disclosures related to the XML Signature 1.1 and XML Encryption 1.1 specifications, W3C has chartered a Patent Advisory Group. Learn more about W3C's Security Activity.

2010-11-30: The XML Security Working Group has published Last Call Working Drafts of XML Encryption Syntax and Processing Version 1.1 and XML Signature Syntax and Processing Version 1.1. The former specifies a process for encrypting data and representing the result in XML. The latter specifies XML digital signature processing rules and syntax. XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere. See the explanation of XML encryption changes and XML signature changes. Comments are welcome through 22 December.

2010-09-01: The XML Security Working Group has published five working drafts today. XML Signature 2.0, Canonical XML 2.0 and the XML Signature Streamable Profile of XPath 1.0 are part of an ongoing effort to rework XML Signature and Canonical XML in order to address issues around performance, streaming, robustness, and attack surface. The Working Group has also published updated Working Drafts for its XML Signature Best Practices and XML Security Relax NG Schemas Working Group Notes. Learn more about XML Security.

2010-05-13: The XML Security Working Group has published three Last Call Working Drafts: XML Encryption Syntax and Processing Version 1.1, XML Signature Syntax and Processing Version 1.1, and XML Security Generic Hybrid Ciphers. The group also published a Working Draft of XML Security Algorithm Cross-Reference. XML Encryption specifies a process for encrypting data and representing the result in XML. XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere. The third document augments XML Encryption by defining algorithms, XML types and elements necessary to enable use of generic hybrid ciphers in XML Security applications. The final document summarizes XML Security algorithm URI identifiers and the specifications associated with them. Last Call comments are welcome through 10 June. Learn more about the Security Activity.

2010-03-16: The XML Security Working Group published four Working Drafts today:

2010-03-05: The XML Security Working Group has published two Working Drafts: XML Signature Syntax and Processing Version 2.0 and Canonical XML Version 2.0. The first specifies XML syntax and processing rules for creating and representing digital signatures. XML Signatures can be applied to any digital content (data object), including XML. The second is a major rewrite of Canonical XML Version 1.1 to address issues around performance, streaming, hardware implementation, robustness, minimizing attack surface, determining what is signed and more. It also incorporates an update to Exclusive Canonicalization, effectively a 2.0 version, as well. Learn more about the Security Activity.

2010-02-04: The XML Security Working Group published two Last Call Working Drafts:

The group welcomes Last Call comments through 18 March. The group also published several other drafts today: XML Security 1.1 Requirements and Design Considerations, XML Security RELAX NG Schemas, XML Security 2.0 Requirements and Design Considerations, XML Signature Transform Simplification: Requirements and Design, and XML Signature Best Practices. Learn more about XML Technology.

2009-10-22: The XML Security Working Group has published two First Public Working Drafts: XML Signature Syntax and Processing Version 2.0 and Canonical XML Version 2.0. The former provides integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere. XML Signature 2.0 includes a new transform model designed to address requirements including performance, simplicity and streamability. This model is significantly different from that in XML Signature 1.x; see Section 10, Differences from 1.x version. XML Signature 2.0 is designed to be backward compatible, however, enabling the XML Signature 1.x model to be used where necessary. Canonical XML Version 2.0 is a major rewrite of Canonical XML Version 1.1 to address issues around performance, streaming, hardware implementation, robustness, minimizing attack surface, determining what is signed and more. It also incorporates an update to Exclusive Canonicalization, effectively a 2.0 version, as well. (Permalink to news announcement)

2009-07-31: The XML Security Working Group published six documents related to XML signature and encryption. (Permalink to news announcement)

2009-04-30: The Web Applications Working Group has published the Last Call Working Draft of Widgets 1.0: Digital Signatures. This document defines a profile of the XML Signature Syntax and Processing 1.1 specification to allow a widget package to be digitally signed. Widget authors and distributors can digitally sign widgets as a mechanism to ensure continuity of authorship and distributorship. A user agent can use the digital signature to verify the integrity of the widget package and to confirm the signing key(s). Comments are welcome through 01 June. The Working Group also published an updated Working Draft of Widgets 1.0: Requirements. Learn more about the Rich Web Client Activity. (Permalink to W3 news announcement.)

2009-04-30: The XML Security Working Group has published a Working Draft of XML Signature Properties. This document outlines proposed standard XML Signature Properties syntax and processing rules and an associated namespace for these properties. The intent is these can be composed with any version of XML Signature using the XML SignatureProperties element. Learn more about the Security Activity. (Permalink to W3C news announcement)

2009-02-26: The XML Security Working Group has published a set of eight Working Drafts. The XML Signature 1.1 and XML Encryption 1.1 First Public Working Drafts make changes to the default sets of cryptographic algorithms in both specifications. XML Security Use Cases and Requirements and XML Signature Transform Simplification: Requirements and Design are documents that we expect to help guide the group's work on a future version of the XML Security specifications that might make more radical changes than the 1.1 series of these specifications. The Working Group would like to receive early feedback on these four drafts.

Additionally, the XML Security Derived Keys specification introduces mark-up for key derivation, for use with both XML Signature and XML Encryption. XML Signature Properties defines commonly used signature properties. XML Security Algorithms is a cross-reference for the algorithms and their identifiers used with the XML security specifications, bringing together in one place information located in a number of documents. XML Signature Best Practices is a revised Working Draft for Best Practices in using the XML Signature specification. (Permalink)

These Working Drafts are currently open for public comment - to send external comments to the Working Group, please use the mailing list public-xmlsec-comments @ w3.org.

2009-11-18: First Public Working Draft of Best Practices for XML Signature published.


Chair: Frederick Hirsch
Team Contact and Security Activity Lead: Thomas Roessler
$Id: news.html,v 1.14 2013-04-24 16:48:00 fhirsch3 Exp $