IBM Paper for the

April 1999 W3C Signed XML Workshop

Donald E. Eastlake III   <dee3@us.ibm.com>   +1 914-784-7913

March 1999

[Note: This paper is for the use of the World Wide Web Consortium technical workshop on Signed XML to be held April 15/16 1999 in Cambridge, Massachusetts. It represents IBM's views for that context only. Internet drafts referred to herein are IETF works in progress subject to withdrawal or revision at any time.]

  1. Introduction

    IBM is pleased to participate in the April 1999 World Wide Web Consortium (W3C) Workshop on Signed XML (eXtensible Markup Language). The provision of interoperable security services will be vital for XML to reach its full potential, particularly in any area where risk management or confidentiality is important, including e-Commerce.

    IBM offers its DOM HASH technology developed by the IBM Tokyo Research Laboratory and its PKI Role and Trust Establishment technology developed by the IBM Haifa Research Laboratory, described in section 3 below, as input for discussion at this workshop.

    IBM also has particular comments on the elements involved in and closely related to secure XML and the best venue for its rapid and effective interoperable standardization, as given in sections 4 and 5 below.

  2. The Importance of Secure XML

    Many parts of the applications world are moving toward XML syntax. One area where a particularly pressing and immediate need is felt for secure XML is the area of financial protocols.

    The eCheck standard produced by the Financial Services Technology Consortium (FSTC) may move to XML and considers signatures critical. Other standards such as the business-to-business Open Buying on the Internet (OBI) and the consumer-to-financial-institution Interactive Financial Exchange (IFX) may follow a similar path. The consumer-to-business Internet Open Trading Protocol (IOTP) under the Internet Engineering Task Force (IETF) is already in XML syntax and has such an urgent need for digitally signed XML for pilot implementation that it has adopted a specific signature syntax for IOTP v1.0 in advance of general standardization. (However, the IOTP working group has indicated it will adopt any effective general standard that emerges for XML signatures for future versions of IOTP.)

    Additional references for a few eCommerce potential user protocols of secure XML:
    Protocol/Method                        Current Organization                               References
    eCheck (Electronic Check)              FSTC (Financial Services Technology Consortium)    www.echeck.org
    OBI (Open Buying on the Internet)      OBI, A CommerceNet Alliance Partner                OBI Consortium
    IOTP (Internet Open Trading Protocol)  IETF (Internet Engineering Task Force)             draft-ietf-trade-iotp-v1.0-dsig-00.txt
                                                                                              draft-ietf-trade-iotp-v1.0-protocol-03.txt
    IFX (Interactive Financial eXchange)   BITS (Banking Industry Technology Secretariat)     Interactive Financial Exchange Forum

    The 157 persons attending a break-out session on this topic at the IETF meeting in Minneapolis, March 14-19, earlier this month unanimously considered signed XML important. Of those expressing an opinion on urgency, about 75% thought it urgent that such a standard be promulgated before the end of calendar 1999.

    While integrity and authentication may be the most immediate requirements, confidentiality will also be required. Many sensitive applications, such as the SET payment protocol or those which store or transmit personal or national security information have data elements spanning a wide range in sensitivity. In some cases, a document may be stored by or transmitted through a party which is prohibited from learning the content of part of that document. These applications, to be implemented in XML, will require a standard syntax for encrypted XML.

  3. IBM Contributions

  4. What is Secure XML?

    Specification of secure XML for practical application can usefully be divided into several areas.

  5. Standardization Venues

    There are a number of venues that could be considered for standardization of XML security. Of these, the most obvious are the W3C, as the home of XML, and the IETF, as the home of most Internet message and transmission standards including those for character encoded secure email. However, it should be noted that serious consideration is being given to work on application specific XML security syntaxes in other organizations which are developing specific XML encoded protocols or messages. It can be hoped that the prompt development of a general and powerful secure XML syntax standard will head off such redundant efforts.

    The best venue for standardization of the lower level canonicalization and cryptographic syntax aspects of secure XML is the Internet Engineering Task Force (IETF). It has greater cryptographic expertise than the W3C including the development of unambiguous, secure, and interoperable specifications for a cryptographic message syntax. Drafts on potential technology at this level are already in the IETF process as individual contributions.

    Application level standards, such as those involving variously authenticated assertions for use in an inference engine or security policy standards like that suggested in the IBM Haifa trust management work, could be done in various venues. However, to the extent that they relate to web content meta-data and the like, i.e., the sort of thing for which the W3C has adopted its Resource Description Framework (RDF) Model and Syntax Specification, the W3C would be the best venue.