GlobeSet is pleased to participate in the XML-DISG'99 Work Shop organized by the World Wide Consortium (W3C) and willing to share its experience and contribute previous works to the definition of interoperable solutions in the area of digital signatures and other security services for XML.
Over the past three years, GlobeSet has contributed to the definition and implementation of interoperable solutions for enabling secure transactions over open networks. At the same time, GlobeSet has witnessed the irresistible shift of the Industry from ASN1 to XML, which is anticipated to become the de facto standard for structuring data exchanged and served over the World Wide Web. Unfortunately, there is still no such things as PKCS7[1] or CMS[2] for XML. Uunable to allocate adequate resources to the definition of a Signed XML standard, the many working groups involved with this technology prefer to temporarily elect proprietary solutions.
Alarmed by the rapid multiplication of such proprietary solutions, GlobeSet decided mid-1998 to engage in the formulation of a standard proposal for Signed XML[3].
The objective of this proposal were to define syntax and procedures for the computation, verification, and encoding of digital signatures applicable to general XML documents. The specifications were drafted in light of the requirements gathered while reviewing diverse projects and alternative proposals such as IOTP[4], BIPS[5], SDML[6], FSML[7], and XMLDSIG[8]. Previous experience with ASN1 cryptographic syntaxes played also an important role in the specifications.
The driving requirements of the proposals were:The primary focus of the initial draft was to propose a syntax and related procedures to address the many requirements listed above. Performance and efficiency were not the primary concern, and this transpired in the comments addressed to XML-DSIG mailing list. Obviously, it seems that the proposal covers most of the functional requirements exposed by the people that have commented, but a large majority have found the syntax too verbose. Though, this is due in part to the adoption of XML (much more verbose that ASN1 for example), it is nonetheless undeniable that many aspects of the syntax should be optimized.
On the other hand, it appears that many people might be confused with what should be a Signature Standard. In fact, they tend to assume that a Signature Standard should address every single concern they may have faced when building authentication in some XML application. Unfortunately, there is no such Signature Standard. A Signature Standard consists of a core that could be leveraged for building authentication. It is rarely sufficient for any particular application and should be complemented by some application specifics. A parallel might be established with ASN1 where CMS[2] defines a syntax for cryptographic envelopes and S/MIME[9] further defines how such envelopes shall be used for securing email messages.
The full text of this initial proposal has been submitted as an individual draft to the IETF and is currently available at http://www.ietf.org/internet-drafts/draft-brown-xml-dsig-00.txt. Unfortunately, the published document does not reflect the lastest revisions, which shall be published shortly.