Misconception: XML Digital Signatures is too hard to implement

Another misconception that has been around for a while is that XML Digital Signatures and XML Canonicalization are notoriously difficult to implement correctly. This misconception seems to stem from issues that emerged in Java prior to version 1.4.1, which, like all software, had a few bugs in it. Fortunately, the issues with XML canonicalization were resolved.

In the case of widgets, there are now interoperable implementations of the Widgets XML Digital Signature specification. Although there is limited W3C Widget-based content out in the wild that makes use of digital signatures, none of the implementers have reported interoperability issues thus far. So, this claim remains unfounded, and those who spread it have been unable and unwilling to provide any tests that prove there is an issue.

It should be said that cryptography is hard irrespective of XML Digital Signatures. Very few individuals on this planet actually understand the tools, let alone the mathematics, and other things that make such systems secure. It is my belief that no matter what signature system would have been chosen for widgets, it would have still been hard for most developers to understand. I hold that our choice of XML Digital Signatures is OK (i.e., not great, maybe there is something better?) for the common cases for which widgets are used.
