World Wide Web Consortium Issues XML Encryption and Decryption Transform as W3C Recommendations

Author(s) and publish date


Combined with XML Signature, XML Encryption and Decryption Transform Deliver Secure XML Documents

Testimonials -- 10 December 2002 -- The World Wide Web Consortium (W3C) has issued the XML Encryption Syntax and Processing specification and the Decryption Transform for XML Signature as W3C Recommendations, representing cross-industry agreement on an XML-based approach for securing XML data in a document.

A W3C Recommendation indicates thata specification is stable, contributes to Web interoperability, and has been reviewed by the W3C Membership, who favor its widespread adoption.

What is Encryption?

Encryption is the process of scrambling information such that it is only readable by intended recipients, after unscrambling. While an encrypted message or file may be accessible to a wide community, such as network intermediaries, it is not meaningful to those intermediaries, or to eavesdroppers who may be watching information packets travel across a network. Encrypted data has been rendered opaque by mathematically encrypting it in a way that makes it unreadable to anyone except those possessing the secret, or "key" to decrypt it.

What is XML Encryption, and Why Is It Needed?

When exchanging sensitive data (e.g., financial or personal information) over the Internet, senders and receivers require secure communications. Although there are deployed technologies that allow senders and receivers to secure a complete data object or communication session, only W3C XML Signature (together with the new W3C XML Encryption Recommendation) permits users to selectively sign and encrypt portions of XML data. For example, a user of a Web services protocol such as SOAP may want to encrypt the payload part of the XML message but not the information necessary to route the payload to its recipient. Or, an XForms application might require that the payment authorization be digitally signed, and the actual payment method, such as a credit card number, be encrypted. And, of course, XML Encryption can be used to secure complete data objects as well such as such as an image or sound file.

The associated "Decryption Transform for XML Signature" Recommendation permits one to use encryption with XML Signature. One feature of XML Signature is to ensure a document's integrity: to detect if the document is altered. However, many applications require the ability to first sign an XML document and then encrypt parts of it, altering the document. The Decryption Transform lets the receiver know which portions of the document to decrypt, restoring the document to its unaltered state, before it can check the signature.

XML Encryption Already Implemented, with Broad Support from Industry Leaders and Cryptography Experts

Numerous applications and other specifications are already utilizing XML Encryption, as shown in the Implementation and Interoperability Report filed by the W3C XML Encryption Working Group. In particular, Web services specifications that need to secure their payloads will be utilizing this Recommendation. Many companies have stated support and plans to implement XML encryption.

XML Encryption was developed by the W3C XML Encryption Working Group, consisting of both individuals and the following W3C Members: Baltimore Technologies; BEA Systems; DataPower; IBM; Microsoft; Motorola; University of Siegen; Sun Microsystems; and VeriSign.

About the World Wide Web Consortium [W3C]

The W3C was created to lead the Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. It is an international industry consortium jointly run by the MIT Laboratory for Computer Science (MIT LCS) in the USA, the National Institute for Research in Computer Science and Control (INRIA) in France and Keio University in Japan. Services provided by the Consortium include: a repository of information about the World Wide Web for developers and users, and various prototype and sample applications to demonstrate use of new technology. To date, nearly 450 organizations are Members of the Consortium. For more information see


Contact Americas, Australia --
Janet Daly, <>, +1.617.253.5884 or +1.617.253.2613
Contact Europe --
Marie-Claire Forgue, <>, +33.492.38.75.94
Contact Asia --
Saeko Takeuchi <>, +81.466.49.1170

Testimonials for XML Encryption and Decryption Transform

In English:DataPower Technology | IBM | Phaos Technology Corporation | Microsoft Corporation | Sarvega, Inc. | webMethods, Inc. | XMLsec Inc. | XML Security Library

In French: XMLsec Inc.

DataPower Technology

As a W3C member, DataPower Technology is firmly committed to the development of XML standards and increased XML adoption. DataPower views XML Encryption as a key component of the underlying XML-Aware network infrastructure that will enable XML Web Services adoption. DataPower believes the element level-privacy delivered by XML Encryption detailed in this Recommendation will help the industry move beyond transport layer security towards true application security required for successful XML Web Services implementations. As such, DataPower is including full support for XML encryption in its XML-Aware networking devices.

-- Rich Salz, Chief Security Architect, DataPower


XML Encryption is a key foundation technology and a crucial component of the Web services security stack. Combining XML Encryption with XML Digital Signature provides customers with a strong, base security technology they can build upon and incorporate into their Web services applications. IBM is committed to the development of open security standards and is pleased that XML Encryption has been approved as a W3C Recommendation.

-- Kelvin Lawrence, Distinguished Engineer and CTO, Dynamic e-business Technology, IBM

Microsoft Corporation

Microsoft is pleased with the publication of XML Encryption as a W3C Recommendation. XML Encryption is a strong complement to the XML Signatures Recommendation released earlier this year, as well as other security-related specs under development, such as WS-Security. Microsoft is fully committed to driving and implementing interoperable standards for security on the Web and will support XML Encryption in the Microsoft .NET Framework.

-- David Treadwell, General Manager, .NET Developer Platform

Phaos Technology Corporation

Phaos Technology is very pleased to see the XML Encryption specification progress to the W3C Recommendation status. With the widespread use of XML in data exchange, the crucial data confidentiality capabilities provided by XML Encryption are highly welcome. We commend the W3C for its XML security efforts as they goes a long way towards facilitating the standardization of the security stack for Web Services, which should drive the adoption of Web Services. Phaos is pleased to announce its support for the new specifications. As part of our continuing commitment to open security standards, the Phaos XML Toolkit with full support for the standard is already shipping. Phaos has incorporated the W3C's XML Encryption and XML Signature as the core security technologies of our XML and Web Services security product lines.

-- Jiandong Guo, Senior Software Engineer, Phaos Technology Corporation

Sarvega, Inc.

XML Encryption is an important security component in large scale XML and Web Services deployments. Sarvega pleased to endorse XML Encryption as a W3C recommendation. As the leading provider of XML Switches - XML infrastructure products that accelerate, secure and route XML; we look forward to deploying it in our product offerings.

-- Girish Juneja, Vice President, Engineering, Sarvega, Inc.

webMethods, Inc.

Before companies feel safe deploying Web services throughout their entire organizations, the issue of security must be addressed. The W3C's XML Encryption standard is a critical part of providing Web services security, and webMethods is pleased to endorse this standard. Our customers are aggressively adopting Web services as a key component in their integration strategy, and we will support XML Encryption in the webMethods integration platform, helping provide customers with peace of mind as they deploy the next generation of integration."

-- Andy Astor, Vice-President for Enterprise Web Services, webMethods, Inc.

XMLsec Inc.

The Web has quickly become the primary means of communication among diverse organizations and individuals; efficient processing of data based on information analysis is paramount but so is the protection of private information within that data. Confidential data within a dataset must be encrypted, while leaving the non-confidential data intact; the W3C XML Encryption Recommendation fulfills this essential requirement. Security is critical for advancing the Web, but pre-XML security is not, in itself, sufficient for the task. Fortunately, XML Security is security designed for the Web: XML Encryption and XML Signature (released earlier this year) enable security to be tailored to the structure and semantics of both XML and non-XML data. XMLsec congratulates the W3C on the release of the XML Encryption Recommendation and on its excellent stewardship in the area of XML Security.

-- Ed Simon, President and CEO, XMLsec Inc.

XML Security Library

The W3C XML Encryption specification provides a simple and convenient way for protecting XML documents. Along with W3C's XML Digital Signature Recommendation it gives a basis for building the next generation of interoperable and secure Web services.

-- Aleksey Sanin, Author, XML Security Library

XMLsec Inc.

Le Web est rapidement devenu le moyen de communication principal parmi divers organismes et individus; le traitement efficace des données basé sur l'analyse de l'information est primordial, mais la protection de l' information privée qui en fait partie est aussi importante. Des données confidentielles dans un ensemble de données doivent être chiffrées, tout en laissant les données non-confidentielles intactes; la recommandation du W3C XML Encryption remplit cette condition essentielle. La sécurité est critique pour la progression du Web, mais la sécurité avant l'arrivée de XML n'était pas toujours suffisante à la tâche. Heureusement, la sécurité de XML est conçue pour le Web : XML Encryption et XML Signature (relâchée plus tôt cette année) permettent d'adapter les mesures de sécurité en fonction la structure et les sémantiques des données XML et des données non-XML. XMLsec félicite le W3C sur la diffusion de la recommandation du XML Encryption et sur son excellente gérance dans le domaine de la sécurité XML.

-- Ed Simon, Président et CEO, XMLsec Inc.

Related RSS feed