Online Security Using XML signatures
The XML-Signature framework is application-independent and supports signing of any content type, XML or non-XML, as long as that content can be addressed across the Internet, extranet or intranet via Uniform Resource Identifiers (URIs). XML-DSig defines procedures for binding cryptographic signatures to one or more URI-addressable local or network resources and for validating those signatures. XML-DSig also specifies XML syntax for defining signature blocks that can be embedded in all content types.
Understanding XML Signatures
XML signatures are digital signatures designed for use in XML transactions. The standard defines a schema for capturing the result of a digital signature operation applied to arbitrary data. Like non-XML-aware digital signature standards such as the Public Key Cryptography Standards (PKCS), XML signatures add authentication, data integrity, and support for non-repudiation to the data that they sign. However, unlike non-XML digital signature standards, XML signature has been designed to both account for and take advantage of the Internet and XML. Signature validation requires that the data object that was signed be accessible. The XML signature itself will generally indicate the location of the original signed object. The signed object can:
- Be referenced by a URL within the XML signature
- Reside within the same resource as the XML signature
- Be embedded within the XML signature
- Have its XML signature embedded within itself
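The four placements listed above show up in the signature itself as the URI and transforms of each Reference element. The following added example (not code from the original post) classifies them with Python's standard library; the order document, its Id values and the example.com URL are constructed, and treating any attribute named Id as an identifier is an assumption.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace
ENVELOPED = DS + "enveloped-signature"     # enveloped-signature transform

# Constructed sample: one signature with four references. Digest and
# signature values are left out; nothing is cryptographically verified here.
SAMPLE = f"""<order xmlns:ds="{DS}">
  <item Id="line1">10 widgets</item>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>
      </ds:Reference>
      <ds:Reference URI="#note"/>
      <ds:Reference URI="#line1"/>
      <ds:Reference URI="http://example.com/terms.pdf"/>
    </ds:SignedInfo>
    <ds:Object Id="note">approved by purchasing</ds:Object>
  </ds:Signature>
</order>"""

def classify_references(xml_text):
    """Return (URI, placement) for every ds:Reference in the document."""
    root = ET.fromstring(xml_text)
    # Assumption: identifiers are carried in attributes named "Id".
    everywhere = {e.get("Id") for e in root.iter() if e.get("Id")}
    results = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        inside = {e.get("Id") for e in sig.iter() if e.get("Id")}
        for ref in sig.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI")
            algs = {t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")}
            if ENVELOPED in algs:
                kind = "enveloped: signature is embedded in the signed data"
            elif uri is None:
                kind = "application-defined: URI attribute omitted"
            elif uri == "":
                kind = "same resource: whole containing document"
            elif uri.startswith("#") and uri[1:] in inside:
                kind = "enveloping: data is embedded in the signature"
            elif uri.startswith("#") and uri[1:] in everywhere:
                kind = "same resource: data is elsewhere in this document"
            elif uri.startswith("#"):
                kind = "unresolved: no element carries this Id"
            else:
                kind = "external: data is referenced by URL"
            results.append((uri, kind))
    return results
```

The function inspects structure only, so it shows which portion of a document each reference covers but says nothing about whether the signature is valid. Parse untrusted XML with a hardened parser such as defusedxml rather than plain ElementTree.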
The features that make XML so powerful for business transactions (e.g., semantically rich and structured data, text-based, and Web-ready nature) provide both challenges and opportunities for the application of encryption and digital signature operations to XML-encoded data. For example, in many workflow scenarios where an XML document flows stepwise between participants, and where a digital signature implies some sort of commitment or assertion, each participant may wish to sign only that portion for which they are responsible and assume a concomitant level of liability. Older standards for digital signatures provide neither syntax for capturing this sort of high-granularity signature nor mechanisms for expressing which portion a principal wishes to sign.
XML signatures in future development
Multiple signatures consist of the signing of a message by multiple participants. As such, XML signature is a more viable option than other security technologies, because the technologies in common deployment are insufficient for securing business transactions on the Web. Most existing browser-based security mechanisms, generally adequate for low-value business-to-consumer transactions, do not provide the enhanced security or flexibility required for protecting high-value commercial transactions and the sensitive data exchanges that comprise them. This gives us the confidence that XML will be very important to the future of the web for all data manipulation and data transmission. Some may argue that XML security is fundamentally broken, but this is my opinion. No doubt, you may have your own.







Nice Information on "Online Security". Good Work done Sachin :-)
Posted by: Anand Lodha | Dec 26, 2007 at 11:08 AM