Re: How much XML Signature is mature?

Gino,

Of all the XML Security standards, XML DSIG is the oldest; it is
also the cornerstone of almost all the others (e.g., WS-Security,
signed SAML assertions, etc.).

XML DSIG is being used in the real world for real financial
transactions.  For example, RouteOne is doing online auto loan
applications for some of the world's biggest auto manufacturers,
and using XML DSIG to make binding commitments between lender
and customer.  Their web site is http://www.routeone.com,
although the site doesn't show that they're actually in
production, and they are; more details are available at
http://www.datapower.com/newsroom/cs_routeone.html.

Many vendors have XML DSIG libraries, and there are some open
source packages in (at least) C and Java.  These libraries don't
free the application program of all the details -- securing keys,
for example, is often a big concern.  Several companies (mine
included; see URLs below) have network devices that add XML security
features as either a true network device, or a set of software running
as a software proxy.

> What's your opinion about such issues? What's new in six months?

XML DSIG, as supported by WS-Security (i.e., signing SOAP messages),
is the way to go.  There are still security issues (implementation,
implications of canonicalization, etc.) that will need some analysis
on your side.  In six months, toolkits will be widespread, companies
like mine will be more popular, and WS-I will have a draft profile
that offers solid interop guidance on WS-Security and XML DSIG.
Also, in the greater Boston area it will be cloudy with a chance
of rain and temperatures around 68 Fahrenheit. :)

Hope this helps.
        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

Received on Friday, 17 October 2003 22:26:53 UTC