- From: Janet Daly <janet@w3.org>
- Date: Thu, 14 Feb 2002 07:03:20 -0800
- To: w3t-pr@w3.org, w3c-news@w3.org
World Wide Web Consortium Issues XML Signature as a W3C Recommendation
Joint work with IETF produces XML-based solution for digital signatures,
foundation for Secure Web services
Contacts:
North America --
Janet Daly, <janet@w3.org>, +1.617.253.5884
Europe --
Marie-Claire Forgue, <mcf@w3.org>, +33.492.38.75.94
Asia --
Saeko Takeuchi <saeko@w3.org>, +81.466.49.1170
Web Resources:
News Release
http://www.w3.org/2002/02/xmlsignature-pressrelease
Testimonials from Baltimore Technologies, Capslock, IBM,
Lexign, Microsoft, Phaos Technology Corp., PureEdge
Solutions Inc., University of Siegen, Sterling Commerce,
Sun Microsystems, Vordel, and XMLsec Inc.:
http://www.w3.org/2002/02/xmlsignature-testimonial
W3C XML Signature Recommendation
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
_________________________________________________________________
http://www.w3.org/ -- 14 February 2002 -- The World Wide Web Consortium
(W3C) has issued XML-Signature Syntax and Processing (XML Signature) as
a W3C Recommendation, representing cross-industry agreement on an
XML-based language for digital signatures. A W3C Recommendation
indicates that a specification is stable, contributes to Web
interoperability, and has been reviewed by the W3C Membership, who favor
its widespread adoption.
"XML Signature is a critical foundation on top of which we will be able
to built more secure Web services," explained Tim Berners-Lee, W3C
Director. "By offering basic data integrity and authentication tools,
XML Signature provides new power for applications that enable trusted
transactions of all sorts."
Digital Signatures are Essential to Web Services
Digital signatures are created and verified using cryptography, the
branch of applied mathematics concerned with transforming messages into
seemingly unintelligible forms and then back again. Digital signatures
are created by performing an operation on information such that others
can confirm both the identity of the signer, and the fidelity of the
information. This capability is important to a growing number of XML
protocol, publishing and commerce applications.
XML Signature Combines Data Integrity with Extensibility
While there are technologies one can use to sign an XML file, XML
Signature brings two additional benefits.
First, XML Signature can be implemented with and use many of the same
toolkits one is using for XML applications. In this way, no additional
software is required.
Second, XML Signature can process XML as XML instead of a single large
document. This means multiple users may apply signatures to sections of
XML, not simply the whole document.
As more commercial applications are used to send XML documents through a
series of intermediaries, the ability to sign sections of a document
without invalidating other portions is invaluable, whether for invoices,
orders, or applications.
For example, one may independently sign an XML payload from the XML
envelope that carries it for a short period. As a result, when you
remove, add or change the protocol envelope the signature on the payload
itself is still valid.
Similarly, XML Signature provides flexibility when a signed XML form is
delivered to a user. If the signature were over the full XML form, any
change by the user to the default form values would invalidate the
original signature. XML Signature permits both the original form and
user's entries to be independently signed without invalidating the
other.
And of course, while XML Signature is tailored to XML processing, it can
be used to sign any data, such as a PNG image.
XML Signature Supports XML Encryption and Key Management
XML Signature serves as the foundation for other ongoing W3C work
including XML Encryption, which provides a mechanism to secure parts of
XML documents, and XML Key Management, which provides a simple protocol
for lightweight XML applications to obtain the key necessary for
signature and encryption.
IETF/W3C Brings Together Industry Experts; Public Review
The XML Signature Working Group is the first joint W3C/IETF Working
Group, and is the first W3C technical Working Group to operate entirely
as a public group. This provided independent developers with a clear
window on the XML Signature work in all stages of development, and
brought a wide range of implementation experience. XML Signature already
enjoys significant support and deployment, as highlighted in the
testimonials.
Participants in the joint IETF/W3C Working Group included
representatives from organizations whose lead research and commercial
work in the area of digital signatures and security, including Accelio,
Baltimore, Capslock, Citigroup, Corsec, Georgia State University, IAIK
TU Graz, IBM, Microsoft, Motorola, Pure Edge, Reuters Health, Signio,
Sun Microsystems, University of Siegen, University of Waterloo, VeriSign
Inc., and XMLsec.
Testimonials
Baltimore has aggressively pushed the adoption of open standards and
interoperability since its inception. XML is proving to be a critical
enabling technology for the widespread adoption of digital security, and
XML Signatures are a fundamental component of these security
technologies. We are pleased to have played an active role in shaping
the XML Signature standard, and look forward to deploying it as a core
technology in our product offerings.
-- Merlin Hughes, Chief Technical Evangelist, Baltimore Technologies
Capslock is very pleased to see the XML-Signature Syntax become
officially approved and we are honored to have participated in the
successful process. XML-Signature allows interoperability and economical
broad-scale deployment of digital signatures in applications involving
business critical information, transactions and operational workflows.
Now, demands set forth by the actualoperational processes and
information structures can efficiently be answered by the technology,
for instance, by providing means for multiple signatures, as is often
required in applications. Implemented in the Ubisecure Signature
component, XML-Signature will be distributed as a standard part of
solutions and products provided by Capslock and our Partners.
-- Charles Sederholm, CEO, Capslock, Inc.
IBM applauds the cooperative effort between the IETF and the W3C that
led to the development XML Digital Signature. Open industry standards in
the security area are a top priority for our customers as we advance the
standardization program for Web services in 2002. XML Signature is a
critical foundational technology for the security work yet to come.
-- Robert S. Sutor, IBM Director of e-business Standards Strategy
Lexign endorses the XML Signature specification and is pleased to see it
approved as a W3C Recommendation. Lexign considers XML Signature to be
an essential part of its Web solution architecture. XML Signature allows
Lexign to extend the XML technology from the Forms, Workflow and Storage
components of its Suite to its digital signature and security
components, resulting in an open and extensible solution.
-- Tamir Orbach, CTO, Lexign
The release of XML Signature as a W3C Recommendation represents an
important stage in the development of secure XML Web services. By
using XML D-Sig, developers now have a mechanism for ensuring the
integrity of messages they send over unsecured networks. The W3C's
current work on XML Encryption will soon enable confidentiality, too.
Microsoft has been a strong supporter of these initiatives and is
pleased to announce that XML Signatures are a feature of Visual
Studio.NET and the .NET Framework.
-- Robert Wahbe, General Manager, XML Web services
Phaos Technology is excited to see the XML Signature 1.0 specification
progress to W3C Recommendation status. XML-DSIG lays a solid foundation
for XML security, upon which other important standards like XML
Encryption and XML Key Management are being built. With the widespread
use of XML in data communication, the crucial data
integrity capabilities provided by XML-DSIG are highly welcome. As a
leading provider of Java security software, Phaos is pleased to announce
its support for these strong new specifications with the introduction of
the Phaos XML Toolkit. As part of our continuing commitment to open
security standards, the Phaos XML Toolkit allows Java developers to
quickly and easily incorporate XML signatures and encryption into their
applications across a wide range of platforms and environments.
-- Ari Kermaier, Senior Software Engineer, Phaos Technology Corp.
PureEdge Solutions is very pleased that XML Signature has become a W3C
Recommendation. The collaborative and disciplined W3C process has
brought together the industry's best, resulting in a specification that
has the expressive power to handle the most demanding application
scenarios that we have encountered since first applying digital
signatues to XFDL in early 1998. We are honored to have participated in
co-authoring this specification, we are privileged to have worked with
the many dedicated professionals in the working group, and we look
forward to incorporating a best-of-breed implementation of XML Signature
into our XFDL-based Internet Commerce System product line.
-- John Boyer, Ph.D., Senior Product Architect, PureEdge Solutions
Inc.
The W3C XML Signature recommendation is a basic building block for
bringing trust and confidence to a wide range of new applications. The
abilities of using multiple signatures in workflow applications or
signing specific parts of structured documents will revolutionize the
way on how we use digital signatures. Embedding a signature into a
document brings us very close to the way we handle handwritten
signatures today. We hope that donating our open-source XML
Signature implementation to the XML Apache project will help to
wide-spread this emerging and important technology and be a trigger for
more academic research in the field of XML related security
technologies.
-- Christian Geuer-Pollmann, Committer to the XML Apache Project,
Institute for Data Communications Systems, University of Siegen
Strong security must be in place before the Internet promise of
inexpensive and pervasive B2B integration can be realized. Compromise in
the area of security has potentially serious legal, image and client
relationship implications - prospects our customers are well aware of
and concerned about. While numerous advances are occurring in the area
of Internet B2B Integration, advances in security have lagged behind.
XML payloads and Web Services architectures introduce additional
security challenges. The W3C XML Signature specification ensures the
integrity of information exchanged over the Internet in a standardized
manner to ensure interoperability. Sterling Commerce supports XML
Signature as vital in the protection of XML payloads in the next
generation Web Services integration scenarios. Our STERLING:Integrator
solution leverages XML Signature to provide both secure application and
Web Services oriented B2B integration.
-- Brian Gibb, Director, Standards & Applied Technology, Sterling
Commerce
Sun Microsystems strongly supports the publication of XML-Signature
Syntax and processing as a W3C Recommendation. Through the Java
Community Process, we are actively working with the Java(TM) Community
to define a standard high-level Java API for generating and validating
XML Signatures based on the W3C specification. We expect that the Java
XML Signature APIs will be an important building block for creating
secure web services.
-- Sean Mullan, Co-specification lead of JSR 105 (Java XML Digital
Signature API), and Raghavan Srinivas, Software Engineer; Sun
Microsystems
The advent of Web Services presents a need for a whole new type of
security. This sits at a higher level than firewalls or SSL - because
security applications for Web Services must be capable of "dipping into"
the stream of data which is passing through the web ports and checking
it against a list of security rules.The XML signature is an important
technology both in itself and as a vital enabler for this new
"intelligent" way of addressing security requirements.
-- Mark O'Neill, CTO at Web services security firm, Vordel
The XML Signature Recommendation is a break-through in Web security
technology. With its unique capabilities such as covering multiple
resources in one signature and being able to selectively include or
exclude what parts of documents are signed, XML Signature exemplifies
the incredible synergy of bringing XML and security together. HTML and
XML created a revolution in the usability and capability of the
Internet; now we are doing the same in the realm of security. XMLsec
Inc. applauds the W3C for the fine leadership it has shown in the area
of Web security including the latest initiatives in XML Encryption, XML
Key Management Services, and secure SOAP. 'XML Security is security
designed for the Web' and so XMLsec will continue to work with the W3C
to ensure trust and confidence in the Web.
-- Ed Simon, President and CEO, XMLsec Inc.
_________________________________________________________________
En Français:
La recommandation de XML Signature est un grand avancement en
technologie de sécurité de Web. Avec ses capacités uniques telles que
couvrir les ressources multiples dans une signature seule et pouvoir
sélectivement inclure ou exclure quelles parties de documents sont
signées, la XML Signature exemplifie la synergie incroyable de réunir
XML et sécurité. Le HTML et le XML ont créé une révolution dans la
accessibilité et la capacité de l'Internet; maintenant nous faisons
la même chose dans la zone de la sécurité. XMLsec Inc. applaudit le W3C
pour la conduite fine qu'il a montrée dans le domaine de la sécurité de
Web comprenant les dernières initiatives dans le chiffrement de XML (XML
Encryption), les services de gestion des clés de XML (XML Key Management
Services), et le SOAP sûr. La sécurité de XML est sécurité dessinée pour
le Web et ainsi XMLsec continuera à travailler avec le W3C pour assurer
la confiance en Web.
-- Ed Simon, President and CEO, XMLsec Inc.
About the World Wide Web Consortium [W3C]
The W3C was created to lead the Web to its full potential by developing
common protocols that promote its evolution and ensure its
interoperability. It is an international industry consortium jointly run
by the MIT Laboratory for Computer Science (MIT LCS) in the USA, the
National Institute for Research in Computer Science and Control (INRIA)
in France and Keio University in Japan. Services provided by the
Consortium include: a repository of information about the World Wide Web
for developers and users, and various prototype and sample applications
to demonstrate use of new technology. To date, over
500 organizations are Members of the Consortium. For more information
see http://www.w3.org/
###
Received on Thursday, 14 February 2002 10:03:17 UTC