News Release: World Wide Web Consortium Issues XML Encryption and Decryption Transform as W3C Recommendations

Today, W3C issues two Recommendations that, along with XML Signature, 
ensure the development of secure XML transactions, and provide the 
foundation for secure Web services applications. For more information, 
please contact the W3C Communications person in your region, or call me, 
Janet Daly, at +1 617 253 5884 <>


World Wide Web Consortium Issues XML Encryption and Decryption Transform
as W3C Recommendations

Combined with XML Signature, XML Encryption and Decryption Transform
Deliver Secure XML Documents

This document is on the Web at:

Testimonials from DataPower Technology; IBM; Phaos Technology 
Corporation; Microsoft Corporation; Sarvega, Inc.; webMethods, Inc.; 
XMLsec Inc.; and XML Security Library are also available at: -- 10 December 2002 -- The World Wide Web Consortium
(W3C) has issued the XML Encryption Syntax and Processing specification
and the Decryption Transform for XML Signature as W3C Recommendations,
representing cross-industry agreement on an XML-based approach for
securing XML data in a document.

A W3C Recommendation indicates that a specification is stable,
contributes to Web interoperability, and has been reviewed by the W3C
Membership, who favor its widespread adoption.

What is Encryption?

Encryption is the process of scrambling information such that it is only
readable by intended recipients, after unscrambling. While an encrypted
message or file may be accessible to a wide community, such as network
intermediaries, it is not meaningful to those intermediaries, or to
eavesdroppers who may be watching information packets travel across a
network. Encrypted data has been rendered opaque by mathematically
encrypting it in a way that makes it unreadable to anyone except those
possessing the secret, or "key" to decrypt it.

What is XML Encryption, and Why Is It Needed?

When exchanging sensitive data (e.g., financial or personal information)
over the Internet, senders and receivers require secure communications.
Although there are deployed technologies that allow senders and
receivers to secure a complete data object or communication session,
only W3C XML Signature (together with the new W3C XML Encryption
Recommendation) permits users to selectively sign and encrypt portions
of XML data. For example, a user of a Web services protocol such as SOAP
may want to encrypt the payload part of the XML message but not the
information necessary to route the payload to its recipient. Or, an
XForms application might require that the payment authorization being
digitally signed, and the actual payment method, such as a credit card
number, be encrypted. And, of course, XML Encryption can be used to
secure complete data objects as well such as such as an image or sound file.

The associated "Decryption Transform for XML Signature" Recommendation
permits one to use encryption with XML Signature. One feature of XML
Signature is to ensure a document's integrity: to detect if the document
is altered. However, many applications require the ability to first sign
an XML document and then encrypt parts of it, altering the document. The
Decryption Transform lets the receiver know which portions of the
document to decrypt, restoring the document to its unaltered state,
before it can check the signature.

XML Encryption Already Implemented, with Broad Support from Industry
Leaders and Cryptography Experts

Numerous applications and other specifications are already utilizing XML
Encryption, as shown in the Implementation and Interoperability Report
filed by the W3C XML Encryption Working Group. In particular, Web
services specifications that need to secure their payloads will be
utilizing this Recommendation. Many companies have stated support and
plans to implement XML encryption.

XML Encryption was developed by the W3C XML Encryption Working Group,
consisting of both individuals and the following W3C Members: Baltimore
Technologies; BEA Systems; DataPower; IBM; Microsoft; Motorola;
University of Siegen; Sun Microsystems; and VeriSign.

Testimonials for XML Encryption and Decryption Transform
These testimonials are in support of the W3C XML Encryption and Decrypt 
Transform Recommendations.

In English:DataPower Technology | IBM | Phaos Technology Corporation | 
Microsoft Corporation | Sarvega, Inc. | webMethods, Inc. | XMLsec Inc. | 
XML Security Library

In French: XMLsec Inc.

As a W3C member, DataPower Technology is firmly committed to the 
development of XML standards and increased XML adoption. DataPower views 
XML Encryption as a key component of the underlying XML-Aware network 
infrastructure that will enable XML Web Services adoption. DataPower 
believes the element level-privacy delivered by XML Encryption detailed 
in this Recommendation will help the industry move beyond transport 
layer security towards true application security required for successful 
XML Web Services implementations. As such, DataPower is including full 
support for XML encryption in its XML-Aware networking devices.

-- Rich Salz, Chief Security Architect, DataPower

XML Encryption is a key foundation technology and a crucial component of 
the Web services security stack. Combining XML Encryption with XML 
Digital Signature provides customers with a strong, base security 
technology they can build upon and incorporate into their Web services 
applications. IBM is committed to the development of open security 
standards and is pleased that XML Encryption has been approved as a W3C 

-- Kelvin Lawrence, Distinguished Engineer and CTO, Dynamic e-business 
Technology, IBM

Microsoft is pleased with the publication of XML Encryption as a W3C 
Recommendation. XML Encryption is a strong complement to the XML 
Signatures Recommendation released earlier this year, as well as other 
security-related specs under development, such as WS-Security. Microsoft 
is fully committed to driving and implementing interoperable standards 
for security on the Web and will support XML Encryption in the Microsoft 
.NET Framework.

-- David Treadwell, General Manager, .NET Developer Platform

Phaos Technology is very pleased to see the XML Encryption specification 
progress to the W3C Recommendation status. With the widespread use of 
XML in data exchange, the crucial data confidentiality capabilities 
provided by XML Encryption are highly welcome. We commend the W3C for 
its XML security efforts as they goes a long way towards facilitating 
the standardization of the security stack for Web Services, which should 
drive the adoption of Web Services. Phaos is pleased to announce its 
support for the new specifications. As part of our continuing commitment 
to open security standards, the Phaos XML Toolkit with full support for 
the standard is already shipping. Phaos has incorporated the W3C's XML 
Encryption and XML Signature as the core security technologies of our 
XML and Web Services security product lines.

-- Jiandong Guo, Senior Software Engineer, Phaos Technology Corporation

XML Encryption is an important security component in large scale XML and 
Web Services deployments. Sarvega pleased to endorse XML Encryption as a 
W3C recommendation. As the leading provider of XML Switches - XML 
infrastructure products that accelerate, secure and route XML; we look 
forward to deploying it in our product offerings.

-- Girish Juneja, Vice President, Engineering, Sarvega, Inc.

Before companies feel safe deploying Web services throughout their 
entire organizations, the issue of security must be addressed. The W3C's 
XML Encryption standard is a critical part of providing Web services 
security, and webMethods is pleased to endorse this standard. Our 
customers are aggressively adopting Web services as a key component in 
their integration strategy, and we will support XML Encryption in the 
webMethods integration platform, helping provide customers with peace of 
mind as they deploy the next generation of integration."

-- Andy Astor, Vice-President for Enterprise Web Services, webMethods, Inc.

The Web has quickly become the primary means of communication among 
diverse organizations and individuals; efficient processing of data 
based on information analysis is paramount but so is the protection of 
private information within that data. Confidential data within a dataset 
must be encrypted, while leaving the non-confidential data intact; the 
W3C XML Encryption Recommendation fulfills this essential requirement. 
Security is critical for advancing the Web, but pre-XML security is not, 
in itself, sufficient for the task. Fortunately, XML Security is 
security designed for the Web: XML Encryption and XML Signature 
(released earlier this year) enable security to be tailored to the 
structure and semantics of both XML and non-XML data. XMLsec 
congratulates the W3C on the release of the XML Encryption 
Recommendation and on its excellent stewardship in the area of XML Security.

-- Ed Simon, President and CEO, XMLsec Inc.

The W3C XML Encryption specification provides a simple and convenient 
way for protecting XML documents. Along with W3C's XML Digital Signature 
Recommendation it gives a basis for building the next generation of 
interoperable and secure Web services.

-- Aleksey Sanin, Author, XML Security Library

Le Web est rapidement devenu le moyen de communication principal parmi 
divers organismes et individus; le traitement efficace des données basé 
sur l'analyse de l'information est primordial, mais la protection de l' 
information privée qui en fait partie est aussi importante. Des données 
confidentielles dans un ensemble de données doivent être chiffrées, tout 
en laissant les données non-confidentielles intactes; la recommandation 
du W3C XML Encryption remplit cette condition essentielle. La sécurité 
est critique pour la progression du Web, mais la sécurité avant 
l'arrivée de XML n'était pas toujours suffisante à la tâche. 
Heureusement, la sécurité de XML est conçue pour le Web : XML Encryption 
et XML Signature (relâchée plus tôt cette année) permettent d'adapter 
les mesures de sécurité en fonction la structure et les sémantiques des 
données XML et des données non-XML. XMLsec félicite le W3C sur la 
diffusion de la recommandation du XML Encryption et sur son excellente 
gérance dans le domaine de la sécurité XML.

-- Ed Simon, Président et CEO, XMLsec Inc.

Contact Americas, Australia --
	Janet Daly, <>, +1.617.253.5884 or +1.617.253.2613
Contact Europe --
	Marie-Claire Forgue, <>, +33.492.38.75.94
Contact Asia --
	Saeko Takeuchi <>, +81.466.49.1170

About the World Wide Web Consortium [W3C]

The W3C was created to lead the Web to its full potential by developing
common protocols that promote its evolution and ensure its
interoperability. It is an international industry consortium jointly run
by the MIT Laboratory for Computer Science (MIT LCS) in the USA, the
National Institute for Research in Computer Science and Control (INRIA)
in France and Keio University in Japan. Services provided by the
Consortium include: a repository of information about the World Wide Web
for developers and users, and various prototype and sample applications
to demonstrate use of new technology. To date, nearly 450 organizations
are Members of the Consortium. For more information see

Received on Tuesday, 10 December 2002 10:09:57 UTC