XML Security Standards: XML Signature

Because XML is proliferating in applications both on the Internet and on the workstation, there are many initiatives under way to apply security technologies to XML data. This week I'll begin with a look at XML Signature.

Some time ago, the W3C recognized the need to provide a mechanism to control or manage the data that is passed and presented in XML transactions. The primary requirements for data in transit are completeness and accuracy (integrity). XML Signature is shaping up to be the simplest way to guarantee these objectives.

XML Signature defines the syntax required to sign all or part of an XML instance. XML, with its extensive capabilities, extreme flexibility, and whitespace rules, doesn't lend itself well to the needs of digital signatures, where a misplaced space results in a completely different fingerprint that is unverifiable. To address these issues, the use of canonicalization has been introduced. Defined in a W3C document called Canonical XML, canonicalization follows a set of processing rules to structure an instance of XML into its simplest form. The goal is to ensure that instances are structured the same way every time, ensuring that digital signatures won't be confused due to stylistic differences such as misplaced spaces.

The core generation process of signing an XML instance begins with canonicalization to simplify the data contents. The rest of the signing process is similar to the typical digital signature process. The digest value, or fingerprint, of the data contents is created using a digest method. This digest value is then signed with an entity's private key.

For signature verification, XML Signature provides for a core validation process with two steps. First, the signature is validated to ensure the authentication and non-repudiation of the person or process that signed the data. Second, the digest value is verified to ensure that the data hasn't changed, thus confirming content integrity.
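The canonicalization and digest steps described above, as an added example that is not part of the original article. It uses Python's standard-library `xml.etree.ElementTree.canonicalize`, which implements Canonical XML 2.0 (a later revision of the Canonical XML rules); SHA-256 as the digest method, the sample documents, and the function names are assumptions, and the private-key signing step is left out.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample inputs: the same order serialized two ways. They differ
# only in style: attribute order, quote characters, spacing inside the start
# tag, and the empty-element form of <item>.
DOC_A = '<order id="42" currency="USD"><item sku="A1"/><total>10.00</total></order>'
DOC_B = ("<order  currency='USD'   id='42' ><item sku='A1'></item>"
         "<total>10.00</total></order>")
# Constructed tampered copy: the content of <total> really has changed.
DOC_TAMPERED = ('<order id="42" currency="USD"><item sku="A1"/>'
                '<total>99.00</total></order>')


def raw_digest(xml_text):
    """Digest of the bytes exactly as serialized (no canonicalization)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text):
    """Canonicalize first, then digest: the order the signing process uses."""
    canonical = canonicalize(xml_data=xml_text)  # returns the canonical string
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def digest_matches(xml_text, expected_digest):
    """Second validation step: recompute the digest and compare it."""
    return hmac.compare_digest(canonical_digest(xml_text), expected_digest)


if __name__ == "__main__":
    print("canonical form :", canonicalize(xml_data=DOC_B))
    print("raw digests equal      :", raw_digest(DOC_A) == raw_digest(DOC_B))
    reference = canonical_digest(DOC_A)  # value a signer would place under signature
    print("restyled copy verifies :", digest_matches(DOC_B, reference))
    print("tampered copy verifies :", digest_matches(DOC_TAMPERED, reference))
```

Whitespace inside element content is still significant after canonicalization, so reformatting that adds indentation between elements changes the digest.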

XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.

Next week I'll look at the structure of an XML signature.
