The World Wide Web Consortium (W3C) has issued the XML Encryption Syntax and Processing specification and the Decryption Transform for XML Signature as W3C Recommendations, representing cross-industry agreement on an XML-based approach for securing XML data in a document. When exchanging sensitive data (e.g., financial or personal information) over the Internet, senders and receivers require secure communications. Although there are deployed technologies that allow senders and receivers to secure a complete data object or communication session, only W3C XML Signature (together with the new W3C XML Encryption Recommendation) permits users to selectively sign and encrypt portions of XML data. For example, a user of a Web services protocol such as SOAP may want to encrypt the payload part of the XML message but not the information necessary to route the payload to its recipient. Or, an XForms application might require that the payment authorization being digitally signed, and the actual payment method, such as a credit card number, be encrypted. And, of course, XML Encryption can be used to secure complete data objects as well such as such as an image or sound file. The associated “Decryption Transform for XML Signature” Recommendation permits one to use encryption with XML Signature. One feature of XML Signature is to ensure a document’s integrity: to detect if the document is altered. However, many applications require the ability to first sign an XML document and then encrypt parts of it, altering the document. The Decryption Transform lets the receiver know which portions of the document to decrypt, restoring the document to its unaltered state, before it can check the signature. XML Encryption was developed by the W3C XML Encryption Working Group, consisting of both individuals and the following W3C Members: Baltimore Technologies; BEA Systems; DataPower; IBM; Microsoft; Motorola; University of Siegen; Sun Microsystems; and VeriSign. www.w3.org

Share