W3C Recommends XML Signature Syntax
__past__ writes: "The W3C released a recommendation on XML Signature Syntax and Processing. The interesting point is not only that this is quite an important step for secure XML processing (especially with regard to web services), but also that there are some possibly ugly patent issues."
Patents really have shifted from implementation to idea in the software world, it seems.
And doesn't the W3C accept RAND-licensed patents now as W3C-endorsed standards? (I can't recall if that went through or not.)
"Old man yells at systemd"
but I don't see how the W3C should have any jurisdiction over it. They are a Web standards body and they should leave satellite radio alone.
Ignore the problem and it goes away!
Got friends?
Yet another dull-as-dish recommendation from the W3C, not even a reference implementation to play with.
Ever since they have gone XML-with-everything they have produced ineffectual standards that are not followed by anybody as they are a pain in the ass to implement. It is no wonder that M$ and Sun prefer to create de facto standards instead of waiting for these guys to actually do anything. The killer app is the way to create standards and it's been a dozen years since we've seen one from the W3.
The W3C should either get unrestricted free rights to XML Signature or find a new way of doing it. "Most patents are just logical extensions of existing ideas wrapped in legalese to sound different"
Shaun
The W3C recommending XML? This is the most shocking thing since Skate Gate
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
Actually, I'd give this a +0.5 funny and a +0.5 obscure, but it totals to +1 both ways.
Besides, my rating system is just a figment of my imagination, right?
-- MarkusQ
What I am nervous about is that with the advance towards more sophisticated technologies, the earlier, simpler technologies will be "obsoleted". This may have implications for the democracy of the web slowly going away, because only experts can do what used to be an everyman task.
"It is a greater offense to steal men's labor, than their clothes"
If you want more information about XML Signature, just check this article
http://www.xml.com/pub/a/2001/08/08/xmldsig.html
So, as I understand it, a working group (WG) member creates a standard and then says, "Oh, hey, great standard guys, but now you're all going to have to pay me for it".
Is this not a conflict of interest? Should the WG member be immediately voted off? Perhaps they should be tarred and feathered, run out of town on a rail?
I prefer the latter approach, it may reduce the number of bogus patent claims.
Alan.
TBJ, thank you for the warm welcome, and I hope I can live up to the standards presented by you.
As for goatse, I'm saddened to hear the site's gone. It was an informative site, and the pictures reinforced my want not to be a photographer.
So, you release a standard that has a number of patent questions surrounding it...hmmmm, let's see how many people jump at the opportunity to adopt something for which they could be sued or made to pay unknown license fees....
Another thought: Can I patent the idea of patentable standards? Sounds like a business model to me...
"What we have here, is a failure to communicate." - Cool Hand Luke
Many XML advocates try to kill 3 birds with one stone:
Personally I wish that if there had to be one standard syntax for human-readable data representation & code it was at least something sensible like LISP - at least then I can do paren-matching in my text editor. As for markup, SGML does have many advantages (the only disadvantage from XML is its alleged complexity), and as for storage, you can use actual databases to put our data in (you can argue the toss about RDBMS vs ORDBMS/XMLDBMS, though I think traditional RDBMS are fine really).
Really though I hope people will learn to use lex/Yacc and choose a syntax or structure most appropriate for their needs. I have seen many a programming team replace a syntax that works with XML syntax because it is seen to be more modern. To me this is throwing out the baby with the bathwater.
Even I can do it.
--
DNA is the ultimate spaghetti code.
XML Signatures can be applied to any digital content (data object), including XML.
Surprise !
A useful framework for some types of data it may be (specifically, markup data), but I feel that XML is too often used outside the scope of its main strengths. Specifically, object serialisation, transmission and other such protocols are handled more elegantly by ASN.1, Java serialisation (which can just as easily become a standard for other languages) or just rolling your own, program semantics by LISP syntax etc.
Far too often W3 encourage the blinkered approach that XML is the only way to express things. Stuffing base64-encoded strings into markup tags to be parsed at the other end is just not convenient and I think it can be done better.
Those who say that XML is simple are IMO not correct. XML can be very complex; you cannot just make up new tags - they have semantic value in respect to a given target. This means that you have to have a target application that understands your XML, not much simplicity there. XML is not a language, it's a syntax. The syntax is easy, agreed, but implementations may have any complexity level.
XHTML is an XML schema. It's HTML that's valid XML, ie. it conforms to the XHTML DTD/Schema. For most it suffices that it's well-formed XML and as such can be parsed into a DOM tree by any XML parser.
Unable to read configuration file '/bigassraid/htdig//conf/14229.conf'
Geocrawler error message.
Why indeed would the W3C produce a reference - but that's not what he said. He simply said "there was no reference implementation" by ANYONE (or at least that was the impression I got).
When the XML standard was being hammered out, there were a number of reference implementations. What he's complaining about (and I agree with) is standards developed out of thin air, without any kind of reference to help give the thing solid footing. A lot of ideas sound great on paper but need to be tweaked to make implementations practical AND USABLE. I'm not sure I've seen a single standard I liked that did not have a reference implementation developed along with the standard.
That said, I've not looked at the spec itself (yet) so it might be great for all I know.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The web browser was the W3's (or, as it was, CERN's) big killer app. In the good old days they used to actually make things to prove that their standards would lead to useful technology. Do you really believe that the W3 should solely chair committee meetings and never get their hands dirty? Can good technology be designed in a vacuum? There is no separate world of "standards bodies" here and "software houses" there - the most successful way to create a standard is to lead by example, and release a reference implementation. Presumably the W3 must have a prototype implementation somewhere; if they released it, more people might take their standards seriously. As it stands, a standard with no implementation can only be evaluated by speculating about its theoretical merits - which is a risky strategy.
I would hope that the community and the possible "patent holders" allow for this to go forward. There really is a need for such a technology in the XML/Web Services space.
Having the ability to sign a document, or even a fragment of a document, allows for customers to "trust" that document and its contents. Sure https/ssl is a good way to "secure" the data during transit. But how can you be sure (currently) that the document I am sending you contains the proper information?
Think of this in a B2B e-commerce setup. I can send you my pricing sheets, in XML format, and you can be sure that they are really the proper pricing, and can be assured of the "current" availability. In the same XML document, I can include reviews and any other pertinent information about a given product. Digitally signed and verified from a trusted third-party source. My customers are now not worried that I am trying to push a product line by falsifying results, and I am providing them with content for their catalogs...
To me, if it makes it through any "patent problems" this could be a very good thing ;)
-ryan
In the good old days, XML was simple, but this is no longer the case as the W3C has created more and more complex standards that seem to require a Ph.D. to understand.
- Want to specify a structure for your XML? XML Schemas
- Want to query XML? XQuery
- Want to transform XML to some other format? XSLT
- Want to use XML as a transfer format for RPC calls? SOAP.
- Want to create links between XML documents? XPointer, XLink, and XML:Base are all needed.
- Want to include XML files in each other? XInclude
Many of the above standards are rather complex and difficult for most people to understand completely. This is besides the stuff one has to understand about XML Infoset and XML namespaces to fully understand how to use XML properly.
DISCLAIMER: The opinions in the above post are MINE ALONE and do not reflect the opinions, intentions or strategies of my employer.
Any concept sounds simple at first; for example, football (in England) is about "kicking a ball into a net". Similarly, putting "straight text in tags" seems straightforward at first but the complexity comes from the process required to implement a system around XML. Firstly, you need an XML parser - which is surprisingly non-trivial to write as there are many rules. Secondly, if you need to encode binary data, you have to use MIME or similar. Next, you need to write objects to receive XML data from the parser, as data cannot be read directly from the XML document itself (e.g. you have entities). XML-based programs, in my experience, tend to be unnecessarily unwieldy as XML is poor for representing data structure and does need parsing/serialisation to be used. For these reasons, a binary tag/length/data random access format will always win out eventually in terms of simplicity.
"The Digital Handshake Server Suite is iLumin's patent-pending, end-to-end, enforceable online transaction technology.... The Digital Handshake technology employs digital signatures, XML and Web-enabled applications to create the first end-to-end, fully automated and legally binding business closure process." Guess since they are patenting it there won't be a second one.
I think we know what a W3C reference implementation looks like.
any available yet?
This thread has carried some interesting questions regarding XML Signature. I hope this will answer some of them.
Implementation Experience for XML Signature
http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html
XML Signature has at least 11 known implementations at the time of publication, including an open source implementation as part of the XML Apache work. (I am resisting the urge to use the subject line, "This one goes up to 11.")
See Apache for more info on their implementation.
http://xml.apache.org/security/
Patent Policy/ Patents in general:
This is an older WG and a joint WG with the IETF and it follows the policies of the (early) W3C and IETF requirements: both of these require disclosure first and foremost. If you think IETF bans RAND, you need to read this document:
http://www.ietf.org/rfc/rfc2026.txt
It's how the IETF does its work; and section 10 is all about IPR.
10.3.2. Standards Track Documents
(A) Where any patents, patent applications, or other proprietary rights are known, or claimed, with respect to any specification on the standards track, and brought to the attention of the IESG, the IESG shall not advance the specification without including in the document a note indicating the existence of such rights, or claimed rights. Where implementations are required before advancement of a specification, only implementations that have, by statement of the implementors, taken adequate steps to comply with any such rights, or claimed rights, shall be considered for the purpose of showing the adequacy of the specification.
(B) The IESG disclaims any responsibility for identifying the existence of or for evaluating the applicability of any claimed copyrights, patents, patent applications, or other rights in the fulfilling of its obligations under (A), and will take no position on the validity or scope of any such rights.
In short, anything in the IETF is okay, provided you document, and the IESG claims no responsibility for either searching for patents which may be relevant to the work, or in evaluation of others claims. Forking the work to the IETF won't make any difference, given their policy is more permissive than the developing W3C policy.
Speaking of which...
The W3C chartered the sister WG (XML Encryption) as an explicit Royalty Free WG. See the charter:
http://www.w3.org/Encryption/2001/10/xmlenc-charter.html#_IPR
Patent Disclosures
The key thing is that both organizations do place emphasis on disclosure, though none of these members have stated that they hold patents directly relevant to this spec. The analysis, as you know, takes time.
Quoting from elsewhere, a statement from Joseph Reagle, the co-chair of the XML Signature and XML Encryption WGs:
http://xmlhack.com/read.php?item=1539&v=1&t=comment%3A309
Re: XML-Signature Recommendation, Exclusive Canonicalization
Candidate (Joseph Reagle (W3C Co-Chair) - 15:26, 15 Feb 2002)
Unfortunately, it's difficult for the patent status of *anything* to be very clear.
(It's like proving a negative: God doesn't exist.) The only clear patent status IMHO is one that has been upheld in court or otherwise considered uncontestable, and its license has been publicly exercised by many implementors.
Regardless, there are a few ambiguous statements from a few years back that folks should be aware of, but I'm not personally aware of any specific claims of infringement or licenses with respect to the 12+ implementations.
The classes implementing XMLDSIG are located in the System.Security.Cryptography.Xml namespace in the System.Security.dll assembly.
--bal
The beauty of XML lies not just in its simplicity, but also its flexibility. Naturally people are using this flexibility to implement sophisticated applications -- and writing complicated descriptions of these applications. But none of these things makes XML itself more complex. You might as well say that RISC chips, such as PowerPC, stopped being simple when people started using them to emulate Pentiums!
Having spent the last 6 months on the implementation of "PACCO", which is going to be released under the LGPL, I'd like to share some views :-) You can apply digital signatures to SOAP messages and remote procedure calls (marshalling too). It's interesting; we could use this to distribute computation in a "secure" way (B. Schneier forgive me).
1) W3C generates standards too fast, so often every recommendation has a proprietary information model (infomodel(DOM) != infomodel(XPath)! etc.)
2) The recommendation relies too much on the URI (URL in practice) to indicate the signed resource; it's quite arguable and somewhat breakable
3) XML DSig only produces a signature value: no key management, no encryption (=> your messages will be in the clear), so if you want a full PKI based on XML (at your own risk) you have to wait for other W3C groups to produce a recommendation (they exist but started only in 2001)
4) 2 interesting things that you are able to do with an implementation of XML DSig:
* Sign SOAP, XML-RPC (they are XML)
* Sign everything (also non-XML); in particular we tested with mp3 and created a naive p2p client
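An added example (not the poster's PACCO code) illustrating points 2 and 4 above: a verifier for the ds:Reference digests of detached, non-XML objects such as an mp3, which resolves the URI only against data it already holds and rejects anything it does not understand (a Transform, an unknown DigestMethod, an unknown URI). The example.invalid URIs and the sample bytes are constructed; signing of SignedInfo itself is omitted.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# DigestMethod identifiers defined by XML Signature / XML Encryption.
DIGESTS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}


def build_signed_info(objects):
    """Constructed helper: ds:SignedInfo with one detached SHA-256 Reference
    per (uri, data) pair.  A real signer would then sign this element."""
    refs = "".join(
        f'<Reference URI="{uri}">'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f"<DigestValue>{base64.b64encode(hashlib.sha256(data).digest()).decode()}"
        "</DigestValue></Reference>"
        for uri, data in objects.items()
    )
    return f'<SignedInfo xmlns="{DS}">{refs}</SignedInfo>'


def check_references(signed_info_xml, resolver):
    """Return {URI: bool}.  True only when the DigestValue equals the digest of
    the bytes *our* resolver holds for that URI; the verifier never fetches."""
    root = ET.fromstring(signed_info_xml)
    verdicts = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        method = ref.find(f"{{{DS}}}DigestMethod")
        value = ref.find(f"{{{DS}}}DigestValue")
        hasher = DIGESTS.get(method.get("Algorithm")) if method is not None else None
        # Unsupported or unresolvable input is a failed reference, not a pass.
        if (ref.find(f"{{{DS}}}Transforms") is not None or hasher is None
                or value is None or uri not in resolver):
            verdicts[uri] = False
            continue
        expected = base64.b64decode(value.text.strip())
        actual = hasher(resolver[uri]).digest()
        verdicts[uri] = hmac.compare_digest(actual, expected)
    return verdicts


# Constructed sample: a price list and a fake mp3 header, both detached objects.
SAMPLE = {
    "http://example.invalid/prices.xml": b"<prices><item sku='1' price='9.99'/></prices>",
    "http://example.invalid/track.mp3": b"ID3\x03\x00" + b"\x00" * 16,
}
```

Running `check_references(build_signed_info(SAMPLE), SAMPLE)` reports every reference as intact, while the same SignedInfo checked against a resolver holding an altered price list flags only that URI.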
The "better looking documents" claim is a completely different issue. Instead, the separation makes it harder to accumulate terabytes of legacy documents with invalid syntax. Quality of presentation is orthogonal to that.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...