Slashdot Mirror
W3C Recommends XML Signature Syntax
__past__ writes: "The W3C released a recommendation on XML Signature Syntax and Processing. The interesting point is not only that this is quite an important step for secure XML processing (esp. with regarding to web services), but also because there are some possibly ugly patent issues."
Patents really have shifted from implementation to idea in the software world, it seems.
And doesn't the W3C accept RAND licensed patents now a W3C endorsed standards? (I can't recall if that went through or not.)
"Old man yells at systemd"
but I don't see how the W3C should have any jurisdiction over it. They are a Web standards body and they should leave satellite radio alone.
Yet another dull-as-dish recommendation from the W3C, not even a reference implementation to play with.
Ever since they have gone XML-with-everything they have produced ineffectual standards that are not followed by anybody as they are a pain in the ass to implement. It is no wonder that M$ and Sun prefer to create de facto standards instead of waiting for these guys to actually do anything. The killer app is the way to create standards and it's been a dozen years since we've seen one from the W3.
After a decade or so, yeah... But just wait till the 150 year patent comes around like the 150 year copyright.
Damn Mickey all to hell!
Rod Taylor
The W3C should eather get unrestricted free rights the XML Signature or find a new way of doing it. "Most patents are just logical extensions of existing ideas wrapped in legaleze to sound different"
Shaun
Damn Mickey all to hell!
I'll second that.
Lat night, Valentine's day, my wife wanted a copy of a Disney movie as a gift.
"Anything... *anything* else," I urged her. I told her about the SSSCA and how much influence Disney had had in pushing that as far as it's gotten. I told her about all the other crap that disney has been responsible for. The company pisses on its user's rights and then expects to be a loved 'Family' company.
Whatever.
Despite the fact that they have produced some compelling animation in recent years, I just can't spend money on Disney products any more. It makes me feel sick to my stomach to think that the 18.95 I spent on the 'Hunch-back of Notre Dame' will one day have helped push through the SSSCA, making it impossible for people to watch media in anything other than a Disney-approved manner.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
Actually, I'd give this a +0.5 funny and a +0.5 obscure, but it totals to +1 both ways.
Besides, my rating system is just a figment of my imagination, right?
-- MarkusQ
150 patents would be the best thing to happen to this world. A few people who be sticking rich and basically own a crud load of what should be public domain, the pressure will build, and a revolution would come. I'm more frusterated by how the system is ignoring its own problems by way of settlements. Nothing gets solved, issues don't get addressed, and as long as enough big players don't suffer, we'll keep seeking jobs from them instead of picking up our torches and pitchforks and solving the problem.
"Old man yells at systemd"
What I am nervous about is that with the advance towards the more sophisticated technologies, the earlier simpler technologies will be "obsoleted". This may have implications for the democracy of the web slowing going away because only experts can do what used to be an everyman task.
"It is a greater offense to steal men's labor, than their clothes"
If you want more information about XML Signature, just check this article
http://www.xml.com/pub/a/2001/08/08/xmldsig.html
>Ignore the problem and it goes away!
It surely wont go away. In fact, if you ignore the problem our federal govt will do what people that DO NOT ignore the problem suggest they do. The federal govt is currently debating this issue as we speak.
The US is already conforming to the rest of the world on patent matters (e.g., publishing applications after 18 months). so if you want your voices to be heard.. contact congress.
Here is a link on patent legislation in various countries and how the US interacts with them.
Click here!!!
So, as I understand it, a working group (WG) member creates a standard and then says, "Oh, hey, great standard guys, but now you're all going to have to pay me for it".
Is this not a conflict of interest? Should the WG member be immediately voted off? Perhaps they should be tarred and feathered, run out of town on a rail?
I prefer the latter approach, it may reduce the number of bogus patent claims.
Alan.
So, you release a standard that has a number of patent questions surrounding it...hmmmm, let's see how many people jump at the opportunity to adopt something for which they could be sued or made to pay unknown license fees....
Another thought: Can I patent the idea of patentable standards? Sounds like a business model to me...
"What we have here, is a failure to communicate." - Cool Hand Luke
Many XML advocates try to kill 3 birds with one stone:
Personally I wish that if there had to be one standard syntax for human-readable data representation & code it was at least something sensible like LISP - at least then I can do paren-matching in my text editor. As for markup, SGML does have many advantages (the only disadvantage from XML is its alleged complexity), and as for storage, you can use actual databases to put our data in (you can argue the toss about RDBMS vs ORDBMS/XMLDBMS, though I think traditional RDBMS are fine really).
Really though I hope people will learn to use lex/Yacc and choose a syntax or structure most appropriate for their needs. I have seen many a programming team replace a syntax that works with XML syntax because it is seen to be more modern. To me this is throwing out the baby with the bathwater.
XML Signatures can be applied to any digital content (data object), including XML.
Surprise !
A useful framework for some types of data it may be (specifically, markup data), but I feel that XML is too often used outside the scope of its main strengths. Specifically, object serialisation, transmission and other such protocols are handled more elegantly by ASN.1, Java serialisation (which can just as easily become a standard for other languages) or just rolling your own, program semantics by LISP syntax etc.
Far too often W3 encourage the blinkered approach that XML is the only way to express things. Stuffing base64-encoded strings into markup tags to be parsed at the other end is just not convenient and I think it can be done better.
Those who say that XML is simple are IMO not correct. XML can be veru complex, you cannot just make up new tags - they have semantic value in respect to a given target. This means that you have to have a target application that understands your XML, not much simplicity there. XML is not a language, it's a syntax. The syntax is easy, agreed, but implementations may have any complexity level.
XHTML is an XML schema. It's HTML that's valid XML, ie. it conforms to the XHTML DTD/Schema. For most it suffices that it's well-formed XML and as such can be parsed into a DOM tree by any XML parser.
Unable to read configuration file '/bigassraid/htdig//conf/14229.conf'
Geocrawler error message.
Why indeed would the W3C produce a reference - but that's not what he said. He simply said "there was no reference implementation" by ANYONE (or at least that was the impression I got).
When the XML standard was being hammered out, there were a number of refence implemnetations. What he's complaiing about (and I agree with) is standards developed out of thin air, without any kind of reference to help give the thing solid footing. A lot of ideas sound great on paper but need to be tweaked to make implementations practical AND USABLE. I'm not sure I've seen a single standard I liked that did not have a reference implementation developed along with the standard.
That said, I've not looked at the spec itself (yet) so it might be great for all I know.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The web browser was the W3's (or, as it was, CERN's) big killer app. In the good old days they used to actually make things to prove that their standards would lead to useful technology. Do you really believe that the W3 should solely chair committee meetings and never get their hands dirty? Can good technology be designed in a vacuum? There is no seperate world of "standards bodies" here and "software houses" there - the most successful way to create a standard is to lead by example, and release a reference implementation. Presumably the W3 must have a prototype implementation somewhere; if they released it, more people might take their standards seriously. As it stands, a standard with no implementation can only be evaluated on by speculating about its theoretical merits - which is a risky strategy.
I would hope that the community and the possible "patent holders" allow for this to go forward. There really is a need for such a technology the XML/Web Services space.
Having the ability to sign a document, or even a fragment of a document, allows for customers to "trust" that document and its contents. Sure https/ssl is a good way to "secure" the data during transit. But how can you be sure (currently) that the document I am sending you contains the proper information?
Think of this in a b2b ecommerce setup. I can send you my pricing sheets, in xml format, you can be sure that they are really the proper pricing, and can be assured of the "current" availablity. In the same XML document, I can include reviews and any other pertanant infromation about a given product. Digitally signed and verified from a trusted third party source. My customers are now not worried that I am trying to push a product line by falsifing results, and I am providing them with content for there catalogs...
To me, if it makes it through any "patent problems" this could be a very good thing ;)
-ryanIn the good old days, XML was simple but this is no longer the case as the W3C has created more and more complex standards that seem to require a P.hD to understand.
- Want to specify a structure for your XML? XML Schemas
- Want to query XML? XQuery
- Want to transform XML to some other format? XSLT
- Want to use XML as a transfer format for RPC calls? SOAP.
- Want to create links between XML documents? XPointer, XLink, and XML:Base are all needed.
- Want to include XML files in each other? XInclude
Many of the above standards are rather complex and difficult for most people to understand completely. This is besides the stuff one has to understand about XML infoset and XML namespaces to fully understand how to use XML properly.DISCLAIMER: The opinions in the above post are MINE ALONE and do not reflect the opinions, intentions or strategies of my employer.
Any concept sounds simple at first; for example, football (in England) is about "kicking a ball into a net". Similarly, putting "straight text in tags" seems straightforward at first but the complexity comes from the process required to implement a system around XML. Firstly, you need an XML parser - which is surprisingly non-trivial to write as there are many rules. Secondly, if you need to encode binary data, you have to use MIME or similar. Next, you need to write objects to receive XML data from the parser, as data cannot be read directly from the XML document itself (e.g. you have entities). XML-based programs, in my experience, tend to be unnecessarily unwieldy as XML is poor for representing data structure and does need parsing/serialisation to be used. For these reasons, a binary tag/length/data random access format will always win out eventually in terms of simplicity.
I think we know what a W3C reference implementation looks like.
This thread has carried some interesting questions regarding XML Signature. I hope this will answer some of them.
i nt erop.html
e r.html#_IPR
m en t%3A309
Implementation Experience for XML Signature
http://www.w3.org/Signature/2001/04/05-xmldsig-
XML Signature has at least 11 known implmentations at the time of publication, including an open source implementation as part of the XML Apache work. (I am resisting the urge to use the subject line, "This one goes up to 11.")
See Apache for more info on their implementation.
http://xml.apache.org/security/
Patent Policy/ Patents in general:
This is an older WG and a joint WG with the IETF and it follows the policies of the (early) W3C and IETF requirements: both of these require disclosure first and foremost. If you think IETF bans RAND, you need to read this document:
http://www.ietf.org/rfc/rfc2026.txt
It's how the IETF does its work; and section 10 is all about IPR.
10.3.2. Standards Track Documents
(A) Where any patents, patent applications, or other proprietary rights are known, or claimed, with respect to any specification on the standards track, and brought to the attention of the IESG, the IESG shall not advance the specification without including in the document a note indicating the existence of such rights, or claimed rights. Where implementations are required before advancement of a specification, only implementations that have, by statement of the implementors, taken adequate steps to comply with any such rights, or claimed rights, shall be considered for the purpose of showing the adequacy of the specification.
(B) The IESG disclaims any responsibility for identifying the existence of or for evaluating the applicability of any claimed copyrights, patents, patent applications, or other rights in the fulfilling of the its obligations under (A), and will take no position on the validity or scope of any such rights.
In short, anything in the IETF is okay, provided you document, and the IESG claims no responsibility for either searching for patents which may be relevant to the work, or in evaluation of others claims. Forking the work to the IETF won't make any difference, given their policy is more permissive than the developing W3C policy.
Speaking of which...
The W3C chartered the sister WG (XML Encryption) as an explicit Royalty Free WG. See the charter:
http://www.w3.org/Encryption/2001/10/xmlenc-chart
Patent Disclosures
The key thing is that both organizations do place emphasis on disclosure, though none of these members have stated that they hold patents directly relevant to this spec. The analysis, as you know, takes time.
Quoting from elsewhere, a statement from Joseph Reagle, the co-chair of the XML Signature and XML Encryption WGs:
http://xmlhack.com/read.php?item=1539&v=1&t=com
Re: XML-Signature Recommendation, Exclusive Canonicalization
Candidate (Joseph Reagle (W3C Co-Chair) - 15:26, 15 Feb 2002)
Unfortunately, it's difficult for the patent status of *anything* to be very clear.
(It's like proving a negative: God doesn't exist.) The only clear patent status IMHO is one that has been upheld in court or otherwise considered uncontestable, and it's license has been publically excercised by many implementors.
Regardless, there are a few ambigous statements from a few years back that folks should be aware of, but I'm not personally aware of any specific claims of infringement or licenses with respect to the 12+ implementations.
The classes implementing XMLDSIG are located in the System.Security.Cryptography.Xml namespace in the System.Security.dll assembly.
--bal
Control Control Control ..did i forget something
We have it
Yeah i did notice it was posted by an anonamous coward but even i talk to cowards Digital signatures are retrictive I thought XML was a universal language If XML wants to change the rules half way through the game thats considered bad upmanship XML will not succeed if it isolates the open source community it will be the death of the language
The beauty of XML lies not just in its simplicity, but also its flexibility. Naturally people are using this flexibility to implement sophisticated applications -- and writing complicated descriptions of these applications. But none of these things makes XML itself more complex. You might as well say that RISC chips, such as PowerPC, stopped being simple when people started using them to emulate Pentiums!
The "better looking documents" claim is a completely different issue. Instead, the separation makes it harder to accumulate terabytes of legacy documents with invalid syntax. Quality of presentation is orthogonal to that.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...