W3C Recommends XML Signature Syntax

__past__ writes: "The W3C released a recommendation on XML Signature Syntax and Processing. The interesting point is not only that this is quite an important step for secure XML processing (esp. with regarding to web services), but also because there are some possibly ugly patent issues."

scary

[SirSlud]

Patents really have shifted from implementation to idea in the software world, it seems.

And doesn't the W3C accept RAND licensed patents now a W3C endorsed standards? (I can't recall if that went through or not.)

Re:scary

[j7953]

It's even more scary for me. I live in Germany, where digital signature are treated almost equally to normal signatures in many areas (the laws are based on European legislation, so other European Union member countries should have similar laws). Digital signatures aren't widely used yet, but I think you'll agree that such laws have lots of potential uses.

I am, however, very worried about legally binding signatures being subject to patent issues. Signatures are commonly used to sign contracts of high legal importance, where at least one party wants to have written proof of the contract. Having digital signatures convered by patents will make free software implementations more difficult or even impossible, and the idea that signing a contract will be possible only in ways that the signees don't completely undestand and cannot fully control (because the implementation is proprietary) certainly doesn't sound like a good idea for a democracy.

W3C / XML brain damage

[brenfern]

Yet another dull-as-dish recommendation from the W3C, not even a reference implementation to play with.

Ever since they have gone XML-with-everything they have produced ineffectual standards that are not followed by anybody as they are a pain in the ass to implement. It is no wonder that M$ and Sun prefer to create de facto standards instead of waiting for these guys to actually do anything. The killer app is the way to create standards and it's been a dozen years since we've seen one from the W3.

what made the web work

[Alien54]

with the progress towards XML, etc. the WWW is moving away from those things that made the explosion of the WWW possible. The inherent simplicity in HTML, as something you could get the basics of in a few days of mild effort, or in a morning, if you were ambitious, is disappearing.

What I am nervous about is that with the advance towards the more sophisticated technologies, the earlier simpler technologies will be "obsoleted". This may have implications for the democracy of the web slowing going away because only experts can do what used to be an everyman task.

Re:what made the web work

[NineNine]

Simplicity? XML is about as simple as you can get. XML is just straight text in tags similar to HTML. Of course, it's only go to do with data transfer, but XML is generally very simple. And for those people who don't know "data" from a hole in thr ground, there's no reason to use XML in the first place.

Re:what made the web work

[ichimunki]

What a load. HTTPS is a transport protocol. This spec is about signing stuff so that it can be authenticated against a key, not encrypting it during transmission.

Re:what made the web work

Let me disagree here. Sure the syntax is relatively simple - although even that could be dumbed down - but what it describes is kind-of complicated. XML describes a graph, but it does so with three kinds of edges. Subelement relationships let one define a tree, attribute relations are a different type of edge that can only be used at the end of the tree, and then one can introduce cycles with IDREFs.

From a semi-structured data point of view, all that's needed is one type of edge, which would make things much easier to reason about.

Ordering is another point of contention. Attributes are not ordered, but subelements are. Messy.

The crux of the problem with XML is that it was invented by structured document folks (as a simplified successor to SGML) and then later latched on to by the database folks who realized that it looked like semi-structured data. The design is something that I don't think database folks would have come up with if they were the ones designing it

Of course, all of the terrible committee-made standards that are being layered on top of it don't help, but I suppose that's not a complaint with the core of XML.

cheers!

An Introduction to XML Signatures (xml.com)

[ditoudi]

If you want more information about XML Signature, just check this article
http://www.xml.com/pub/a/2001/08/08/xmldsig.html

Re:Screw Patents

[lemonhed]

>Ignore the problem and it goes away!

It surely wont go away. In fact, if you ignore the problem our federal govt will do what people that DO NOT ignore the problem suggest they do. The federal govt is currently debating this issue as we speak.

The US is already conforming to the rest of the world on patent matters (e.g., publishing applications after 18 months). so if you want your voices to be heard.. contact congress.

Here is a link on patent legislation in various countries and how the US interacts with them.

Click here!!!

Conflict of interest?

[bunyip]

So, as I understand it, a working group (WG) member creates a standard and then says, "Oh, hey, great standard guys, but now you're all going to have to pay me for it".

Is this not a conflict of interest? Should the WG member be immediately voted off? Perhaps they should be tarred and feathered, run out of town on a rail?

I prefer the latter approach, it may reduce the number of bogus patent claims.

Alan.

Non-adoptable Standards

[jfrumkin]

So, you release a standard that has a number of patent questions surrounding it...hmmmm, let's see how many people jump at the opportunity to adopt something for which they could be sued or made to pay unknown license fees....

Another thought: Can I patent the idea of patentable standards? Sounds like a business model to me...

Wow, who would have thought this !?

[shiva600]

XML Signatures can be applied to any digital content (data object), including XML.

Surprise !

Digitial Signatures and XML = Good Thing...

[soap.xml]

I would hope that the community and the possible "patent holders" allow for this to go forward. There really is a need for such a technology the XML/Web Services space.

Having the ability to sign a document, or even a fragment of a document, allows for customers to "trust" that document and its contents. Sure https/ssl is a good way to "secure" the data during transit. But how can you be sure (currently) that the document I am sending you contains the proper information?

Think of this in a b2b ecommerce setup. I can send you my pricing sheets, in xml format, you can be sure that they are really the proper pricing, and can be assured of the "current" availablity. In the same XML document, I can include reviews and any other pertanant infromation about a given product. Digitally signed and verified from a trusted third party source. My customers are now not worried that I am trying to push a product line by falsifing results, and I am providing them with content for there catalogs...

To me, if it makes it through any "patent problems" this could be a very good thing ;)

-ryan

XML is no longer simple

[Carnage4Life]

Simplicity? XML is about as simple as you can get. XML is just straight text in tags similar to HTML. Of course, it's only go to do with data transfer, but XML is generally very simple. And for those people who don't know "data" from a hole in thr ground, there's no reason to use XML in the first place.

In the good old days, XML was simple but this is no longer the case as the W3C has created more and more complex standards that seem to require a P.hD to understand.

• Want to specify a structure for your XML? XML Schemas
• Want to query XML? XQuery
• Want to transform XML to some other format? XSLT
• Want to use XML as a transfer format for RPC calls? SOAP.
• Want to create links between XML documents? XPointer, XLink, and XML:Base are all needed.
• Want to include XML files in each other? XInclude

Many of the above standards are rather complex and difficult for most people to understand completely. This is besides the stuff one has to understand about XML infoset and XML namespaces to fully understand how to use XML properly.

DISCLAIMER: The opinions in the above post are MINE ALONE and do not reflect the opinions, intentions or strategies of my employer.

XMLDSIG in the .NET Framework

[bal]

The XMLDSIG implementation in the .NET Framework is fully compliant with the final XMLDSIG Recommendation. (I'm a co-author of the XMLDSIG standard and my group at Microsoft owns the XMLDSIG implementation in the .NET Framework.) The .NET Framework implementation was one of the original four to participate in interop testing at the Pittsburgh IETF (July 2000) and we tracked every change in the spec since then.

The classes implementing XMLDSIG are located in the System.Security.Cryptography.Xml namespace in the System.Security.dll assembly.

--bal

You have it backwards

[fm6]

All these complicated technologies actually show how simple XML remains. None of them does anything to "make XML more complicated". XML is just a specification for encoding information -- and that specification is still on version 1.0. If the XML designers did their job right, there never be an XML 2.0 or even an XML 1.1.

The beauty of XML lies not just in its simplicity, but also its flexibility. Naturally people are using this flexibility to implement sophisticated applications -- and writing complicated descriptions of these applications. But none of these things makes XML itself more complex. You might as well say that RISC chips, such as PowerPC, stopped being simple when people started using them to emulate Pentiums!