XML Signatures: Behind the Curtain - The Overview
XML signatures have been designed (according to the RFC) with the multiple goals of providing "integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere." (I've bolded that last phrase because it is central to what this candidate implies for how the 'Net would work if it is adopted and implemented. More on this later.) These are fairly ambitious goals, to be sure, and fairly extensive when considered in context. The ultimate goal of these signatures and their associated processes is to provide the default basic server-based security services for the Web through the use of XML.

However, the authors do have some sense of proportion about their work. The candidate contains this passage: "The XML Signature ... does not normatively specify how keys are associated with persons or institutions, nor the meaning of the data being referenced and signed. Consequently, while this specification is an important component of secure XML applications, it is, by itself, not sufficient to address all application security/trust concerns, particularly with respect to using signed XML (or other data formats) as a basis of human-to-human communication and agreement. Such an application must specify additional key, algorithm, processing and rendering requirements."

In short, the authors are cautioning against treating this work as a technical panacea: it must be used within other security measures. This is wise, but it raises the question of what's behind the XML curtain.
More By Larry Loeb