http://www.w3.org/ -- 14 February 2002 -- The World Wide Web Consortium (W3C) has issued XML-Signature Syntax and Processing (XML Signature) as a W3C Recommendation, representing cross-industry agreement on an XML-based language for digital signatures. A W3C Recommendation indicates that a specification is stable, contributes to Web interoperability, and has been reviewed by the W3C Membership, who favor its widespread adoption.
"XML Signature is a critical foundation on top of which we will be able to built more secure Web services," explained Tim Berners-Lee, W3C Director. "By offering basic data integrity and authentication tools, XML Signature provides new power for applications that enable trusted transactions of all sorts."
Digital Signatures are Essential to Web Services
Digital signatures are created and verified using cryptography, the branch of applied mathematics concerned with transforming messages into seemingly unintelligible forms and then back again. Digital signatures are created by performing an operation on information such that others can confirm both the identity of the signer, and the fidelity of the information. This capability is important to a growing number of XML protocol, publishing and commerce applications.
XML Signature Combines Data Integrity with Extensibility
While there are technologies one can use to sign an XML file, XML Signature brings two additional benefits.
First, XML Signature can be implemented with and use many of the same toolkits one is using for XML applications.
Second, XML Signature can process XML as XML instead of a single large document. This means multiple users may apply signatures to sections of XML, not simply the whole document.
As more commercial applications are used to send XML documents through a series of intermediaries, the ability to sign sections of a document without invalidating other portions is invaluable, whether for invoices, orders, or applications.
One may independently sign an XML payload from the XML envelope that carries it for a short period. As a result, when you remove, add or change the protocol envelope the signature on the payload itself is still valid.
Similarly, XML Signature provides flexibility when a signed XML form is delivered to a user. If the signature were over the full XML form, any change by the user to the default form values would invalidate the original signature. XML Signature permits both the original form and user's entries to be independently signed without invalidating the other.
And of course, while XML Signature is tailored to XML processing, it can be used to sign any data, such as a PNG image.