Safeguarding the Identity and Integrity of XML Messages
By: Sams Publishing
    2004-09-09


    Table of Contents:
  • Safeguarding the Identity and Integrity of XML Messages
  • XML Signature Fundamentals
  • XML Signature Structure
  • Types of XML Signatures
  • The Signature Element Schema
  • XML Signature Processing
  • XML Signature Validation
  • The XML Signature Elements
  • Canonicalization Actions from Canonical XML Version 1.0
  • The SignatureMethod Element
  • The Reference Element
  • The Transform Element
  • XPath Filtering Transform
  • Enveloped Signature Transform
  • XPath Filter 2.0 Transform
  • The DigestMethod Element
  • The Object Element
  • The Manifest Element
  • The KeyInfo Element
  • Security Strategies for XML Signature
  • Summary


    ( Page 1 of 21 )

    XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. Read more in this chapter from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

    Introduction to and Motivation for XML Signature

    Chapter 2, "The Foundations of Web Services," and Chapter 3, "The Foundations of Distributed Message-Level Security," provided an overview of Web services (including XML) and security concepts. This chapter and the next bring two of the key security principles—confidentiality and integrity—into the world of XML. Confidentiality, in the world of XML, manifests itself as XML Encryption. Integrity manifests itself as XML Signature. XML Signature and XML Encryption are fundamental strategies for securing XML and are pillars of WS-Security. Because XML is one of the foundations of Web services, it follows that these two technologies are extremely important to understand and apply when you are implementing secure Web services.

    A W3C Standard

    XML Signature (as discussed in Chapter 3) is a joint standard of the IETF and the W3C for digitally signing all of an XML document, part of an XML document, or even an external object. Similarly, XML Encryption is a W3C standard, which followed XML Signature, for encrypting all of an XML document, part of an XML document, or an external object. Actually, you can sign or encrypt pretty much anything you can point to with a URL.

    Critical Building Block for WS-Security

    XML Signature and XML Encryption are fundamental to the next generation of emerging standards that use these two standards as building blocks. For example, WS-Security, the emerging OASIS standard for Web services security; XML Key Management Specification (XKMS); and Security Assertion Markup Language (SAML), among many others, all rely on XML Signature and/or XML Encryption.

    Close Associations with Web Services Security

    XML Signature and XML Encryption, two of the three major pillars of the WS-Security standard, are so predominant in current thinking about Web Services Security that some people mistake them as the only strategy for securing Web services. This is really not the case at all. When reading Chapter 3, you probably realized that Web Services Security must involve a broad spectrum of security technologies and strategies. Web services involve active use of XML messages across trust domains. Securing the message itself is critical, but it represents only one aspect of the whole Web Services Security picture.

    That being said, we encourage you to pay special attention to the information in this chapter and, if you are interested in more detail, to pick up a book that treats this subject in more depth—for example, Secure XML by Donald Eastlake and Kitty Niles (Addison Wesley, 2002).

    The Goal of Ensuring Integrity (and Usually Identity) and Non-repudiation Persistently

    XML Signature technology, like digital signature, is a tool for ensuring integrity and, usually, identity and non-repudiation. XML Signature takes the building block of digital signature as described in Chapter 3 and greatly expands upon it, taking advantage of the power and flexibility of XML as well as key Web technologies (such as URLs) to sign almost any type of resource, whether an XML document, a part of an XML document, or a non-XML object such as an image.

    XML Signature and XML Encryption: Fundamental Web Services Security Technologies

    You might think that Web Services Security in relationship to XML Encryption and XML Signature is about encrypting and digitally signing SOAP messages. This aspect of the application of these two technologies is certainly important, and this usage is well covered in this book; however, this probably will not be the most important usage for you, as a developer or administrator of Web services, at least in the near future. Web services containers or special Web services firewalls help manage this complexity by signing/encrypting or verifying/decrypting all or parts of the SOAP message based on policies you configure. It really does not make sense for Web services developers to have to worry about the blocking and tackling involved in securing the SOAP payload uniquely for every application and/or operation within a Web service. This operation will become part of the infrastructure. As a Web services developer, you should be able to focus on the SOAP payload itself, which is an XML document. Much of your direct use of XML Signature and XML Encryption will be for your applications themselves to take advantage of the power of these technologies to enrich the functionality of your systems.

    The goal of this chapter is to inform you how XML Signature works while not burying you with too much detail. This standard is powerful and complex, so we focus on the parts that we think will be most applicable.

    This chapter is from Securing Web Services with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.
