XML Signature is the latest and greatest technology for you to use to ensure integrity and non-repudiation (to the extent possible). Its remarkable flexibility allows you to sign parts or all of XML documents as well as binary and remote objects.

Despite the depth and size of this chapter, the medium-level concepts behind XML Signature and the way it works are not difficult to understand. An XML Signature is represented by a Signature element. The core elements of an XML Signature are the SignedInfo and SignatureValue elements. The SignedInfo element contains the CanonicalizationMethod, the SignatureMethod, and one or more Reference elements. The Reference elements contain URIs (pointers) to resources to be signed, zero or more Transform elements, a DigestMethod, and a DigestValue. Transforms are algorithms that modify the resource being referenced in some way. The SignedInfo element and all its descendents are canonicalized and signed, using the specified algorithms, with the result put into the SignatureValue element.

In addition to SignedInfo and SignatureValue, a Signature can have two other optional elements: Object and KeyInfo. The Object element is a flexible element typically used to contain items to be signed and/or other information about the Signature. The Object element may contain a SignatureProperties element, which is a place to put properties about an XML Signature such as the time the Signature occurred. Also, an Object element could contain a Manifest, which is a set of Reference elements, formatted exactly like SignedInfo, with the only difference being the application is notified if a Reference from a Manifest fails validation; whereas if a Reference from SignedInfo fails validation, the entire signature fails. KeyInfo provides the key, or a pointer to the key, needed to validate the XML Signature.

The Reference URI is quite flexible and can point to resources in a variety of ways. There are three types of References, also known as XML Signature types: Enveloping Signatures, in which the Signature element wraps the item being signed; Enveloped Signatures, in which the Signature element is a descendent of the resource being signed; and Detached Signatures, in which the resource being pointed to is none of the above. Detached Signatures can have Reference URIs pointing to an XML element within the current document (but not to an ancestor node), to a binary file such as a GIF image, or to all or part of an external XML document.

We have spent extra time on helping you to understand XML Signature primarily because it is the first of the XML Security standards and is fundamental to the newer XML and Web Services Security standards. A good familiarity with XML Signature will help you understand the following standards, as well as provide you with a powerful tool for securing your Web services applications.

In the next chapter, we look at XML Signature's sibling standard: XML Encryption.

Footonotes

1. XML Signature Specification, http://www.w3.org/TR/xmldsig-core

2. XPath, XML Path Language (XPath) Version 1.0. W3C Recommendation. J. Clark and S. DeRose. October 1999. http://www.w3.org/TR/1999/REC-xpath-19991116

3. RFC2440: OpenPGP Message Format. J. Callas, L. Donnerhacke, H. Finney, and R. Thayer. November 1998. http://www.ietf.org/rfc/rfc2440.txt

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today. Buy this book now.