February 14, 2002 1:00 PM PST
Securing signatures for Web services
The World Wide Web Consortium's (W3C) XML Signature recommendation, developed in conjunction with the Internet Engineering Task Force (IETF), provides a standard way of signing XML documents so that recipients can verify the identity of the sender and the integrity of the data.
Those guarantees are crucial to Web services, an area the W3C has been criticized for neglecting.
"XML Signature is a critical foundation on top of which we will be able to build more secure Web services," W3C founder and director Tim Berners-Lee said in a statement. "By offering basic data integrity and authentication tools, XML Signature provides new power for applications that enable trusted transactions of all sorts."
The digital signature is just one tool in a group under construction at the W3C required for secure transactions.
While the signature verifies a sender's identity and the data's integrity, an encryption method is required to scramble the message and prevent its being read en route to the recipient. The W3C is at work on XML Encryption.
The W3C is also developing XML Key Management, which lets XML applications get keys required for the signature and encryption process.
The signature recommendation, while built in XML and designed with XML documents in mind, can be used to sign other kinds of documents as well.
Analysts hailed the new signature recommendation, formally known as XML-Signature Syntax and Processing, saying it could help ward off a Tower of Babel for digital signing methods.
"Without a standard spec, you're left to your own devices either to use a working draft or use a supplemental technology," said Matthew Berk, an analyst with Jupiter Media Metrix. "People are using all kinds of things. The whole point of having a standard is that there's one less thing we have to worry about."
The XML Signature working group is the first formal joint project between the W3C and the IETF. One step remains before the IETF process for ratifying specifications is complete, but the W3C considers the recommendation finished.