Chapter 7. XML Security

XML, Web Services, and the Data Revolution
By Frank P. Coyle


XML is a flexible data framework that allows applications to communicate across the Internet. In order for XML to be used for e-commerce applications, there must be support for security and trust. Requirements for XML security include confidentiality, authentication, and data integrity. The World Wide Web Consortium (W3C) addresses these issues through XML Encryption and XML Signature, for authenticating merchants, suppliers, and buyers, and for digitally signing and encrypting XML documents. These initiatives make use of public and private keys but do not address the issue of how to trust key providers.

Although security mechanisms such as HyperText Transfer Protocol over Secure Socket Layer (HTTPS) are already in place to provide confidentiality, authentication, and data integrity across the Web, XML transport over Simple Object Access Protocol (SOAP) raises security issues that pertain to XML and its processing. For example, both XML namespaces and entities entail substitutions that are not actually carried out until an XML document arrives at its destination, meaning that the XML in transit is not the same as the XML at its final destination. Issues such as these are addressed through the use of XML canonical forms that capture the essential aspects of an XML document and make it possible to apply security constructs. Issues of trust are handled by XML Key Management Specification (XKMS), which builds on the services of XML Signature and XML Encryption and relies on established certificate authorities (CAs).
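The role of canonical forms described above can be seen in the following added example, which is not from the book. It uses Python's standard-library `xml.etree.ElementTree.canonicalize` (an implementation of Canonical XML 2.0, which postdates the book); the two purchase-order documents and the `urn:example:po` namespace are constructed for illustration.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed sample: declares an internal entity, uses an XML declaration,
# double quotes, and one attribute order.
DOC_A = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE order [<!ENTITY cur "USD">]>\n'
    '<po:order xmlns:po="urn:example:po" id="42" buyer="acme">'
    '<po:total currency="&cur;">100</po:total>'
    '<po:note></po:note>'
    '</po:order>'
)

# Constructed sample: the same order as a receiver might re-serialize it,
# with the entity already substituted, single quotes, reordered attributes,
# extra whitespace inside the start tag, and an empty-element tag.
DOC_B = (
    "<po:order buyer='acme'   id='42' xmlns:po='urn:example:po'>"
    "<po:total currency='USD'>100</po:total>"
    "<po:note/>"
    "</po:order>"
)

# Constructed sample: a real content change (total altered).
DOC_TAMPERED = DOC_B.replace(">100<", ">1000<")


def raw_digest(xml_text: str) -> str:
    """Digest of the bytes as transmitted; sensitive to serialization."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """Digest of the canonical form; this is what a signature should cover."""
    canon = canonicalize(xml_text)  # returns the canonical text as a str
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("canonical form:", canonicalize(DOC_A))
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical digests equal:",
          canonical_digest(DOC_A) == canonical_digest(DOC_B))
    print("tampering detected:     ",
          canonical_digest(DOC_TAMPERED) != canonical_digest(DOC_A))
```

A digest taken over the raw bytes would reject the re-serialized document even though nothing meaningful changed, while the digest over the canonical form accepts it and still rejects the altered total.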


XML, Web Services, and the Data Revolution
ISBN: 0201776413
Year: 2002
Pages: 106
Authors: Frank Coyle
