XML Signature

Before we can understand XML Signature, we must first understand what digital signatures are. A digital signature leverages cryptography to support nonrepudiation, the ability to validate that a party has "signed off" on a particular document, for instance on a binding legal agreement such as an order for custom-built products. Digital signatures generally rely on public key cryptography: the signer applies a signing algorithm with a private key, and the receiver validates the signature by applying the verification algorithm with the corresponding public key, so that the value it produces should match the one in the signature. If the information has been altered, the values won't match and the signature will be invalid.

This is important in the world of application integration when considering workflow, or the movement of information between parties, and the validation of that information as signed off by the parties. What's more, some data exchange operations may rely on digital signatures as well; for example, the ability to do electronic business with a clear understanding that digitally signed agreements are as good as signed work orders or purchase orders.

XML Signature is the specific XML syntax for representing a digital signature over any digital content: an XML document, an HTML page, binary-encoded data (such as a GIF), XML-encoded data, or a specific section of an XML file.

There are three types of XML Signatures:

  1. Enveloped

  2. Enveloping

  3. Detached

An enveloped signature is a signature on a document where the XML Signature is embedded within the signed document. An enveloping signature is a signature where the signed data is embedded within the XML Signature structure itself. A detached signature is a signature where the signed entities and the signature are kept separate from each other.

Once we understand digital signatures, we also need to understand how an application creates and verifies a signature. All PKI systems provide APIs that allow you to create and process signatures, but it would be much more efficient if this code were reusable. To address this issue, the OASIS Digital Signature Services (DSS) Technical Committee was formed to create a specification for a set of Web services that can create and validate XML Signatures.
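To make the three forms and the create/verify steps concrete, here is an added example (not from the book or any OASIS deliverable) that builds and verifies an enveloped, an enveloping and a detached ds:Signature over a constructed purchase order using only Python's standard library. It uses the spec's HMAC-SHA256 SignatureMethod with a constructed shared key in place of the private-key signing described above, and stdlib C14N 2.0 in place of the specification's C14N 1.0; the purchase order, key and helper names are all assumptions of this example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
NS = "http://www.w3.org/2000/09/xmldsig#"
DS = "{%s}" % NS  # Clark-notation prefix for ds: element names
ET.register_namespace("ds", NS)
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # RFC 4051 SignatureMethod
KEY = b"constructed-demo-shared-secret"  # constructed key; HMAC stands in for the private key
ORDER = "<PurchaseOrder><Item>Custom widget</Item><Qty>3</Qty></PurchaseOrder>"  # constructed

def c14n(elem):  # canonical bytes; stdlib C14N 2.0 stands in for the spec's C14N 1.0
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()
def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()
def reparse(elem):  # serialize and parse again, as a receiving application would
    return ET.fromstring(ET.tostring(elem))
def referenced_bytes(context, uri):
    # "" = document minus every ds:Signature (enveloped); "#id" = element by Id (enveloping);
    # anything else = the external resource's bytes, supplied as context (detached)
    if uri == "":
        doc = reparse(context)  # work on a copy so the caller's tree keeps its signature
        for parent in list(doc.iter()):
            for sig in parent.findall(DS + "Signature"): parent.remove(sig)
        return c14n(doc)
    if uri.startswith("#"):
        return c14n(next(e for e in context.iter() if e.get("Id") == uri[1:]))
    return context
def fill_signature(sig, context, uri):
    # add SignedInfo (one Reference with its DigestValue) and SignatureValue to a bare ds:Signature
    sig.insert(0, info := ET.Element(DS + "SignedInfo"))
    ET.SubElement(info, DS + "SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(info, DS + "Reference", URI=uri)
    ET.SubElement(ref, DS + "DigestValue").text = b64_sha256(referenced_bytes(context, uri))
    sig.insert(1, ET.Element(DS + "SignatureValue"))  # the MAC covers canonical SignedInfo, not the data
    sig[1].text = base64.b64encode(hmac.new(KEY, c14n(info), hashlib.sha256).digest()).decode()
    return sig
def sign_enveloped(order_xml):  # the signature is embedded inside the signed document
    root = ET.fromstring(order_xml)
    fill_signature(ET.SubElement(root, DS + "Signature"), root, "")
    return root
def sign_enveloping(order_xml):  # the signed data is embedded inside the signature
    sig = ET.Element(DS + "Signature")
    ET.SubElement(sig, DS + "Object", Id="order").append(ET.fromstring(order_xml))
    return fill_signature(sig, sig, "#order")
def sign_detached(resource, uri):  # data and signature are separate; resource is the raw bytes
    return fill_signature(ET.Element(DS + "Signature"), resource, uri)
def verify(sig, context):  # context: enveloped root, the enveloping Signature, or detached bytes
    info = sig.find(DS + "SignedInfo")
    digests_ok = all(r.findtext(DS + "DigestValue") == b64_sha256(referenced_bytes(context, r.get("URI")))
                     for r in info.findall(DS + "Reference"))
    expected = base64.b64encode(hmac.new(KEY, c14n(info), hashlib.sha256).digest()).decode()
    return digests_ok and hmac.compare_digest(sig.findtext(DS + "SignatureValue") or "", expected)
```

Note the order of checks in verify: each Reference digest is recomputed over the resolved content first (stripping the signature itself in the enveloped case), and only then is the MAC over canonical SignedInfo compared, so a change to either the data or the signature is rejected.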

Missing Pieces of Web Services

When considering Web services for application integration, there are some missing pieces. For example, Web services don't provide a mechanism for leveraging user interfaces. The Web Services User Interface (WSUI) initiative, announced in June 2001, is moving to solve this problem, but the technical obstacles are significant. Also, current Web services do not address security very well, lacking support for authentication, encryption, and access control. Indeed, Web services have no built-in ability to authenticate the publishers or consumers of the Web services.

The XML-Based Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS) is looking to shore up security within Web services with the Security Assertion Markup Language (SAML). This security standard allows organizations to share authentication information with the partner organizations with which they wish to share Web services. Other emerging security standards include the XML Key Management Specification (XKMS), based on Public Key Infrastructure (PKI).



Next Generation Application Integration: From Simple Information to Web Services
ISBN: 0201844567
Year: 2005
Pages: 220