As web services based on SOAP, REST, and XML-RPC explode in popularity, more and more sensitive data is passed around the Internet as XML documents. This includes data thieves might want to use for illicit financial gain, such as credit card numbers, social security numbers, account numbers , and more. It includes data governments might want to use to attack opponents, such as names , addresses, political beliefs, donor lists, and so forth. It includes data users might simply wish to keep private for its own sake, such as medical records and sexual preferences. There are large incentives for bad people to try to read XML documents moving from one system to another. XML encryption can help prevent this. Not all documents need to be encrypted, but those that do need encryption need it badly .
To some extent, standard encryption technologies like PGP and HTTPS can render some assistance. These protocols, programs, and algorithms are for the most part format-neutral. They can encrypt any sequence of bytes into another sequence of bytes. Naturally, they can encrypt an XML file just as easily as an HTML file, a Word document, a JPEG image, or any other computer data; and sometimes this suffices. However, none of these generic encryption tools retain any of the advantages of the XML nature of the original file. The documents they produce are binary, not text. They cannot be processed with standard XML tools.
XML encryption is a technology more geared to the specific needs of encrypting XML documents. It allows some parts of a document to be encrypted while other parts are left in plain text. It can encrypt different parts of a document in different ways. For example, a customer can submit an order to a merchant in which the product ordered and the shipping address are encrypted with the merchant's public key, but the credit card information is encrypted with the credit card company's public key. The merchant can easily extract the information needed and forward the rest to the credit card company for approval or rejection . The merchant has no way of knowing or storing the user 's credit card data and thus could not at a later time charge the customer for products he or she hadn't ordered nor expose the data to hackers.