1.2 The Need for Secure XML

Many XML uses today need security, particularly in terms of authentication and confidentiality. Consider commercial transactions. It should be clear why purchase orders, payments, delivery receipts, contracts, and the like need authentication. In many cases, particularly when the transaction involves multiple parties, different parts of a message need different kinds of authentication for different recipients. For example, the payment portion of an order from a customer to a merchant could be extracted and sent to a payment clearing system and then to the customer's bank. Likewise, court filings, press releases, and even personal messages need authentication as a protection against forgery.

Confidentiality is also important for many applications. Consider medical records. As with authentication, granularity below the document level is often required. For example, a company personnel record might include data, such as a phone number or address, which are generally available within the company, as well as performance or salary information, which is more highly restricted. In another example, a customer record might include a credit card number that is more sensitive than other data. By encrypting different fields with different keys, the fields can be secured to different classes of recipients.

Non-XML mechanisms can provide security. For example, you can obtain confidentiality and authentication by using Pretty Good Privacy (PGP) [RFC 2440] or Secure Multipurpose Internet Mail Extensions (S/MIME) [RFC 2633] binary formats. Their use, however, requires the addition of non-XML mechanisms that may have different concepts of user identity or otherwise clash with XML systems.

For point-to-point security between a sender and receiver, you can use mechanisms such as a Transport Layer Security (TLS) [RFC 2246], Secure Sockets Layer (SSL), or IP Security (IPSEC) [RFC 2401] secure channels. Unfortunately, they can provide only one level of confidentiality for all material sent through that channel and have limited authentication provisions. After data that pass through such a secure channel are stored, the data typically

• Are not associated with any authentication from that channel that could be forwarded to or recognized by a third party,

• Have no integrity protection, and

• Have no confidentiality because it was all decrypted as it exited the tunnel.

Increasingly, for simplicity and flexibility reasons, users desire to work with all-XML systems using XML security mechanisms. Such security mechanisms can support the authentication and confidentiality of documents and portions of documents in a general and powerful way.