This book explains the guts of XML Digital Signatures and XML Encryption. Along the way, it describes how you, as a designer, implementer, or evaluator of an XML application, can make use of these technologies. Using this book, a skilled reader can design and implement interoperable XML-based authentication and/or confidentiality mechanisms for his or her particular applications.
The Extensible Markup Language (XML) is rapidly becoming the new standard in application-level computer communications. As its use spreads, mechanisms to assure the authenticity and confidential communication of XML documents and messages become essential.
Material provided in this book minimizes needed prerequisite knowledge, although it requires general familiarity with computer concepts. For the reader not familiar with digital security or cryptology concepts, Part I includes a chapter covering these topics in the depth needed to understand the remainder of the book. For the reader not familiar with XML, Part II provides in-depth coverage of XML and related standards. This material provides not just the background needed for the rest of this book, but also enough general coverage that it should be helpful in understanding most XML applications and systems. Readers with sufficient knowledge in the areas covered can skip or skim this background material.
After providing the introductory and background material in Parts I and II, the book covers the topics of XML digital signatures, XML encryption, and XML canonicalization in depth. This discussion includes specific formats and examples and covers keying material, combined use of signatures and encryption, algorithms, and profiling of signature use for particular applications. If your interest lies only in XML digital signatures or XML encryption, you can skip the chapters associated with the other topic. Any nontrivial use of XML Security, however, will require some familiarity with XML canonicalization, keying information, and the relevant algorithms.
This book is firmly based on the official, adopted standards of the World Wide Web Consortium, Internet Engineering Task Force, and other relevant standards bodies when available. Additional material is based on the most recent drafts or informational documents available at the time of writing and the authors' personal knowledge and experiences.
In general, we present areas of XML Security by giving an informal syntax with a skeletal example, followed by the formal syntax and then by a number of more complete examples. The material is organized so that the formal syntax and complete examples can be read in either order.
Throughout the book, we include notes that might be of interest to the reader, where the authors either have some particular knowledge of the history involved or have some heretical opinion.