Chapter 11. Profiling XMLDSIG for Applications


Any particular application of XMLDSIG requires a specific profiling of XMLDSIG. That is, it requires a specification of the following issues:

  • How the signature or signatures fit syntactically into the application documents and/or protocol messages

  • What the signature or signatures mean semantically

  • What specifications or limits apply to the composition and use of the signature or signatures such as limitations on algorithms, types of keying information, ways to extend them (if allowed), and so on

Note:

The XMLDSIG standard merely provides cryptographic linking between signed data and the key used to sign that data. A higher application level must specify the Signature meaning.
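As an added example (not code from the book), the following Python check enforces a hypothetical application profile covering the three points listed above: where the Signature must sit syntactically, which algorithms and transforms are permitted, and what KeyInfo may contain. The profile values, the `<Order>` message and the placeholder base64 values are all constructed for the example.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Hypothetical profile for an <Order> message: the algorithms, transforms and
# KeyInfo content it permits; the Signature must be a direct child of <Order>.
PROFILE = {
    "c14n": {"http://www.w3.org/2001/10/xml-exc-c14n#"},
    "signature": {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"},
    "digest": {"http://www.w3.org/2001/04/xmlenc#sha256"},
    "transforms": {"http://www.w3.org/2000/09/xmldsig#enveloped-signature"},
    "keyinfo": {"X509Data"},
}

def _alg(el):
    return el.get("Algorithm") if el is not None else None

def check_profile(xml_text, profile=PROFILE):
    """Profile violations ([] = conformant); crypto verification is a separate step."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(DS + "Signature")  # syntactic placement rule
    if len(sigs) != 1:
        return ["expected exactly one ds:Signature as a child of the root element"]
    sig, v = sigs[0], []
    si = sig.find(DS + "SignedInfo")
    if si is None:
        return ["ds:SignedInfo missing"]
    if _alg(si.find(DS + "CanonicalizationMethod")) not in profile["c14n"]:
        v.append("CanonicalizationMethod not allowed by profile")
    if _alg(si.find(DS + "SignatureMethod")) not in profile["signature"]:
        v.append("SignatureMethod not allowed by profile")
    for ref in si.findall(DS + "Reference"):
        if _alg(ref.find(DS + "DigestMethod")) not in profile["digest"]:
            v.append("DigestMethod not allowed by profile")
        for t in ref.findall(DS + "Transforms/" + DS + "Transform"):
            if _alg(t) not in profile["transforms"]:
                v.append("Transform not allowed by profile: %s" % _alg(t))
    ki = sig.find(DS + "KeyInfo")  # restrict keying information to what the profile names
    kinds = {c.tag.replace(DS, "") for c in ki} if ki is not None else set()
    if not kinds or not kinds <= profile["keyinfo"]:
        v.append("KeyInfo must contain only: " + ", ".join(sorted(profile["keyinfo"])))
    return v

# Constructed sample; DigestValue, SignatureValue and certificate are placeholders.
SAMPLE = ('<Order xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><Item>widget</Item><ds:Signature>'
  '<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
  '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="">'
  '<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>'
  '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>'
  '</ds:Reference></ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue><ds:KeyInfo><ds:X509Data>'
  '<ds:X509Certificate>cGxhY2Vob2xkZXI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></Order>')
```

Running the profile check before cryptographic validation rejects messages that use algorithms or key forms the application never agreed to, which is exactly the class of decision XMLDSIG itself leaves open.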


When developers design security into an application from the beginning, they should integrate this profiling of XMLDSIG (and perhaps XML Encryption) into the general specification of the application. XML Key Management (see Chapter 14) is an application that uses XMLDSIG as a building block and so integrates a profile of how XMLDSIG will be used into its general specification. P3P (Platform for Privacy Preferences) and SOAP (see Chapter 8) are two examples of initially insecure applications for which separate profiles have been written. These profiles, which exist as separate W3C Notes, are described in this chapter. Because neither is a standard yet, changes or replacements may occur before a security profile emerges as a standard for P3P or SOAP.

This chapter assumes familiarity with the XML Digital Signature standard (see Chapter 10). Some familiarity with P3P and SOAP will also be helpful.



Secure XML: The New Syntax for Signatures and Encryption
ISBN: 0201756056
Year: 2005
Pages: 186
