W3C XML Security Framework

W3C XML Security Framework

XML Signature. W3C Recommendation 12-February-2002. "This document specifies XML syntax and processing rules for creating and representing digital signatures. XML Signatures can be applied to any digital content (data object), including XML. An XML Signature may be applied to the content of one or more resources. Enveloped or enveloping signatures are over data within the same XML document as the signature; detached signatures are over data external to the signature element. More specifically, this specification defines an XML signature element type and an XML signature application; conformance requirements for each are specified by way of schema definitions and prose respectively. This specification also includes other useful types that identify methods for referencing collections of resources, algorithms, and keying and management information. The XML Signature is a method of associating a key with referenced data (octets); it does not normatively specify how keys are associated with persons or institutions, nor the meaning of the data being referenced and signed. Consequently, while this specification is an important component of secure XML applications, it itself is not sufficient to address all application security/trust concerns, particularly with respect to using signed XML (or other data formats) as a basis of human-to-human communication and agreement. Such an application must specify additional key, algorithm, processing and rendering requirements..." XML Encryption. W3C Recommendation 10-December-2002. "This document specifies a process for encrypting data and representing the result in XML. The data may be arbitrary data (including an XML document), an XML element, or XML element content. The result of encrypting data is an XML Encryption EncryptedData element which contains (via one of its children's content) or identifies (via a URI reference) the cipher data. When encrypting an XML element or element content the EncryptedData element replaces the element or content (respectively) in the encrypted version of the XML document. When encrypting arbitrary data (including entire XML documents), the EncryptedData element may become the root of a new XML document or become a child element in an application-chosen XML document. Canonical XML. W3C Recommendation 18-July-2002. IETF/W3C XML Signature Working Group. "The XML Recommendation specifies the syntax of a class of objects called XML documents. The Namespaces in XML Recommendation specifies additional syntax and semantics for XML documents. It is normal for XML documents and subdocuments which are equivalent for the purposes of many applications to differ in their physical representation. For example, they may differ in their entity structure, attribute ordering, and character encoding... The goal of this Canonical XML specification is to establish a method for serializing the XPath node-set representation of an XML document or subset such that: (1) The nodeset is minimally affected by any XML context which has been omitted; (2) The canonicalization of a node-set representing well-balanced XML [XML-Fragment] will be unaltered by further applications of exclusive canonicalization; (3) It can be determined whether two node-sets are identical except for transformations considered insignificant by this specification under XML and Namespaces in XML..."

Principal References
Page 1 of 3

W3C XML Security Framework

Announcement 2005-06-28: "World Wide Web Consortium Issues XML Key Management System (XKMS) 2.0 as a W3C Recommendation. XKMS 2.0 Adds Public Key Management to Web Applications, Web Services." [source] XML Key Management Specification (XKMS 2.0). W3C Recommendation. June 28, 2005. XML Key Management Specification (XKMS 2.0) Bindings. W3C Recommendation. June 28, 2005. Company Testimonials W3C news item Errata of the XML Key Management (XKMS 2.0) Specifications XKMS Translations XKMS Candidate Recommendation Implementation Report XKMS Working Group: o W3C XML Key Management Working Group o XML Key Management (XKMS) Activity Statement o XML Key Management Working Group Charter o XKMS Deliverables o Contact: TC Chairs Stephen Farrell and Shivaram Mysore. o Archive of W3C Public List 'www-xkms'. Subscribe by sending email to www-xkms-request@w3.org with the word subscribe in the email 'Subject: ' line. o XML Key Management Specification (XKMS). Submission to W3C from VeriSign Inc, Microsoft Corporation, and webMethods Inc. W3C Note. 30-March2001. o XKMS Contributor Policies o XKMS Participants o W3C Technology and Society Domain. "Technical building blocks that help address critical public policy issues on the Web." o "XML Key Management Specification (XKMS)" - Local reference page. XML Trust Center resources: o XKMS FAQ document o XML Trust Center web site o XKMS Community o VeriSign Trust Services Integration Kit Earlier XKMS news: o "W3C Releases Candidate Recommendations for XML Key Management Specification (XKMS 2.0)." News story 2004-04-06. o "Last Call Working Drafts for W3C XML Key Management Specifications (XKMS)." o "W3C XML Key Management Working Group Publishes XKMS 2.0 and X-BULK Working Drafts." o W3C Announces Official XML Key Management Activity." o W3C XML Key Management Services Workshop." XML and Security Standards (Security, Privacy, and Personalization): o Application Security o Digital Signatures o XML and Encryption o P3P Specification: Platform for Privacy Preferences o Dialogue Moves Markup Language (DMML) o XML Digital Signature (IETF/W3C) o XML Advanced Electronic Signatures (XAdES) o XML Common Biometric Format (XCBF) o Security Assertion Markup Language (SAML) o Web Services Security Specification o Liberty Alliance Specifications for Federated Network Identification and Authorization

Page 2 of 3

W3C XML Security Framework

o Security Services Markup Language (S2ML) o Extensible Access Control Markup Language (XACML) o ANSI/INCITS 359-2004 Role Based Access Control (RBAC) Security Standard o Enterprise Privacy Authorization Language (EPAL) o XML Access Control Language (XACL) o AuthXML Standard for Web Security o Service Provisioning Markup Language (SPML) o Intrusion Detection Message Exchange Format o "Incident Object Description and Exchange Format (IODEF) o Digital Signatures for Internet Open Trading Protocol (IOTP) o IETF Securely Available Credentials (SACRED) Working Group o OASIS PKI Technical Committee o OASIS PKI Member Section o OASIS Extensible Resource Identifier (XRI) TC o Extensible Name Service (XNS) o XML Encoding of SPKI Certificates o Digital Receipt Infrastructure Initiative o Digest Values for DOM (DOMHASH) o Signed Document Markup Language (SDML) o Customer Profile Exchange (CPEX) Working Group "XML Key Management Specification (XKMS)" - Local references.

Page 3 of 3