The W3C XML Security Working Group published six working drafts about XML signatures and encryption:
- XML Signature Best Practices "describes best practices related to improving security and mitigating attacks, yet others are for best practices in the practical use of XML Signature, such as signing XML that doesn't use namespaces, for example."
- XML Signature Syntax and Processing Version 1.1. "Conformance-affecting changes against this previous recommendation mainly affect the set of mandatory to implement cryptographic algorithms, including Elliptic Curve DSA (and mark-up for corresponding key material), and additional hash algorithms. There is currently no consensus about the inclusion of the ECDSA algorithm as mandatory to implement, and the Working Group seeks early community input into what algorithms should be supported. Arguments for and against specific approaches are called out in an editorial note in section 6.1 Algorithm Identifiers and Implementation Requirements."
- XML Signature Transform Simplification: Requirements and Design "outlines a proposed simplification of the XML Signature Transform mechanism, intended to enhance security, performance, streamability and to ease adoption."
- XML Encryption Syntax and Processing Version 1.1. "Conformance-affecting changes against this previous recommendation mainly affect the set of mandatory to implement cryptographic algorithms, by adding Elliptic Curve Diffie-Hellman Key Agreement. There is currently no consensus about the inclusion of this algorithm as mandatory to implement, and the Working Group seeks early community input into what algorithms should be supported. Arguments for and against specific approaches are called out in an editorial note in section 5.1 Algorithm Identifiers and Implementation Requirements."
- XML Security Generic Hybrid Ciphers "augments XML Encryption Version 1.1 by defining algorithms, XML types and elements necessary to enable use of generic hybrid ciphers in XML Security applications."
- XML Security Algorithm Cross-Reference "collects the various known URIs for encryption algorithms (at the time of its publication) and indicates which specifications define them."

I've thought about adding XML encryption and/or digital signatures to XOM one of these days, but frankly there's just never been any demand for it.
It's not clear that anyone's actually using this stuff.