Any news with XML Security
(too old to reply)
Cuong Huy To
2007-06-30 18:24:57 UTC
Dear all readers and researchers,

I'm quite new to Security, and I am working with JSR 105/106 (DSig and

Recently, I've read a writing by Peter Gutmann
http://www.cs.auckland.ac.nz/~pgut001/pubs/xmlsec.txt, in which from
what I have understood, Peter has pointed out that:
+ Canonicalisation is too hard, X.509 abandoned it, no hope for
+ XML is complicated: XSLT, XPath, DTD difficult to simply describe
what should be a secure solution for XML
+ XML is too much flexible
One can sign the document header
One can sign an empty string
There are key exchange mechanisms where a message can contain embedded
keys before or after the secured payload (Still don't understand)
+ XML is also too much inflexible
Can you separate a security component from an XML component ?
Not many XMLSec provider is both good at security or XML, but you have
to use whatever that provider gives you

+ Good non-XMLSec solutions (PGP & S/MIME) organizes blocks of data so
as to avoid buffering of big data when verifying/encrypting:
- Encryption:
Recipient/Key-exchange information
Encrypted Data
- Signature:
Signature Hash Algorithm Indicator
+ XMLSec tries to be different, by allowing data blocks to be of
arbitrary orders.

This writing was 2 years old (From 2005), and I still see XML Security
developed by Sun, Apache and IAIK ?

So could anyone of you telling me what the world is really thinking on
XML DSig and Encryption ?

Thanks alot for your time
Valery Pryamikov
2007-07-05 11:25:11 UTC
I belive that the main reason why XML Security is still being
developed is that it is pushed by SOA actors (I don't need to list
these big companies who bets on WebServices and architecture around

In addition to Peter's arguments - if you want to use XMLSecurity you
simply can not make efficient implementation that doesn't requre
several XML re-serialization/re-parsing during the process! For
example, if you need to sign and encrypt the document, you'll be
required to serialize and parse XML documents at least 3 times. First
you need cannonical serialization of source document to extract
cannonical representation of protected document portion. After that
you need to create another XML document that contains encrypted
content and store this intermediate result in explicit cannonical
form. At last you need to produce third document with signature and
encrypted content and send it to the receiver (cannoncial
serialization is not required at this point because receiver must
always convert it to explicit cannonical form before doing any other
processing). And if we look at some other requirements of WSSecurity
1.1 - you might be required to do additional explicit cannonical
serialization of intermediate results plus parsing of intermediate XML
results for being able to implement them.