A whole bunch of new XML Security working drafts

The W3C XML Security Working Group has released eight first public working drafts last week, from updated XML Encryption 1.1 and XML Signature 1.1 specifications to even some new ones. Among others, these drafts include revisions to XML Signature and XML Encryption to support new algorithms and a new document proposing simplifications to the XML Signature Transform model to enhance performance and security.

XML Signature Best Practices experienced some updates to match the latest recommendations. XML Security Derived Keys, XML Signature Properties, XML Security Algorithm Cross-Reference and XML Security Use Cases and Requirements are completely new specifications.

XML Signature Syntax and Processing Version 1.1
This version mostly replaces more or less unsafe algorithms like SHA-1 with SHA-256 or higher (well, SHA-1 is not replaced, it is still a required algorithm, but SHA-256 is required too). Additionally elliptic curve cryptography has arrived in the recommendations in form of the ECPublicKey element and of course the matching algorithms. And we are confronted with a new digital signature namespace http://www.w3.org/2009/xmldsig11#. Check out the diff-marked version for all changes.

XML Encryption Syntax and Processing Version 1.1
Some updates on required and recommended algorithms too. Elliptic Curve Diffie-Hellman is now a required Key Agreement algorithm. Not too many changes here; and I couldn’t find a diff-marked version.

XML Security Derived Keys
This completely new specification defines a derived key XML type and associated elements, both used in XML Signature and XML Encryption.

XML Signature Properties
Signature properties are nothing new. Up to now it is possible to define any signature property one desires. This is still possible in the future, but this new recommendation will define some commonly used ones. Four properties are defined so far: Profile, Role, Expires and ReplayProtect. I guess we will see some more in the final recommendation…

XML Security Algorithm Cross-Reference
Another new document. And a really, really good idea! This reference contains all algorithms and their corresponding URI used in all XML Security recommendations. Bookmark this page, and never use an incorrect URI again!

XML Signature Best Practices
A collection of best practices, mostly security related, for implementers and users of the XML Signature recommendations. Not everything will be useful in every environment, but clearly this document points into the right direction of making a complex recommendation more practical in the daily usage.

XML Security Use Cases and Requirements
This document summarizes use cases and requirements driving revisions to XML Signature, XML Encryption and XML Canonicalization. Not that interesting for XML Security users.

XML Signature Transform Simplification: Requirements and Design
I like the idea behind this document. Basically it recommends replacing the current reference processing model with a simpler one. And simplicity is always good for security (and for performance). What may(!) happen is an extended Reference element with Selection, Transform and Canonicalization child elements. The Selection element chooses what is to be signed. The Transform element makes sure that you only sign what you see (it has a limited number of transformations that for). And finally the Canonicalization element is used to produce the input for the hash. So the reference processing may change a little bit in the future.

Published by Dominik

Java architect, developer, author, trainer, speaker, JCrypTool project lead and secure programming enthusiast.