The Web Services Advisor
(Receive this column in your inbox,
click Edit your Profile to subscribe.)
An inside look at XML Signature
For Web services to flourish, there needs to be some way for people and companies to know that those on the other end of the transaction really are who they say they are. That's the job of XML Signature. It's a security standard that allows those using Web services to verify the identity of others involved in transaction, and to guarantee the integrity of the data - in other words, that it hasn't been altered in any way since the document was originally signed. The standard will be critical to the widespread use of large-scale business-to-business Web services.
Especially important about XML Signature is that it allows different parts of a document to be signed separately - and will also allow more than one person to sign a document, or allow more than one person to sign different sections of the document. This is vital because many Web services transactions will likely involve several different companies in a single transaction, and each of those companies needs to be able to sign only certain sections of a document. And all the parties involved need to know that everyone else in the transaction is who they say they are and that the data is secure and hasn't been changed.
How XML Signature works
XML Signature uses digital signatures as a way to do all this, and so before understanding how XML Signature works, you need to understand what a digital signature is and how one is created. At its most basic level, a digital signature is a piece of data that verifies a person is who he says he is. The signature can be created a number of different ways, and with varying degrees of complexity. In general, to create one you need the document or other piece of data that you're going to sign, a key that is used to verify that you are who you say you are, and one or more algorithms that are used in concert with the data and your key in order to create an electronic signature and sign the document. Often, an algorithm or algorithms is applied to the messages (this algorithm is often called a hash algorithm), and then the key and another algorithm (called an encryption algorithm) is applied to the results of the first algorithm - and you end up with a digital signature signing the messages.
XML Signature allows these kinds of signatures to be used in XML documents. To better understand it, we'll look at a basic example of some XML code that uses the signature. Let's say that as part of a Web service transaction, a contract needs to be signed, and the contract is inside an XML document passed during the transaction. The contract part of the XML document looks like this:
<contract-item id="Section 1A">
I, the undersigned, agree to pay $35,000 for delivery of 15 new computers.
We'll assume that just that part of the XML document will need to be signed - no signature needs to be applied to any other part. In front of that
The section looks like this:
You can see references to the various algorithms, and the way that the data was transformed. Also, you might have noticed a Reference URI. That identifies what is being digitally signed, and in this instance, Res1 is the contract section of the document.
Next comes the actual signature value, like this:
This is followed by the <keyInfo> section, which has details about the key used to sign the document, and could even contain the key itself - a very long line of arbitrary-looking letters and numbers.
In a nutshell, that's the code that is used to sign the document. The document now contains an XML Signature, and the Web service examines the signature and verifies that it's real and accurate, so that everyone else in the transaction knows that the document is a valid one.
XML Signature in the real world
All this code is useful to know, but may seem rather abstract. So let's take a simple example of how XML Signature might be used in the real world. We'll say that a Web service has been built for real estate transactions. A real estate firm draws up the contract - and the contract requires that the buyer sign certain sections of the document, that the seller sign certain sections of the document, and that a mortgage company sign a section guaranteeing a loan - otherwise the seller won't agree to sell.
The result is a complex XML document routed among the parties by the Web service. First the buyer signs several pages, then the document is routed to the mortgage company, which signs a page. Finally, it comes to the seller. The Web service checks that the digital signatures of the buyer and mortgage company is valid. After finding that they are valid, he digitally signs it as well. The document is valid - the sale goes through.
Keep in mind that the Web service application itself will include built-in tools for allowing people to digitally sign the documents - each party in the transaction won't have to go into the XML code.
Where XML Signature is today
So where is XML Signature today? The W3C has recommended it as a standard, which means that it most likely will gain widespread acceptance. For details about the standard and recommendation, go to http://www.w3.org/TR/xmldsig-core/. It's unlikely that you'll be using XML Signature just yet - it's not mature enough, and so toolkits aren't yet widely available and it isn't yet generally used. But it's worth checking out now, if you have any plans for business-to-business Web services or other Web service transactions.
About the Author
Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. As a well-known technology guru, he appears frequently on TV and radio shows and networks, including CNN, MSNBC, ABC World News Now, the CBS Early Show, PBS's All Things Considered and others. He has won a number of awards for his writing, including from the Computer Press Association for the Best Feature in a Computer Publication. He can be reached at firstname.lastname@example.org.
For More Information:
- For insightful opinion and commentary, read our Guest Commentary columns.
- Tired of technospeak? The Web Services Advisor column provides a clear understanding of Web services.
- Looking for shortcuts and helpful developer tips? Visit our Tip Exchange for time-saving XML and .NET tips.
- Visit our huge Best Web Links for Web Services for hand-picked resources by our editors.
- Discuss this article, voice your opinion or talk with your peers in our Discussion Forums.
- Visit Ask the Experts for Web services, SOAP, WSDL, XML, .NET, Java and EAI answers.