November 2002

Secure Reads

Secure XML: The New Syntax for Signatures and Encryption

Reviewed by Patrick Mueller

Donald E. Eastlake III & Kitty Niles

Securing XML--eXtensible Markup Language--entails more than end-to-end encryption of a transport stream. If the requirements were that simple, we could just drop in SSL or an encrypted tunnel. But the complex requirements of next-generation data exchange systems call for advanced features, including encrypting and/or signing of individual fields within an XML document to be submitted by an end user filling out an online form. More complicated is an e-business exchange using PKI-based digital signatures with third-party verification requirements, as well as storing and archiving of document transactions and individual fields therein.

Secure XML provides a comprehensive guide to the security protocols and schemes that have grown up around XML, the Web and open transaction protocol that continues its amazing adoption rate. Unfortunately, the story of the XML security mechanism's design process is all too familiar: completely left out of the initial criteria and built in as an afterthought, creating some avoidable drawbacks.

A good chunk of Secure XML is dedicated to background concepts, theory and application of XML in general, making Secure XML almost a one-stop shop for those new to the language and needing to ramp up quickly in its security features. Proper attention is paid to the intricacies of the language upon which the security components are built, such as "XPath," a data model for dealing with XML subdocuments.

The book details the three major standards: XKMS (XML Key Management Specification), XMLDSIG (Signature Syntax and Processing) and XMLENC (XML Encryption Syntax and Processing), all defined by the World Wide Web Consortium (W3C), with help from the Internet Engineering Task Force (IETF). Each is covered in a clearly written, detailed fashion, complemented by a judicious use of diagrams and examples.

"Soapboxes" scattered throughout the text are priceless, representing the true value of Donald Eastlake's and Kitty Niles's experience and insight. Appropriately marking these sections as "opinion" frees them from the confines of the pure, objective viewpoint of a technical book, and allows the reader to pull up a chair next to these resident XML gurus. Eastlake and Niles are close to the heart of the standards development process, commenting on the trends, history, arguments and wrong turns taken by the two powerful Internet standards bodies involved--W3C and IETF.

A critical prerequisite to the XML security primitives (signatures and encryption) is canonicalization: the exacting, repeatable extraction of XML data into a standard format. Data must be processed the same way on both endpoints, otherwise digital signatures and encryption break down. That's problematic, because XML is a text-based format that wasn't designed with features such as canonicalization. For example, each of the following presents challenges: line-ending characters, spaces at the end of lines and different encodings for the same character.

As one of the first major books on the topic, Secure XML is a pleasant surprise. Rather than rushing to market with a substandard book in hopes of gobbling up the dollars from an audience hungry for any information, the Secure XML team composed a first-rate work, which is recommendable to any XML developer or security engineer.

PATRICK MUELLER, CISSP, is a book reviewer for Information Security and a security analyst for a Chicago-based security consulting firm.

Copyright 2002 TechTarget
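
The canonicalization problem the review describes, as an added example that is not taken from the book or the review: four constructed byte streams carry the same order, and a digest over the raw bytes differs for each while a digest over the canonical form matches wherever the data is really the same. It assumes Python 3.8+, whose standard library implements Canonical XML 2.0, and hashes the result directly instead of building a full XMLDSIG signature.

```python
import hashlib
from xml.etree.ElementTree import canonicalize  # stdlib C14N 2.0 (Python 3.8+)

# Constructed sample documents: one order serialized in different ways.
SENDER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<order id="42" currency="EUR">\n'
          b'  <name>Caf\xc3\xa9</name>\n'
          b'</order>')
# CRLF line endings, Latin-1 encoding, reordered single-quoted attributes.
RECEIVER = (b"<?xml version='1.0' encoding='ISO-8859-1'?>\r\n"
            b"<order currency='EUR' id='42' >\r\n"
            b"  <name>Caf\xe9</name>\r\n"
            b"</order>")
# Numeric character reference instead of the literal character.
CHARREF = (b'<order id="42" currency="EUR">\n'
           b'  <name>Caf&#233;</name>\n'
           b'</order>')
# Extra space inside element content: this is a change to the data itself.
PADDED = (b'<order id="42" currency="EUR">\n'
          b'  <name>Caf\xc3\xa9 </name>\n'
          b'</order>')


def raw_digest(doc: bytes) -> str:
    """Hash the bytes exactly as they arrived on the wire."""
    return hashlib.sha256(doc).hexdigest()


def canonical_form(doc: bytes) -> str:
    """Parse the document, then serialize it in canonical form."""
    return canonicalize(doc)


def c14n_digest(doc: bytes) -> str:
    """Hash the UTF-8 encoding of the canonical form."""
    return hashlib.sha256(canonical_form(doc).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    samples = {"sender": SENDER, "receiver": RECEIVER,
               "charref": CHARREF, "padded": PADDED}
    for name, doc in samples.items():
        print(f"{name:9} raw={raw_digest(doc)[:12]} c14n={c14n_digest(doc)[:12]}")
```

Whitespace inside element content is significant to canonicalization, so the padded variant keeps a different digest; only whitespace inside tags and differences in serialization are normalized away.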