The W3C has published XML-Signature Syntax and Processing as a Recommendation, and Exclusive XML Canonicalization Version 1.0 as a Candidate Recommendation.

While its patent status is unclear, the advance of XML Signature to a W3C Recommendation (and eventually an IETF RFC) should make it easier to create systems which exchange XML documents securely. XML Signature addresses some key parts of XML document transmission, though it doesn't solve the entire set of problems:

"The XML Signature is a method of associating a key with referenced data (octets); it does not normatively specify how keys are associated with persons or institutions, nor the meaning of the data being referenced and signed. Consequently, while this specification is an important component of secure XML applications, it itself is not sufficient to address all application security/trust concerns, particularly with respect to using signed XML (or other data formats) as a basis of human-to-human communication and agreement. Such an application must specify additional key, algorithm, processing and rendering requirements."

Exclusive XML Canonicalization addresses issues raised near the end of the creation of Canonical XML. It makes it possible to "exclude unused ancestor context from a canonicalized subdocument," effectively canonicalizing only the information relevant to that portion. This permits comparison of the signatures of subdocuments from different parent contexts .

Related stories:

• First release of Apache XML Security Software
• XML-Signature to Proposed Recommendation
• Exclusive XML Canonicalization