santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Arshad Noor <>
Subject Re: Basic questions re: jsr 105/106 &w3c stds and xmlsec
Date Sat, 10 Apr 2010 18:11:39 GMT
I'm sure a lot of specs are currently "dead" given the tight
economy and the fact that the remaining employed have double
or triple the work-load of better times - who can justify
many hours/days spent on standards as businesses are cutting
most non-revenue expenditures to the bone?

That said, I would like to affirm support for XML Encryption.
We have been using it for nearly 5 years and while it can use
a little improvement, if you are working in the XML world, it
offers a ready-made choice with supported libraries/tools.
How else would one transfer XML content with encrypted data
in it between systems/partners?  By the time you've defined
all the rules for the exchange of ciphertext, you've
reinvented a proprietary version of the XML Encryption XSD.
With the use of XMLENC, at least 90% of the work is done for
you and all you've got to define is the remaining 10%.

While IBM and Sun's JDKs might differ in their implementations
(I haven't personally looked at IBMs implementation so I can't
speak authoritatively on it), it only requires one large paying
customer to get both vendors to get their act together (if their
implementations are incompatible) - or a few committed engineers
within these companies to do what's right.

Yes, there is a need for XML Encryption and XML Signature - IMO
application developers are in their infancy wrt cryptography
and are writing some bizarre code (based on my readings at the
Cryptography forum at  As they mature, they will
realize the benefits of XML Signature and XML Encryption and
start using it - the refinements will surely come at that time.

In the meantime, I would prefer not to declare XMLENC dead -
having worked in cryptographic key-management for the last
decade, we believe the opportunities are just starting to
open up for this technology.

Arshad Noor
StrongAuth, Inc.

Mike Klein wrote:
> Jsr 105 (signing) is 'finalized' and jsr 106 (enc) seems 'dead'.
> I have a need to provide xml signing and enc across IBM and Sun JREs.
> I see xmlsec only mentions 105 compliance (perhaps because spec is final
> after all) and no real mention of 106 compliance (which makes sense as
> spec is 'dead').
> I am able to do certain kinds of xmlenc with xmlsec just fine, but is it
> based on any accepted standard at this point? Can xmlenc output from
> xmlsec be sent to 3rd parties w/o any issues?
> IBM jre seems to provide both kinds of functionality yet I don't believe
> this helps me on sun jre...seems bundled with jre.
> Is there even a need for xml enc on java or only sig?
> thanks in advance...
> mike

View raw message