Wattle Software - producers of XMLwriter XML editor

Secure XML: The New Syntax for Signatures and Encryption


By Donald E. Eastlake, Kitty Niles
 
Pricing Details:

List Price: $44.99
Your Price: Currently Unavailable

Book Details:

Format: Paperback, 560 pages.
Publisher: Pearson Education 2002-07-19
ISBN: 0201756056

Average Customer Rating:

5.0 out of 5 stars (9 reviews)

Editorial Reviews:

As XML is more broadly used in both web sites and business applications, the need to ensure security of XML-based applications grows. Most books on XML have at best a chapter devoted to security issues, and there is only one other book currently on the market devoted exclusively to XML Security. This book will show developers all they need to know about how to use XML Digital Signatures to protect the integrity and authenticity of data, and how to use XML Encryption to control its confidentiality. The lead author is at the center of the IETF and W3C working groups formalizing the standards, so there is no one better qualified to write about them. The book will also appeal to networking/security professionals who need to start dealing with the impact of XML on network security.


Customer Reviews:

Displaying 1 to 5 of 9 total reviews (Page 1 of 2):

5 out of 5 stars The best book on this topic ever!

I have spent many hours on WS-Security, and this book was what finally got me up to speed on XML security.

Don Eastlake is an old IETF head. He did a great job with this book both in completeness and explanation. It is complete in that he covers everything. The explanations are clear with good examples.

I would note in passing, however, that you should consider the use of Fast Infoset, where the XML instance documents are replaced by ASN.1 instance documents. That is, if you serialize and deserialize based on an XSD, you are usually better off using the Fast Infoset approach. This can have an improvement of 40% smaller instance documents and 40% faster processing. This is a big win. See "Fast Infoset" in the Wikipedia. ASN.1 security is trivial because the RSA PKCS CMS specifications are all in ASN.1, using digital signatures and encryption.

5 out of 5 stars For an executive novice, this book shines

In researching business requirements for enterprise web services, it soon became obvious that XML security would be an important issue.

I happened across this book, with a seemingly simple format and am impressed with the information it provides, the progression of information, and how well I was able to understand and comprehend the concepts detailed.

After reading several books on XML in general, I would recommend this book to anyone just wanting to learn XML concepts.

I wish more technical books gave me the same feeling of usefulness that this one gave me.

As they say in the movie industry... "An enthusiastic thumbs up"

5 out of 5 stars A much-needed book

This is a great book. I rarely give a book 5 stars, but this one has earned it.

The author's technical and standards body background is a tremendous help in helping the reader sort out the substance from the hype. This book covers XML and cryptography basics, DTDs, XML Schema, XML digital signatures and encryption, and SOAP.

I like the author's comparisons of XML with other encoding schemes, particularly ASN.1 DER which is prevalent in the security standards world.

Also helpful are the author's "soapbox" comments, which handily dispel the notion that you should accept all parts of a standard as the absolute truth and the final word. For example, "X.500 identities are baroque hierarchical names in which each level of the hierarchy consists of an arbitrary, unordered set of attribute-value pairs. They are just one of the complexities and false assumptions (such as the assumption that everyone would allow themselves to be listed in one global public directory, including companies listing all their employees) that doomed the X.500 Directory as originally conceived". I love it!

You'd be hard pressed to go wrong with this book.

5 out of 5 stars With extensive discussion and practical examples

Collaboratively written by Donald Eastlake (Co-chair of the joint IETF/W3C XML Digital Signature working group) and freelance technical writer Kitty Niles, Secure XML: The New Syntax for Signatures and Encryption is a solid, accessible, step-by-step guide to the processes for encrypting and ensuring security of XML applications. Individual chapters competently address canonicalization and authentication, encryption, cryptographic and non-cryptographic algorithms, and much, much more. Highly recommended for advanced XML users, Secure XML is a comprehensive, technically proficient, and detailed instructional resource and reference filled from cover to cover with extensive discussion and practical examples.

5 out of 5 stars XML and cryptography?

Suppose you have XML data that you want to regularly send to Bob, across the Internet. But it is of a confidential nature, so you don't want to send it as plaintext. Well, you can try using low level encryptions, like SSL or TLS. But these don't give any authentication, i.e. Bob can't tell that you actually sent them. Also, once Bob gets the messages, they are all in plaintext, so he can't easily protect these against others, if he is on a multiuser computer.

One answer is to incorporate encryption into XML, by defining cryptographic standards that sit atop XML, and generate XML documents with encrypted data. These let you and Bob use powerful XML-based routines like XPath, XLink and XPointer. Plus, you can now do things like append your digital signature to your plaintext file, encrypt the combination with Bob's public key, and get a resultant XML document that you can send Bob. Upon receipt, he can decrypt it and verify that you are the author, all the while dealing with XML documents.

This book explains the emerging XML standards that make this possible. They discuss at a high level the various cryptographic algorithms, like AES [Advanced Encryption Standard], Diffie-Hellman and MD5. Little mathematics is needed, as they leave the mechanics of the algorithms to other books. Instead, they describe the XML infrastructure that uses these.

The book has a necessarily comprehensive description of canonicalisation, which refers to the rewriting of an XML document in a standard form, prior to encryption. Otherwise two semantically identical documents would give different ciphertexts, which is confusing.

If you have been wondering if you should encrypt your XML documents, and how to do so, this book may clarify many issues.

Last updated: Fri Dec 5 8:16:18 CST 2008
© Wattle Software 2007. All rights reserved.