Secure XML: The New Syntax for Signatures and Encryption

ASIN: 0201756056
Average Customer Review: 5.0, based on 8 reviews.
Customer reviews (5 of 8)
For an executive novice, this book shines, 2003-03-18, Rating: 5.
In researching business requirements for enterprise web services, it soon became obvious that XML security would be an important issue.

I happened across this book, with a seemingly simple format, and am impressed with the information it provides, the progression of information, and how well I was able to understand and comprehend the concepts detailed.

After reading several books on XML in general, I would recommend this book to anyone just wanting to learn XML concepts.

I wish more technical books gave me the same feeling of usefulness that this one gave me.

As they say in the movie industry... "An enthusiastic thumbs up"
A much-needed book, 2003-02-12, Rating: 5.
This is a great book. I rarely give a book 5 stars, but this one has earned it.

The author's technical and standards body background is a tremendous help in helping the reader sort out the substance from the hype. This book covers XML and cryptography basics, DTDs, XML Schema, XML digital signatures and encryption, and SOAP.

I like the author's comparisons of XML with other encoding schemes, particularly ASN.1 DER, which is prevalent in the security standards world.

Also helpful are the author's "soapbox" comments, which handily dispel the notion that you should accept all parts of a standard as the absolute truth and the final word. For example, "X.500 identities are baroque hierarchical names in which each level of the hierarchy consists of an arbitrary, unordered set of attribute-value pairs. They are just one of the complexities and false assumptions (such as the assumption that everyone would allow themselves to be listed in one global public directory, including companies listing all their employees) that doomed the X.500 Directory as originally conceived". I love it!

You'd be hard pressed to go wrong with this book.
With extensive discussion and practical examples, 2002-10-08, Rating: 5.
Collaboratively written by Donald Eastlake (Co-chair of the joint IETF/W3C XML Digital Signature working group) and freelance technical writer Kitty Niles, Secure XML: The New Syntax for Signatures and Encryption is a solid, accessible, step-by-step guide to the processes for encrypting and ensuring security of XML applications. Individual chapters competently address canonicalization and authentication, encryption, cryptographic and non-cryptographic algorithms, and much, much more. Highly recommended for advanced XML users, Secure XML is a comprehensive, technically proficient, and detailed instructional resource and reference filled from cover to cover with extensive discussion and practical examples.
XML and cryptography?, 2002-10-07, Rating: 5.
Suppose you have XML data that you want to regularly send to Bob, across the Internet. But it is of a confidential nature, so you don't want to send it as plaintext. Well, you can try using low level encryptions, like SSL or TLS. But these don't give any authentication, i.e. Bob can't tell that you actually sent them. Also, once Bob gets the messages, they are all in plaintext, so he can't easily protect these against others, if he is on a multiuser computer.

One answer is to incorporate encryption into XML, by defining cryptographic standards that sit atop XML, and generate XML documents with encrypted data. These let you and Bob use powerful XML-based routines like XPath, XLink and XPointer. Plus, you can now do things like append your digital signature to your plaintext file, encrypt the combination with Bob's public key, and get a resultant XML document that you can send Bob. Upon receipt, he can decrypt it and verify that you are the author, all the while dealing with XML documents.

This book explains the emerging XML standards that make this possible. They discuss at a high level the various cryptographic algorithms, like AES [Advanced Encryption Standard], Diffie-Hellman and MD5. Little mathematics is needed, as they leave the mechanics of the algorithms to other books. Instead, they describe the XML infrastructure that uses these.

The book has a necessarily comprehensive description of canonicalisation, which refers to the rewriting of an XML document in a standard form, prior to encryption. Otherwise two semantically identical documents would give different ciphertexts, which is confusing.

If you have been wondering if you should encrypt your XML documents, and how to do so, this book may clarify many issues.
The book on XML security, 2002-09-30, Rating: 5.
When you read the XML specification, you will notice that it contains no notion of security. Critical security functionalities such as encryption, digital signatures, and authentication are simply not part of the XML standard. XML is similar to many other protocols, languages, and operating systems in that it was originally developed without any thought to security and privacy. It is only after serious security vulnerabilities are discovered and publicized that they are patched. But this find, patch, fix mentality of information security is dangerous in that security problems can exist for months or years before they are found.

Similarly within XML, much of the security functionality has been added post facto, namely in Canonical XML, XML Signature, and XML Encryption Syntax and Processing. By adding security to the core feature set of XML, the W3C has ensured that, to a degree, the find, patch, fix method won't be the manner in which XML security is developed. A good reference book can help you navigate this XML security landscape.

Topics such as authentication, encryption, XML signatures, algorithms, and keying are discussed. For the most part, the bulk of XML security is covered.

Donald Eastlake, the lead author of Secure XML: The New Syntax for Signatures and Encryption, is the co-chairman of the joint IETF/W3C XML Digital Signature working group, a member of the W3C Encryption and W3C XML Key Management System working groups, and co-author of the XML Digital Signature, XML Encryption, and XML Exclusive Canonicalization standards. It is clear that Eastlake lives and breathes XML. As Eastlake is a writer of numerous W3C XML standards, and standards are often written in a terse and abstract manner, his book has a slightly stiffer writing style than XML Security. If you can get over this style, you can appreciate the comprehensive and authoritative look at XML the book provides from one of the key architects of the syntax.

Secure XML covers and details every XML security feature. Also, it spends a lot of time giving examples of syntax and language use. This is especially so in chapter 9, XML Canonicalization - The Key to Robustness. Canonicalization is the extraction of the standard form of some data and the discarding of insignificant aspects of the data's surface representations. The book notes that getting the right canonicalization is one of the most important, yet difficult aspects of digital authentication within XML. Chapter 10 goes into great detail about XML signatures and authentication. The chapter gives numerous code examples of various contexts, schemas, and elements that readers can use on their own XML servers. Chapter 10 also has numerous notes and historical information about XML security with information that can't be found elsewhere.
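Two of the reviews above make the same point about canonicalization: semantically identical XML documents must digest (and therefore sign or encrypt) identically, which is why XML Signature hashes a canonical form and not the raw bytes. The snippet below is an added illustration of that point and is not code from the book or from any reviewer; it uses Python's standard-library `xml.etree.ElementTree.canonicalize` (C14N 2.0, Python 3.8+) as a stand-in for the C14N 1.0 / Exclusive C14N forms the book covers, and the two order documents are constructed for the demonstration.

```python
"""Why XML Signature digests a canonical form rather than the raw bytes.

Added example, not from the book or the reviews. Uses the standard library's
xml.etree.ElementTree.canonicalize (C14N 2.0, Python 3.8+); XML Signature itself
specifies C14N 1.0 / Exclusive C14N, but the principle shown is the same.
"""
import hashlib
from xml.etree import ElementTree as ET

# Two constructed documents with the same information content but different
# surface syntax: attribute order, quote style, empty-element form,
# inter-element whitespace, and a numeric vs. a named character reference.
DOC_A = b'<order id="42" currency="EUR"><item sku="A1"/><note>Paid &#38; shipped</note></order>'
DOC_B = (b"<order currency='EUR' id=\"42\" >\n"
         b"  <item sku='A1'></item>\n"
         b"  <note>Paid &amp; shipped</note>\n"
         b"</order>")


def raw_digest(doc: bytes) -> str:
    """SHA-256 over the bytes on the wire: changes whenever anything re-serializes the XML."""
    return hashlib.sha256(doc).hexdigest()


def canonical_form(doc: bytes) -> str:
    """Canonical serialization: sorted attributes, double quotes, <x></x> for empty
    elements, standard escaping; strip_text drops whitespace-only text nodes."""
    return ET.canonicalize(xml_data=doc.decode("utf-8"), strip_text=True)


def canonical_digest(doc: bytes) -> str:
    """SHA-256 over the canonical form: what a ds:DigestValue should be computed over."""
    return hashlib.sha256(canonical_form(doc).encode("utf-8")).hexdigest()


def same_document(doc_a: bytes, doc_b: bytes) -> bool:
    """Verifier-side equality: equal canonical digests means a signature over one
    still verifies after the other has passed through a re-serializing intermediary."""
    return canonical_digest(doc_a) == canonical_digest(doc_b)


if __name__ == "__main__":
    print("raw digests equal:      ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical form:         ", canonical_form(DOC_A))
    print("canonical digests equal:", same_document(DOC_A, DOC_B))
```

The raw digests differ while the canonical digests match, which is exactly the "confusing" failure the third review describes when canonicalization is skipped.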
