The World Wide Web Consortium (W3C) has issued the XML Encryption Syntax and Processing specification and the Decryption Transform for XML Signature as W3C Recommendations, representing cross-industry agreement on an XML-based approach for securing XML data in a document.
A W3C Recommendation indicates that a specification is stable, contributes to Web interoperability, and has been reviewed by the W3C Membership, who favor its widespread adoption.
Encryption is the process of scrambling information such that it is only readable by intended recipients, after unscrambling. While an encrypted message or file may be accessible to a wide community, such as network intermediaries, it is not meaningful to those intermediaries, or to eavesdroppers who may be watching information packets travel across a network. Encrypted data has been rendered opaque by mathematically encrypting it in a way that makes it unreadable to anyone except those possessing the secret, or "key" to decrypt it.
When exchanging sensitive data (e.g., financial or personal information) over the Internet, senders and receivers require secure communications. Although there are deployed technologies that allow senders and receivers to secure a complete data object or communication session, only W3C XML Signature (together with the new W3C XML Encryption Recommendation) permits users to selectively sign and encrypt portions of XML data. For example, a user of a Web services protocol such as SOAP may want to encrypt the payload part of the XML message but not the information necessary to route the payload to its recipient. Or, an XForms application might require that the payment authorization be digitally signed, and the actual payment method, such as a credit card number, be encrypted. And, of course, XML Encryption can be used to secure complete data objects as well, such as an image or sound file.
The associated "Decryption Transform for XML Signature" Recommendation permits one to use encryption with XML Signature. One feature of XML Signature is to ensure a document's integrity: to detect if the document is altered. However, many applications require the ability to first sign an XML document and then encrypt parts of it, altering the document. The Decryption Transform lets the receiver know which portions of the document to decrypt, restoring the document to its unaltered state, before it can check the signature.
Numerous applications and other specifications are already utilizing XML Encryption, as shown in the Implementation and Interoperability Report filed by the W3C XML Encryption Working Group. In particular, Web services specifications that need to secure their payloads will be utilizing this Recommendation. Many companies have stated support and plans to implement XML Encryption.
XML Encryption was developed by the W3C XML Encryption Working Group, consisting of both individuals and the following W3C Members: Baltimore Technologies; BEA Systems; DataPower; IBM; Microsoft; Motorola; University of Siegen; Sun Microsystems; and VeriSign.