
Difference between revisions of "XML Security Tools Proposal"

(Contribution)
(Description)
 
(17 intermediate revisions by 2 users not shown)
Line 7: Line 7:
 
== Background ==
 
== Background ==
  
Background information regarding the reason for the project and some high level goals.
+
XML is available almost everywhere nowadays. As configuration files, for data exchange, in XML enabled databases, web services and many more. And a lot of these applications and services do not secure their XML documents: neither encryption nor digital signatures are applied. Or standard transport security like https is used. This destroys the advantages of XML and prevents parsing.
  
* Provide goals
+
XML Security provides many advantages: the XML structure of the XML document remains intact, independent of the applied signature or encryption (or both). Arbitrary elements or element content can be secured, with different keys if desired. XML Security provides end-to-end-security, applying security directly to the message (information), not to the transport.
 +
 
 +
The XML Security Tools will show developers, how to secure XML documents and enable them to use these security features in their own environment. The intention of the tool is to spread the use of XML Security and to show users the power of the W3C recommendations.
  
 
== Description ==
 
== Description ==
  
Provide an overall description of the project.
+
The XML Security Tools will be based on a contribution from the XML-Security Plug-In project. This project was created by Dominik Schadow and is hosted on SourceForge. The goal of this project is to provide trained and untrained users and developers an easy access to XML Security: wizards and views to sign, verify, encrypt and decrypt arbitrary XML documents in different (XML) editors. The intention for the plug-in therefore was to teach users all about XML Security and to enable all users to easily secure their own XML documents. The plug-in is not only focused on e-learning, the XML Security tools can be used in a production environment too.
 +
 
 +
The XML-Security Plug-In uses the Apache XML Security API (Santuario) for securing XML documents. The included extensive online help enables new users to learn all about XML Security. The plug-in has an English GUI; the help files are completely in German.
 +
 
 +
Both W3C recommendations do not implement or require any new crypto algorithms that are not commonly available (the recommendations require some well known algorithms and recommend some more (optional) other). Apache Santuario does not offer or require any algorithm implementation; neither does the XML-Security Plug-In.
 +
 
 +
The algorithms that are required by both W3C recommendations are available in a standard Java installation (maybe not with the maximum strength). Of course crypto libraries like BouncyCastle can be used as well, which offer some more algorithms.
  
 
== Organization ==
 
== Organization ==
  
We propose sources under EPL for initial contribution, including customizable encrypting and decrypting of XML files based on the W3C XML Encryption specification.
+
We propose sources under EPL for initial contribution, including customizable signing, verifying, encrypting and decrypting of XML files based on the W3C XML Signature, XML Encryption and other related specifications.
  
XML Security Tools features are organized into different topics :
+
XML Security Tools features are organized into different topics:
 +
 
 +
* XML Digital Signatures and Verification
 +
 
 +
* XML Encryption and Decryption
 +
 
 +
* Utils like Canonicalization, key generation
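Review bot: In the added Background paragraph, "Or standard transport security like https is used. This destroys the advantages of XML and prevents parsing." reads as if HTTPS itself prevents parsing, and it is unclear what "This" refers to. State explicitly what is being contrasted; the next added paragraph already makes the distinction that matters (security applied "directly to the message (information), not to the transport"). In the added Description text, "(maybe not with the maximum strength)" should also name the limitation it has in mind rather than hint at it.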
  
  
Line 26: Line 40:
 
== Contribution ==
 
== Contribution ==
  
Contribution will consist in an initial set of source plugins :
+
The contribution will consist of an initial set of source plug-ins based on the [http://sourceforge.net/projects/xml-security XML-Security Plug-In]
  
[http://sourceforge.net/projects/xml-security Current home of the Eclipse XML Security Plugins]
+
'''de.xmlsicherheit'''
  
* de.xmlsicherheit
 
 
''The core plug-in (several wizards, view, preference pages).''
 
''The core plug-in (several wizards, view, preference pages).''
* de.xmlsicherheit.help
+
 
 +
'''de.xmlsicherheit.help'''
 +
 
 
''Help contents (information about the W3C recommendations on XML security and a plug-in guide), completely in German.''
 
''Help contents (information about the W3C recommendations on XML security and a plug-in guide), completely in German.''
* org.apache.xalan
+
 
 +
'''org.apache.xalan'''
 +
 
 
''Apache Xalan, required by org.apache.xml.security and de.xmlsicherheit.''
 
''Apache Xalan, required by org.apache.xml.security and de.xmlsicherheit.''
* org.apache.xml.security
+
 
 +
'''org.apache.xml.security'''
 +
 
 
''Apache XML Security (Santuario).''
 
''Apache XML Security (Santuario).''
* de.xmlsicherheit.feature
+
 
 +
'''de.xmlsicherheit.feature'''
 +
 
 
''Feature containing all four plug-ins.''
 
''Feature containing all four plug-ins.''
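Review bot: The bundled third-party plug-ins org.apache.xalan and org.apache.xml.security are listed without a version or licence, while the Organization section proposes the sources under EPL. State which Xalan and Santuario releases are included and under which licence they are redistributed, so the contribution can be reviewed and the bundles can be updated when those libraries ship security fixes.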
  
Line 56: Line 77:
 
=== Component lead/Committer ===
 
=== Component lead/Committer ===
 
*[mailto:info@xml-sicherheit.de Dominik Schadow]
 
*[mailto:info@xml-sicherheit.de Dominik Schadow]
''Dominik is the developer of the XML-Security Plug-In, the Eclipse e-learning plug-in for XML security, and has been working with XML Security for several years now. He is also the lead of the JCrypTool project which develops a cryptography e-learning RCP.''
+
''Dominik is the developer of the XML-Security Plug-In, the Eclipse e-learning plug-in for XML security, and has been working with XML Security for several years now. He is also the lead of the JCrypTool project, which develops a cryptography e-learning rich client based on the Eclipse Rich Client Platform.''
  
 
=== Committers ===
 
=== Committers ===
Line 66: Line 87:
 
The Web Services, SOA, and XML communities are obviously the main target and audience for this component. We are expecting and will actively pursue during the proposal and incubation phases, active participation.
 
The Web Services, SOA, and XML communities are obviously the main target and audience for this component. We are expecting and will actively pursue during the proposal and incubation phases, active participation.
  
 +
* [http://www.starstandard.org/ Standards for Technology in Automotive Retail] - in business to business web services, there is a need at times to do payload as well as indiviual element encryption.  The [http://www.w3.org/Encryption/2001/ XML Encryption] and [http://www.w3.org/Signature/ XML Digital Signature] specifications play a vital role in many Web Service specifications.
  
 
== User community ==
 
== User community ==
  
The existing Web Service and XML developer/user community will be the primary user base.
+
The existing Web Service and XML developer/user community will be the primary user base. The XML-Security Plug-In already has a (smaller) user community, mainly located in the educational area.  Beyond education the XML-Security Plug-In can be of benefit in the following software stacks:
 +
 
 +
* Service Orient Architecture
 +
* Web Services
 +
** Encryption of SOAP Headers and Payloads
 +
** Encryption of REST, and XML over HTTP web services.
 +
* General Security of XML file content.
  
 
== Links ==
 
== Links ==
* [http://sourceforge.net/projects/xml-security Eclipse XML Security]
+
* [http://sourceforge.net/projects/xml-security XML-Security Plug-In]
* [http://www.w3.org/TR/xmlenc-core/ W3C XML Encryption Specification]
+
* [http://www.xml-sicherheit.de XML Security]
 +
* [http://www.w3.org/TR/xmldsig-core/ W3C XML Signature Recommendation]
 +
* [http://www.w3.org/TR/xmlenc-core/ W3C XML Encryption Recommendation]
 
* [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss OASIS WS-Security]
 
* [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss OASIS WS-Security]
* [http://www.w3.org/TR/xmldsig-core/ W3C XML Digital Signature Specification]
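Review bot: In the added User community list, both web-service sub-items mention only encryption ("Encryption of SOAP Headers and Payloads", "Encryption of REST, and XML over HTTP web services"), although the proposal covers signing and verifying as well; add signatures there or reword to "securing". Two typos in the added lines also need fixing: "indiviual" and "Service Orient Architecture".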
 

Latest revision as of 15:06, 2 September 2008

The XML Security Tools is a proposed open source component under the Eclipse Web Tools Project.

This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process document) and is written to declare its intent and scope. This proposal is written to solicit additional participation and input from the Eclipse community. You are invited to comment on and/or join the component. Please send all feedback to the Web Tools newsgroup.

The initial contribution pdf document is available .

Background

XML is used almost everywhere nowadays: in configuration files, for data exchange, in XML-enabled databases, in web services and many more. Many of these applications and services do not secure their XML documents: neither encryption nor digital signatures are applied. In other cases, standard transport security such as HTTPS is used. This destroys the advantages of XML and prevents parsing.

XML Security provides many advantages: the structure of the XML document remains intact, regardless of the applied signature or encryption (or both). Arbitrary elements or element content can be secured, with different keys if desired. XML Security provides end-to-end security, applying security directly to the message (information), not to the transport.

The XML Security Tools will show developers how to secure XML documents and enable them to use these security features in their own environment. The intention of the tool is to spread the use of XML Security and to show users the power of the W3C recommendations.

Description

The XML Security Tools will be based on a contribution from the XML-Security Plug-In project. This project was created by Dominik Schadow and is hosted on SourceForge. The goal of this project is to give trained and untrained users and developers easy access to XML Security: wizards and views to sign, verify, encrypt and decrypt arbitrary XML documents in different (XML) editors. The intention for the plug-in therefore was to teach users all about XML Security and to enable all users to easily secure their own XML documents. The plug-in is not only focused on e-learning; the XML Security tools can be used in a production environment too.

The XML-Security Plug-In uses the Apache XML Security API (Santuario) for securing XML documents. The included extensive online help enables new users to learn all about XML Security. The plug-in has an English GUI; the help files are completely in German.

Neither W3C recommendation implements or requires any new crypto algorithms that are not commonly available (the recommendations require some well-known algorithms and recommend some additional, optional ones). Apache Santuario does not offer or require any algorithm implementation; neither does the XML-Security Plug-In.

The algorithms that are required by both W3C recommendations are available in a standard Java installation (though possibly not at maximum strength). Crypto libraries such as BouncyCastle, which offer some more algorithms, can of course be used as well.

Organization

We propose sources under EPL for initial contribution, including customizable signing, verifying, encrypting and decrypting of XML files based on the W3C XML Signature, XML Encryption and other related specifications.

XML Security Tools features are organized into different topics:

  • XML Digital Signatures and Verification
  • XML Encryption and Decryption
  • Utilities such as canonicalization and key generation


The primary focus of the XML Security Tools component will be on extensibility & robustness of basic features.

Contribution

The contribution will consist of an initial set of source plug-ins based on the XML-Security Plug-In:

de.xmlsicherheit

The core plug-in (several wizards, view, preference pages).

de.xmlsicherheit.help

Help contents (information about the W3C recommendations on XML security and a plug-in guide), completely in German.

org.apache.xalan

Apache Xalan, required by org.apache.xml.security and de.xmlsicherheit.

org.apache.xml.security

Apache XML Security (Santuario).

de.xmlsicherheit.feature

Feature containing all four plug-ins.

Tentative Plan

  • Initial Eclipse.org presence in ??? 2008
    • website
    • CVS repository, seeded with source code from current contribution
    • Bugzilla repository
  • v0.5: ??? 2009

Initial committers and contributors

The initial committers will initially focus on providing an open, well-documented API. Our agile development process will follow eclipse.org's standards for openness and transparency. Our goal is to provide the infrastructure and APIs needed to allow the integration/generation of additional model search engines. We also plan to help improve the Eclipse platform by submitting patches and extension point suggestions. The initial team will consist of several part-time resources:

Component lead/Committer

Dominik is the developer of the XML-Security Plug-In, the Eclipse e-learning plug-in for XML security, and has been working with XML Security for several years now. He is also the lead of the JCrypTool project, which develops a cryptography e-learning rich client based on the Eclipse Rich Client Platform.

Committers

  • David Carver - Standards for Technology in Automotive Retail

David is one of the committers on the XSL Tools incubator project. He has been working on the content assistance and XPath parsing abilities. He is also mentoring the XQuery Summer of Code project. He works daily with a wide variety of XML-related technologies for the automotive retail industry.

Interested parties

The Web Services, SOA, and XML communities are obviously the main target and audience for this component. We expect, and will actively pursue, active participation during the proposal and incubation phases.

User community

The existing Web Service and XML developer/user community will be the primary user base. The XML-Security Plug-In already has a (smaller) user community, mainly located in the educational area. Beyond education, the XML-Security Plug-In can be of benefit in the following software stacks:

  • Service Oriented Architecture
  • Web Services
    • Encryption of SOAP headers and payloads
    • Encryption of REST and XML-over-HTTP web services
  • General security of XML file content

Links
