Johannes Ernst's Blog

More on XML-RSIG

John Merrells of SXIP and others have been asking for an update on my XML-RSIG (as in "really simple XML signatures") proposal. Here you are...

Phil Brooke so far has produced the most comprehensive paper on XML-RSIG, at 14 pages! (it's in PDF, download here). He performed a systematic evaluation and suggests a number of improvements, such as:

  • converting the last white-space character of lines to hexadecimal form, such as  , in order to prevent OpenPGP from removing trailing white space
  • using ASCII-armored signatures only
  • making a signature node generally the first child node of a parent, in order to optimize processing
  • including any included content from an XInclude statement when processing the signature
  • always using UTF-encoding
  • signing and verification operations should be in "text" mode.
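
Why the first suggestion matters, as an added example (not code from Phil Brooke's paper or from the XML-RSIG proposal): OpenPGP cleartext signing drops trailing spaces and tabs from each line before hashing (RFC 4880, section 7.1), so two XML documents that differ only in trailing whitespace would verify under the same signature. The sketch assumes the "hexadecimal form" is an XML character reference such as `&#x20;`, and uses SHA-256 as a stand-in for the digest the signature covers; the function names and sample documents are constructed for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

def openpgp_text_canonical(text: str) -> bytes:
    """Approximate what a cleartext signature hashes: trailing spaces/tabs
    removed from every line, line endings converted to CRLF."""
    lines = text.split("\n")
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")

def signed_digest(text: str) -> str:
    """Digest of the canonical form (stand-in for the signed hash)."""
    return hashlib.sha256(openpgp_text_canonical(text)).hexdigest()

def escape_trailing_ws(text: str) -> str:
    """Replace the last space or tab of each line with a hex character
    reference, so the line no longer ends in strippable whitespace.
    The reference syntax is an assumption, not taken from the paper."""
    def repl(m):
        return m.group(1) + "&#x%X;" % ord(m.group(2))
    return "\n".join(re.sub(r"^(.*)([ \t])$", repl, line)
                     for line in text.split("\n"))

def same_xml_content(a: str, b: str) -> bool:
    """True if both documents parse to the same root text content."""
    return ET.fromstring(a).text == ET.fromstring(b).text

# Constructed sample: ORIGINAL has significant trailing whitespace inside
# element content; ALTERED has had it removed after signing.
ORIGINAL = "<msg>first line  \nsecond line\t\n</msg>"
ALTERED = "<msg>first line\nsecond line\n</msg>"

if __name__ == "__main__":
    # Without escaping, the change is invisible to the signature.
    print("unescaped digests equal:",
          signed_digest(ORIGINAL) == signed_digest(ALTERED))
    # With escaping, the two documents hash differently.
    print("escaped digests equal:",
          signed_digest(escape_trailing_ws(ORIGINAL))
          == signed_digest(escape_trailing_ws(ALTERED)))
    # The escaped form still parses to the original content.
    print("content preserved:",
          same_xml_content(ORIGINAL, escape_trailing_ws(ORIGINAL)))
```
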

His paper is worth reading. It appears that he has not found any XML-RSIG show-stoppers in his experiments, and I very much appreciate his suggestions.

Also, John Kemp told me about a recent article he wrote titled "XML Signatures in PHP", which makes the case that while XML-DSig is hard, it is maybe not as hard as some people may think. He has some example code showing how to connect Aleksey Sanin's XML Security Library to PHP and use it to sign XML with XML-DSig in a web context.

Based on this and previous feedback, I'll produce a revised proposal some time soon.
