Show me the code! – By Davanum Srinivas

July 31, 2007

Signing XML documents a "Revelation"?

Filed under: Uncategorized — Davanum Srinivas @ 1:22 pm

Agile Financial Publishing

Atomic Financial Publishing

Why is this such a *big* deal? And why has it taken the REST crowd so long to discover? Guess they do have some stuff to learn from us. We’ve been doing this for years.



  1. Questions:

    1) What year was the web invented?

    2) What year was signing of documents invented?

    3) What year was SOAP invented?

    4) What year was the first major company’s financial data released on the web using wss4j?

    Comment by Sam Ruby — July 31, 2007 @ 5:31 pm

  2. You have been doing it for years? Where? There are more SOAP stacks than there are SOAP services on the web, as the bon mot goes. These people, on the other hand, are actually doing it on the open web.

    That is a big deal.

    Comment by Aristotle Pagaltzis — July 31, 2007 @ 6:19 pm

  3. Aristotle,
    Wow! By all means celebrate the great achievement!! If you can’t even acknowledge “prior art”…

    Comment by davanum — August 1, 2007 @ 1:10 am

  4. Sam,
    You got me on #4. I guess the RSS/ATOM+Signed Documents for financial data has not yet happened either. Status Quo right? BTW, I had the exact same reaction when I saw the brouhaha over LDAP as a data store. BTW, I am not defending SOAP. I am just stating a fact that this has been done before and therefore no big deal. It’s catch up time!


    Comment by davanum — August 1, 2007 @ 1:17 am

  5. Signed documents have been done before; WS-* wasn’t the first to do it either. Who cares? The only thing that matters is what folks are actually doing now and what they’re going to do to make it better.

    Comment by James Snell — August 1, 2007 @ 10:27 am

  6. Actually, #1 and #2 predated #3.

    So… what is actually happening here? HTTP and digital signing have been around for a while, but the financial community has ignored them. Then SOAP came along, and bundled it all up, and … the financial community continues to ignore these protocols (at least on the public web).

    Now feeds come along. They lower the barrier to entry. Sure enough Sun stumbles a little bit initially, but quickly produces valid feeds, and sets action plans in place to correct the remaining issues.

    And, yes, those action plans involve things that predate SOAP.

    Comment by Sam Ruby — August 1, 2007 @ 10:54 am

  7. Prior art… well, RFC 4287 basically says “see XML DigSig/XML Encryption”, both of which were ratified in 2002. Can you point me to any WS-* efforts that predate them?

    Comment by Aristotle Pagaltzis — August 1, 2007 @ 2:04 pm

  8. Aristotle, Sam, Where did I say that SOAP predates XML DSig/XML Enc? Why is it so hard to ack that others have been using these for some time now and feeds are just starting to? And it’s no big deal since the technology has been around for some time? And that it is high time that it gets adopted?

    Comment by davanum — August 1, 2007 @ 8:27 pm

  9. I think time is better spent increasing the adoption of signed feeds and understanding what worked for others who adopted the same specs for whatever they were doing. If there’s *any* interest in that, please let me know.

    Comment by davanum — August 1, 2007 @ 8:39 pm

  10. Dims, please keep in mind that some of us working in the signed-feed space were also involved in the signed-soap space long before the standards were finished.

    In any case, if you have specific suggestions on how to improve the signed feed experience and adoption, please share. I for one take this stuff very seriously and am more than willing to cough up the code necessary to make it work.

    Comment by James Snell — August 2, 2007 @ 12:07 am

  11. Dims, Where did I say that you said that SOAP predates XML DSig/XML Enc?


    Like James, I too was actively involved not only in the development of SOAP stacks, but specifically in the signing and encryption of SOAP envelopes.

    This makes your assertion about “they” and “us” a bit confusing.

    Comment by Sam Ruby — August 2, 2007 @ 5:57 am

  12. Sam, James,
    Touché! I apologize 🙂

    Example: do you have a case for signing the feeds twice?


    Comment by davanum — August 2, 2007 @ 2:21 pm

  13. To this point no. What I have seen a case for, however, are feeds in which individual entries within the feed are signed as well as the feed.

    Comment by James Snell — August 3, 2007 @ 11:36 pm
