176 Chapter 5 • XML Digital Signatures

Issues such as this one are extremely important to consider if you are a software developer (say, for example, if you are creating a secure e-mail application that uses XML digital signatures behind the scenes so that the user never actually sees the XML).

You will probably see an increase in the use of encryption and digital signatures when both the XML encryption and XML digital signature specifications are finalized. They both provide a well-structured way in which to communicate each respective process, and with ease of use comes adoption. Encryption ensures that confidential information stays confidential through its perilous journey over the Internet, and digital signatures ensure that you are communicating with the person you think you are communicating with and that the data has not been altered. Yet both these specifications have some evolving to do, especially when they are used concurrently. Currently, there is no way to determine if a document that was signed and encrypted was signed using the encrypted or unencrypted version of the document. Typically, these little bumps find a way of smoothing themselves out over time.

Vendor Toolkits

Several toolkits are available for working with XML digital signatures. The following is a partial list of useful tools. Be aware that the standard does not specify the API for any toolkits; it only defines the behavior of the libraries. Consequently, the APIs can differ between toolkits and are subject to change between releases for a given toolkit. The current versions of the open tools are available at ftp://ftp.taygeta.com/pub/xml. Take a look at these toolkits:

- http://xml.apache.org/security/: Provides Java software that implements a suggested programming API for the creation and verification of arbitrary forms of XML signatures.
- http://www.aleksey.com/xmlsec/: This is the XML Security Library, an excellent C library implementation of an XML digital signature API. This software package includes a demonstration front-end program, xmlsec, which can be used for the creation and verification of digital signatures from the command line. Most examples demonstrated in this chapter were created with the use of xmlsec.
- http://xmlsoft.org/XSLT/: This is the XSLT C library for Gnome. This library implements the XML XSLT language. It is part of the Gnome project (hence the name), but it does not require Gnome in

www.syngress.com