Why XML signatures suck

This points to a well written analysis on what’s wrong with XML signatures.

“Imagine how this would end up in court: “Your honour,
although the plaintiff claims we signed this, we have 39 differently-
canonicalised forms that show we didn’t, 18 different namespace types that
prove the plaintiff is in fact at fault and not us, 7 applications of DTDs
that show beyond a doubt that they owe us the amount they’re claiming, and
four schemas whose use will clearly show that we have rights to their house
and car as well”.”

Add the european signature law, and this gets just plain unusable. The demand for a viewer that enforces “what you see is what you sign” is quite hard to satisfy.

I’d actually like to see a case like this in court, to be able to point out to standards committees and law makers alike how crazy this all is. If you want to know why digital signatures still haven’t caught on, this is a good example.


  1. Pingback: DeveloperZen.com
  2. Pingback: DeveloperZen.com
  3. Pingback: DeveloperZen.com

Leave a Reply

Your email address will not be published. Required fields are marked *