Now, here is an interesting talking point: XML Encryption (XMLEnc) is bad.
“Why?”, you might ask. Well, in their lack of infinite wisdom, the XML encryption community left out a very important concept: Authenticated Encryption, i.e. combining signatures and encryption to produce ciphertext that maintains confidentiality and can be associated with a key (i.e. a subject/identity/principal/whatever). Section 6.1 in XMLEnc-Core reads:
“The application of both encryption and digital signatures over portions of an XML document can make subsequent decryption and signature verification difficult.”
“[…] the interaction of encryption and signing is an application issue and out of scope of the specification.”
So, essentially, AE is left as an exercise to the reader. This is not good, particular since AE is not too complex, and – in fact – quite well understood. See RFC 3961 (Kerberos) or “Authenticated Encryption …” by M. Bellare et al.
Without AE, XML encryption is not complete and – for many real security applications – useless.
CMS also (RFC3852) gets it right, so what’s XMLenc’s excuse?