XML Signatures are a bad idea executed even worse

submitted by
Style Pass
2024-11-18 18:30:07

Let’s say you’re going to send Bob a message, and you want Bob to know it’s you that sent the message just by looking at the message. You’ll probably

Software engineers circa 2002 were committed to making their lives difficult, and a cornerstone of this masochism was doing everything with XML if at all possible. XML was hot. People were using its CSS-type thing and transformation language. There were like a dozen competing schema specs. Conferences with keynotes. Super cool.

So let’s repeat the above situation, but we’re going to pretend it’s 2002. Instead of reinventing the JWT, you’re gonna use the preferred standard of the time: XML Signatures. Conceptually, it works the same way, because there’s really only one way to skin this cat: convert message to bytes, sign bytes, send both to Bob.
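The "convert message to bytes, sign bytes, send both to Bob" pattern, as an added example that is not from the original post or from SSOReady. It assumes an HMAC over the raw bytes as the signing primitive (the post names no particular algorithm; a public-key signature follows the same shape), a constructed demo key, and a constructed XML message. The point it shows is that the signature binds exactly the bytes that were signed: a tampered message fails, and so does a semantically identical message whose serialization differs by a single byte, which is the edge case any byte-level scheme over XML has to deal with.

```python
import hmac
import hashlib

# Constructed demo key shared with Bob; a real deployment loads it from a key store.
KEY = b"demo-shared-secret-not-for-production"


def sign(message: bytes, key: bytes = KEY) -> bytes:
    """Sign the exact bytes of the message and return a detached signature."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, signature: bytes, key: bytes = KEY) -> bool:
    """Recompute the tag over the received bytes; compare in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def build_envelope(message: bytes) -> tuple[bytes, bytes]:
    """What gets sent to Bob: the message bytes and the signature over them."""
    return message, sign(message)


def demo() -> dict:
    """Exercise the three cases a verifier must get right."""
    # Constructed sample message.
    original = b'<msg from="alice">hello bob</msg>'
    msg, sig = build_envelope(original)

    results = {}
    # 1. Untouched bytes verify.
    results["intact"] = verify(msg, sig)
    # 2. Changing the content invalidates the signature.
    tampered = msg.replace(b"alice", b"mallory")
    results["tampered"] = verify(tampered, sig)
    # 3. Same XML meaning, one extra space before '>' : different bytes, so
    #    a byte-level signature no longer matches. This is why the receiver
    #    must verify the bytes it actually received, not a re-serialization.
    reserialized = b'<msg from="alice" >hello bob</msg>'
    results["reserialized"] = verify(reserialized, sig)
    return results


if __name__ == "__main__":
    print(demo())
```

`verify` deliberately takes the raw received bytes rather than a parsed document; re-parsing and re-serializing before verification would turn case 3 from a clean failure into a mismatch between what was checked and what is later processed.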

The joke here is that we’re pretending it’s 2002, but I assure you this story is relevant today. At bigger companies, employees log into all their software from tools like Okta or Microsoft Entra. That works using a decentralized, XML-flavored protocol called SAML. SAML relies entirely on XML Signatures to prove message authenticity. (At SSOReady, we’re in the business of making SAML a breeze to implement, which is why we care about it.)
