The operational model for securing XML documents    

 

  The figures above illustrate the relationship between XML, DSL, and the DSL securing tool. Figure A shows the process of encrypting and embedding digital signatures. The encryption and digital signature details are stored in a DSL document comprising DP, DT, and DSig. DP is the security pattern definition, which specifies the combination of security algorithms and the encryption and decryption keys. DT is the transformation description definition, which specifies the actual data transformation of the element-wise encryption. DSig specifies how to embed digital signatures in the resulting XML document. The target XML document that is ready to be encrypted and signed is X, and the corresponding schema of X is S. The DSL securing tool reads, parses, and analyzes DP, DT, DSig, and X, and then generates Xs, S', and DP’. Xs is still an XML document, but some of its elements contain ciphertexts, which the DSL securing tool produces according to the encryption details recorded in DP and DT. In addition to the encrypted elements, Xs also contains signatures that are embedded by the DSL securing tool. Each signature signs a portion of the data in X. Note that DP and DP’ may contain different information: DP holds information describing how to encrypt X, whereas DP’ should include details of how to decrypt Xs. The essential feature of the relation between DP and DP’ is that the DSL securing tool generates DP’ according to DP. S' is the modified schema that recognizes the encrypted document Xs.

  The DSL securing tool also performs the reverse work of decryption and digital signature verification (see Figure B). This process is the inverse of the one in Figure A: Xs, DP’, and DSig are read, parsed, and analyzed by the DSL securing tool. The DSL securing tool decrypts some or all of the ciphertexts contained in Xs and generates X'. The important point is that X' is equal to X only if the DSL securing tool has all the keys and algorithms required to decrypt every ciphertext in Xs. If the user cannot obtain some of the necessary keys (usually private keys), then the elements in Xs whose ciphertexts depend on those keys will remain secured. The DSL securing tool should also report the results of digital signature verification according to the related information in Xs and DSig.
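
The element-wise behaviour described above, as an added Python sketch that is not the DSL securing tool's own code: it shows that X' equals X only when every key is available, and that elements whose keys are missing stay as ciphertext. Assumptions: DP and DT are modelled as plain dictionaries, the `enc-key` attribute is a hypothetical marker, keys are symmetric (so DP’ here holds the same keys as DP), the keystream is a toy stand-in for a vetted cipher, and signatures (DSig) are left out.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 counter keystream; a real tool would use a vetted cipher.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def secure(x: str, dp: dict, dt: dict) -> str:
    """X -> Xs: encrypt the text of each element named in dt with the dp key it selects."""
    root = ET.fromstring(x)
    for elem in root.iter():
        key_id = dt.get(elem.tag)
        if key_id is None or elem.text is None:
            continue
        nonce = os.urandom(12)
        ct = _xor_stream(dp[key_id], nonce, elem.text.encode())
        elem.text = base64.b64encode(nonce + ct).decode()
        elem.set("enc-key", key_id)          # hypothetical marker attribute
    return ET.tostring(root, encoding="unicode")

def recover(xs: str, dp_prime: dict) -> tuple:
    """Xs -> X': decrypt what dp_prime has keys for; report elements left secured."""
    root = ET.fromstring(xs)
    still_secured = []
    for elem in root.iter():
        key_id = elem.get("enc-key")
        if key_id is None:
            continue
        if key_id not in dp_prime:
            still_secured.append(elem.tag)   # ciphertext stays in place
            continue
        blob = base64.b64decode(elem.text)
        elem.text = _xor_stream(dp_prime[key_id], blob[:12], blob[12:]).decode()
        del elem.attrib["enc-key"]
    return ET.tostring(root, encoding="unicode"), still_secured

# Constructed sample document and keys (not from the original page).
X = "<order><item>book</item><card>4111-0000</card><salary>5200</salary></order>"
DP = {"k-pay": b"A" * 32, "k-hr": b"B" * 32}
DT = {"card": "k-pay", "salary": "k-hr"}
```

Calling `recover(secure(X, DP, DT), DP)` returns the original document with an empty list, while passing only the `k-pay` key returns a document in which `salary` is still ciphertext and is listed as secured.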