W3C LogoIETF Logo

Author: Joseph Reagle

Audience:  XML2000

Question: Overview of Signature


XML Signature

Joseph M. Reagle Jr.

IETF/W3C XML Signature Co-Chair

XML Signature Status

Design Principles/Goal

  1. The specification must describe how to use XML syntax to represent a signature over digital content (and XML content in particular).
  2. XML-signatures are generated from a hash over a list of references and the digest value of the references' content.
  3. The meaning of a signature is simple:  The XML-signature syntax associates the content of resources listed with a key via a strong one-way transformation.

Design Overview

    <Reference (URI=)? >

Design Example

[s01] <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/02/xmldsig#"> 
[s02]   <SignedInfo> 
[s03]     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000119"/> 
[s04]     <SignatureMethod Algorithm="http://www.w3.org/2000/02/xmldsig#dsa"/> 
[s05]     <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> 
[s06]       <Transforms> 
[s07]         <Transform Algorithm="http://www.w3.org/2000/02/xmldsig#c14n"/> 
[s08]       </Transforms> 
[s09]       <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"/> 
[s10]       <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue> 
[s11]     </Reference> 
[s12]   </SignedInfo> 
[s13]   <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> 
[s17] </Signature>

Features of Design

URI and Processing Model

Identifies the octets that represent the external resource 'http//example.com/bar.xml', that is probably XML document given its file extension.
Identifies the element with ID attribute value 'chapter1' of the external XML resource 'http://example.com/bar.xml', provided as an octet stream. (Not recommended)
Identifies the nodeset (minus any comment nodes) of the XML resource containing the signature
Identifies a nodeset containing the element with ID attribute value 'chapter1' of the XML resource containing the signature. XML Signature (and its applications) modify this nodeset to include the element plus all descendents including namespaces and attributes -- but not comments.


[s14]   <KeyInfo>
[s15a]    <KeyValue>
[s15b]      <DSAKeyValue>
[s15c]        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
[s15d]      </DSAKeyValue>
[s15e]    </KeyValue>
[s16]   </KeyInfo>


[p00] <Signature Id="MySecondSignature" ...> 
[p01]  <SignedInfo> ...
[p02]   <Reference URI="http://www.w3.org/TR/xml-stylesheet/">... 
[p03]   <Reference URI=" #AMadeUpTimeStamp "  
[p04]         Type="http://www.w3.org/2000/02/xmldsig#SignatureProperty">...
[p08]  </SignedInfo>  
[p09]  ...  
[p10]  <Object> 
[p11]   <SignatureProperties Id="AMadeUpTimeStamp"> 
[p12]     <SignatureProperty Target=" #MySecondSignature "> 
[p13]        <timestamp xmlns="http://www.ietf.org/rfcXXXX.txt">  
[p14]          <date>19990908</date>  
[p15]          <time>14:34:34:34</time>  
[p16]        </timestamp>  
[p17]     </SignatureProperty> 
[p18]   </SignatureProperties> 
[p19]  </Object>  


[s04]   <SignatureMethod Algorithm="http://www.w3.org/2000/02/xmldsig#dsa"/>

Type Algorithm Requirements Algorithm URI
Digest SHA1 REQUIRED http://www.w3.org/2000/09/xmldsig#sha1
Encoding Base64 REQUIRED http://www.w3.org/2000/09/xmldsig#base64 
MAC HMAC-SHA1 REQUIRED http://www.w3.org/2000/09/xmldsig#hmac-sha1
Signature DSAwithSHA1
REQUIRED http://www.w3.org/2000/09/xmldsig#dsa
Canonicalization CanonicalXML REQUIRED http://www.w3.org/TR/2000/WD-xml-c14n-20000907
Others XPath RECOMMENDED http://www.w3.org/TR/1999/REC-xpath-19991116

Near Future