This technical note describes how to use the XML Digital Signature Recommendation [XMLDSIG] in a way consistent with the present (fall 2006) XML environment. In particular, this note takes into account the recent xml:id Version 1.0 [XMLID] Recommendation, and work in progress towards a Canonical XML Version 1.1 [C14N11] Recommendation.
This note suggests constraints on the use of XML Signature, and relies on extension points present in the XML Digital Signature Recommendation. This note does not override any aspect of that Recommendation.
This document is an editors' copy that has no official standing.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
The current version of this document was developed by the XML Security Specification Maintenance Working Group, as part of the Security Activity, revising an earlier version developed by the XML Core Working Group as part of the XML Activity. A companion Note, "Known Issues with Canonical XML 1.0 (C14N/1.0)" [C14NNOTE], discusses in detail some of the issues related to the inheritance of certain XML attributes and the Canonical XML Recommendation 1.0 [C14N10].
Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
2. Use of Canonical XML 1.1 with XML Signatures
2.1 Use Canonical XML 1.1 Instead Of Canonical XML 1.0
2.2 Explicitly Canonicalize All Node-Sets
3. Algorithm Identifiers
Canonical XML 1.1 [C14N11] revisits assumptions made in the original Canonical XML specification [C14N10] that have subsequently been invalidated by further developments in the XML area. In particular, the transformations specified in [C14N11] can be safely applied in the presence of attributes such as xml:id [XMLID] and
Implementations MUST NOT apply the Canonical XML 1.0 transformations to nodesets that contain xml:base elements. Implementations SHOULD apply Canonical XML 1.1 to such nodesets.
Where canonicalization algorithms are identified by URI, the Canonical XML 1.1 algorithms SHOULD be identified using the algorithm URIs defined in section 3 of this note.
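The following script is an added illustration and is not part of this note or of either Canonical XML specification. It models only the step of the two algorithms that this section is concerned with: the treatment of attributes in the xml namespace on an "apex" element, that is, an element that is in the canonicalized node-set while its parent is not. The constructed document, the function names and the use of urllib's urljoin in place of the join-URIs procedure of [C14N11] are assumptions of the example.

```python
# Added illustration (not part of this note): models only the attribute
# inheritance step of Canonical XML 1.0 and 1.1 for an "apex" element, i.e.
# an element that is in the canonicalized node-set while its parent is not.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

XML_NS = "http://www.w3.org/XML/1998/namespace"
XML_ID = "{%s}id" % XML_NS
XML_BASE = "{%s}base" % XML_NS

# Constructed sample document.  The signed node-set is the <item> subtree;
# its ancestors (outside the node-set) carry xml:id, xml:base and xml:lang.
SAMPLE = """<doc xml:id="root" xml:base="http://example.test/docs/" xml:lang="en">
  <section xml:base="reports/">
    <item xml:base="q3.xml">quarterly figures</item>
  </section>
</doc>"""


def _parents(root):
    return {child: parent for parent in root.iter() for child in parent}


def _xml_attrs(elem):
    """Attributes of elem that live in the xml namespace."""
    prefix = "{%s}" % XML_NS
    return {k: v for k, v in elem.attrib.items() if k.startswith(prefix)}


def apex_attrs_c14n10(root, apex):
    """[C14N10] rule: the apex inherits every xml:* attribute of its excluded
    ancestors (nearest ancestor wins) unless it declares the attribute itself.
    xml:id and xml:base receive no special treatment, which is the behaviour
    [C14N11] corrects."""
    parents = _parents(root)
    result = {}
    node = parents.get(apex)
    while node is not None:
        for name, value in _xml_attrs(node).items():
            result.setdefault(name, value)
        node = parents.get(node)
    result.update(_xml_attrs(apex))
    return result


def apex_attrs_c14n11(root, apex):
    """[C14N11] rule, as modelled here: xml:id is never inherited (it
    identifies the ancestor, not the apex); the xml:base values of excluded
    ancestors are joined with the apex's own so that relative references
    resolve as they did in the full document; other xml:* attributes
    (xml:lang, xml:space) are inherited as before.  urljoin stands in for
    the join-URIs procedure of [C14N11] (an assumption of this example)."""
    parents = _parents(root)
    inherited, ancestor_bases = {}, []
    node = parents.get(apex)
    while node is not None:
        attrs = _xml_attrs(node)
        attrs.pop(XML_ID, None)
        if XML_BASE in attrs:
            ancestor_bases.append(attrs.pop(XML_BASE))
        for name, value in attrs.items():
            inherited.setdefault(name, value)
        node = parents.get(node)
    result = dict(inherited)
    own = _xml_attrs(apex)
    result.update(own)
    if ancestor_bases or XML_BASE in own:
        base = ""
        for b in reversed(ancestor_bases):      # outermost ancestor first
            base = urljoin(base, b)
        if XML_BASE in own:
            base = urljoin(base, own[XML_BASE])
        result[XML_BASE] = base
    return result


def compare(xml_text=SAMPLE, apex_path="./section/item"):
    """Return (C14N 1.0 attributes, C14N 1.1 attributes) of the apex element,
    with the xml: prefix restored for readability."""
    root = ET.fromstring(xml_text)
    apex = root.find(apex_path)
    pretty = lambda d: {"xml:" + k.split("}", 1)[1]: v for k, v in d.items()}
    return pretty(apex_attrs_c14n10(root, apex)), pretty(apex_attrs_c14n11(root, apex))


if __name__ == "__main__":
    old, new = compare()
    print("C14N 1.0 apex attributes:", old)   # xml:id="root" is copied onto <item>
    print("C14N 1.1 apex attributes:", new)   # no xml:id; xml:base fully resolved
```

Under the 1.0 rule the canonical form of <item> acquires xml:id="root", an identifier that belonged to an element the signer never selected, and keeps the relative xml:base="q3.xml", which no longer resolves against the original document base once the subset is processed on its own. Under the 1.1 rule the apex carries no xml:id and an absolute xml:base, so the signed octets preserve the meaning the subset had in its original document.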
When constructing the chain of transforms that is applied to a given data object, implementations MUST NOT rely on the default algorithm (Canonical XML 1.0, per the XML Signature Reference Processing Model) to convert node-sets to octet streams. Instead, implementations SHOULD:
insert a Transform that uses the algorithm identified by http://www.w3.org/2006/12/xml-c14n11 before any Transform that expects an octet stream but is applied to a node-set;
use http://www.w3.org/2006/12/xml-c14n11 as the final Transform, if the last transformation generates a node-set.
Implementations MAY apply other transformation algorithms that convert node-sets to octet streams.
This section identifies additional algorithms used with the XML digital signature specification.
Algorithms are identified by URIs that appear as an attribute to the element that identifies the algorithms' role.
The specification of Canonical XML 1.1 is [C14N11]. The algorithm is capable of taking as input either an octet stream or an XPath node-set (or sufficiently functional alternative). The algorithm produces an octet stream as output. Canonical XML 1.1 is easily parameterized (via an additional URI) to omit or retain comments.
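The following script is an added illustration, not code from this note or from [XMLDSIG]. It applies the rule of section 2.2 to a list of Transform algorithm URIs, inserting the Canonical XML 1.1 identifier of section 3 (and its #WithComments parameterization) wherever a node-set would otherwise be converted to octets implicitly, audits an existing chain for the same problem and for use of Canonical XML 1.0, and serializes the result as a ds:Transforms element. The input/output types recorded in TRANSFORM_IO are a simplified model assumed for the example; [XMLDSIG] is authoritative for each algorithm's actual input and output.

```python
# Added illustration (not part of this note): applies the section 2.2 rule to a
# list of Transform algorithm URIs and emits the resulting <ds:Transforms>.
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N11 = "http://www.w3.org/2006/12/xml-c14n11"
C14N11_WITH_COMMENTS = C14N11 + "#WithComments"          # parameterized form (section 3)
C14N10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"  # replaced by C14N 1.1 (section 2.1)
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# (input type, output type) of each transform, as modelled for this example
# (an assumption; [XMLDSIG] describes the real I/O of every algorithm).
TRANSFORM_IO = {
    ENVELOPED: ("nodeset", "nodeset"),
    XPATH: ("nodeset", "nodeset"),
    XSLT: ("octets", "octets"),
    C14N10: ("nodeset", "octets"),
    C14N11: ("nodeset", "octets"),
    C14N11_WITH_COMMENTS: ("nodeset", "octets"),
}


def canonicalize_chain(transforms, with_comments=False, initial="nodeset"):
    """Insert explicit Canonical XML 1.1 transforms so that no node-set is
    converted to octets by the implicit default (section 2.2): before any
    transform that expects octets but would receive a node-set, and at the
    end of the chain if the last transform yields a node-set.  `initial` is
    the type of the dereferenced data object (a same-document reference
    yields a node-set)."""
    c14n = C14N11_WITH_COMMENTS if with_comments else C14N11
    out, current = [], initial
    for uri in transforms:
        needs, produces = TRANSFORM_IO[uri]
        if needs == "octets" and current == "nodeset":
            out.append(c14n)
        out.append(uri)
        current = produces
    if current == "nodeset":
        out.append(c14n)
    return out


def audit_chain(transforms, initial="nodeset"):
    """Report where an existing chain departs from sections 2.1 and 2.2."""
    problems, current = [], initial
    for uri in transforms:
        if uri == C14N10:
            problems.append("uses Canonical XML 1.0, which section 2.1 replaces with 1.1")
        needs, produces = TRANSFORM_IO[uri]
        if needs == "octets" and current == "nodeset":
            problems.append("implicit node-set to octets conversion before " + uri)
        current = produces
    if current == "nodeset":
        problems.append("chain ends in a node-set and relies on the default conversion")
    return problems


def transforms_element(transforms):
    """Serialize the chain as <ds:Transforms> in the XML Signature namespace."""
    ET.register_namespace("ds", DS_NS)
    root = ET.Element("{%s}Transforms" % DS_NS)
    for uri in transforms:
        ET.SubElement(root, "{%s}Transform" % DS_NS, Algorithm=uri)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    chain = [ENVELOPED, XPATH]            # a typical enveloped-signature reference
    print(audit_chain(chain))             # ends in a node-set: default conversion
    fixed = canonicalize_chain(chain)
    print(audit_chain(fixed))             # []
    print(transforms_element(fixed))
```

Run as a script, the audit of the two-step enveloped chain reports that it ends in a node-set; the fixed chain ends with an explicit C14N 1.1 Transform and audits clean. A verifier that follows the same rule can reject signatures whose chains depend on the default conversion instead of silently applying Canonical XML 1.0 to them.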