This document provides a summary of non-editorial changes in XML Signature 1.1 from the XML Signature Second Edition Recommendation.
In the case of any difference between this document and the XML Signature 1.1 specification [XMLDSIG-CORE1], the XML Signature 1.1 specification is authoritative.
- Added ECDSA signature algorithms: ECDSA-SHA1 (OPTIONAL), ECDSA-SHA256 (REQUIRED), ECDSA-SHA384 (OPTIONAL), and ECDSA-SHA512 (OPTIONAL).
- Added digest algorithms: SHA224 (OPTIONAL), SHA256 (REQUIRED), SHA384 (OPTIONAL), SHA512 (OPTIONAL).
- Added RSA signature algorithms: RSAwithSHA256 (REQUIRED), RSAwithSHA384 (OPTIONAL), RSAwithSHA512 (OPTIONAL).
- For all algorithms added, algorithm identifiers and information were added to the specification.
- SHA-1 is discouraged but still allowed for compatibility:
  - SHA-1 use is DISCOURAGED (but support is still REQUIRED).
  - SHA-1 wording changed to state that use is DISCOURAGED (but still REQUIRED).
  - HMAC-SHA1 wording changed to state that use is DISCOURAGED.
  - DSAwithSHA1 is only REQUIRED as a Signature algorithm for Signature verification, but is OPTIONAL for Signature generation. Previously it was REQUIRED for both.
  - RSA-SHA1 and ECDSA-SHA1 use is DISCOURAGED.
- HMAC-SHA256 changed to REQUIRED; HMAC-SHA384 and HMAC-SHA512 changed to RECOMMENDED (from OPTIONAL).
- HMACOutputLength parameter in SignatureMethod.
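The requirement levels above only help if a verifier actually enforces them. The following is an added example, not code from the W3C change summary or from any XML Signature implementation: it maps the algorithm identifiers found in a ds:SignedInfo to the XML Signature 1.1 levels listed above, flags anything DISCOURAGED or unrecognised, and applies a floor to HMACOutputLength truncation. The URIs are the standard xmldsig, xmldsig-more and xmlenc identifiers; the truncation floor used here (at least half the underlying hash output and never below 80 bits) is this editor's reading of XMLDSIG-CORE1 section 6.3.1 and should be confirmed against the specification text. The two SignedInfo fragments are constructed inputs.

```python
"""Policy check for ds:SignedInfo algorithms against XML Signature 1.1 levels.

Added example (not the W3C document's own code). The HMACOutputLength floor
is an assumption based on this editor's reading of XMLDSIG-CORE1 6.3.1.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MORE = "http://www.w3.org/2001/04/xmldsig-more#"
ENC = "http://www.w3.org/2001/04/xmlenc#"

# Digest algorithms: SHA-1 support is still REQUIRED, but its use is DISCOURAGED.
DIGEST_LEVEL = {
    DS + "sha1": "DISCOURAGED",
    MORE + "sha224": "OPTIONAL",
    ENC + "sha256": "REQUIRED",
    MORE + "sha384": "OPTIONAL",
    ENC + "sha512": "OPTIONAL",
}
# Signature algorithms, level for generation (DSAwithSHA1 is REQUIRED for verification only).
SIGNATURE_LEVEL = {
    DS + "dsa-sha1": "OPTIONAL",
    DS + "rsa-sha1": "DISCOURAGED",
    MORE + "rsa-sha256": "REQUIRED",
    MORE + "rsa-sha384": "OPTIONAL",
    MORE + "rsa-sha512": "OPTIONAL",
    MORE + "ecdsa-sha1": "DISCOURAGED",
    MORE + "ecdsa-sha256": "REQUIRED",
    MORE + "ecdsa-sha384": "OPTIONAL",
    MORE + "ecdsa-sha512": "OPTIONAL",
    DS + "hmac-sha1": "DISCOURAGED",
    MORE + "hmac-sha256": "REQUIRED",
    MORE + "hmac-sha384": "RECOMMENDED",
    MORE + "hmac-sha512": "RECOMMENDED",
}
# Output size in bits of the hash behind each HMAC identifier.
HMAC_BITS = {DS + "hmac-sha1": 160, MORE + "hmac-sha256": 256,
             MORE + "hmac-sha384": 384, MORE + "hmac-sha512": 512}


def hmac_length_ok(algorithm, output_length):
    """Truncation floor (assumed rule): at least half the hash output, at least
    80 bits, and never more than the full output. Unknown algorithms fail."""
    full = HMAC_BITS.get(algorithm)
    if full is None:
        return False
    return 80 <= output_length <= full and output_length * 2 >= full


def check_signed_info(xml_text):
    """Return a list of findings for a ds:SignedInfo fragment; empty means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    sm = root.find(f"{{{DS}}}SignatureMethod")
    if sm is not None:
        alg = sm.get("Algorithm", "")
        level = SIGNATURE_LEVEL.get(alg, "UNKNOWN")
        if level in ("DISCOURAGED", "UNKNOWN"):
            findings.append(f"SignatureMethod {alg}: {level}")
        hol = sm.find(f"{{{DS}}}HMACOutputLength")
        if hol is not None and not hmac_length_ok(alg, int(hol.text)):
            findings.append(f"HMACOutputLength {hol.text} below floor for {alg}")
    for dm in root.iter(f"{{{DS}}}DigestMethod"):
        alg = dm.get("Algorithm", "")
        level = DIGEST_LEVEL.get(alg, "UNKNOWN")
        if level in ("DISCOURAGED", "UNKNOWN"):
            findings.append(f"DigestMethod {alg}: {level}")
    return findings


# Constructed sample: still on SHA-1 everywhere, with a 32-bit truncated HMAC.
WEAK = f"""<SignedInfo xmlns="{DS}">
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="{DS}hmac-sha1"><HMACOutputLength>32</HMACOutputLength></SignatureMethod>
  <Reference URI="#data"><DigestMethod Algorithm="{DS}sha1"/><DigestValue>AAAA</DigestValue></Reference>
</SignedInfo>"""

# Constructed sample using the 1.1 REQUIRED algorithms.
STRONG = f"""<SignedInfo xmlns="{DS}">
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="{MORE}rsa-sha256"/>
  <Reference URI="#data"><DigestMethod Algorithm="{ENC}sha256"/><DigestValue>AAAA</DigestValue></Reference>
</SignedInfo>"""

if __name__ == "__main__":
    for name, frag in (("weak", WEAK), ("strong", STRONG)):
        print(name, check_signed_info(frag) or "clean")
```

The weak fragment produces three findings (discouraged signature algorithm, truncated HMAC, discouraged digest) and the strong one none. A verifier would normally refuse to proceed on any finding rather than merely report it; keeping the policy tables separate from the check makes it easy to tighten them (for example, treating SHA-1 as rejected rather than discouraged) without touching the parsing code.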
KeyInfo Changes

- ECKeyValue, ECParameters.
- DEREncodedKeyValue.
- KeyInfo child elements EncryptedKey and DerivedKey.
- DEREncodedKeyValue: new representation for public keys.
- KeyInfoReference: alternative to RetrievalMethod for access to a KeyInfo element that does not require use of a Transform.
- RetrievalMethod: a Transform is needed to obtain the content of a KeyInfo referenced by ID.
- Use of the KeyInfoReference element instead of RetrievalMethod.
X509Data Changes

- dsig11:X509Digest added to the list of elements that may be included, to support reference via base64-encoded digest of a certificate.
- X509IssuerSerial and a possible issue with schema validation when large serial numbers are used.
- X509Data in explicitly trusted scenarios.
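The KeyInfo and X509Data changes above fit together in practice: a dsig11:KeyInfoReference points at a ds:KeyInfo by Id with no Transform involved, and a dsig11:X509Digest inside that KeyInfo identifies a certificate by the base64 digest of its DER bytes rather than by issuer name and serial number. The following is an added example, not code from the W3C document or any XML Signature library, covering both: it resolves a same-document KeyInfoReference, insists that the target really is a ds:KeyInfo, and matches a candidate certificate against the X509Digest values found there. The namespace URIs are the standard dsig and dsig11 ones; the certificate bytes and the document are constructed stand-ins, not a real DER certificate or a real signature.

```python
"""Resolve dsig11:KeyInfoReference and match a certificate against dsig11:X509Digest.

Added example (not the W3C document's own code). CERT and DOC are constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DS11 = "http://www.w3.org/2009/xmldsig11#"
ENC = "http://www.w3.org/2001/04/xmlenc#"
MORE = "http://www.w3.org/2001/04/xmldsig-more#"

# Digest algorithm URI -> hash constructor for the X509Digest Algorithm attribute.
HASHES = {DS + "sha1": hashlib.sha1, ENC + "sha256": hashlib.sha256,
          MORE + "sha384": hashlib.sha384, ENC + "sha512": hashlib.sha512}


def x509_digest_value(cert_der, algorithm):
    """Text content of dsig11:X509Digest: base64 of the digest over the DER bytes."""
    return base64.b64encode(HASHES[algorithm](cert_der).digest()).decode()


def resolve_key_info_uri(root, uri):
    """Follow a same-document URI (#Id) to the ds:KeyInfo carrying that Id.

    Only ds:KeyInfo elements are considered: an Id on any other element does
    not satisfy a KeyInfoReference, so a reference to it is an error.
    """
    if not uri.startswith("#"):
        raise ValueError("only same-document (#Id) references are handled here")
    wanted = uri[1:]
    for key_info in root.iter(f"{{{DS}}}KeyInfo"):
        if key_info.get("Id") == wanted:
            return key_info
    raise ValueError(f"no ds:KeyInfo carries Id={wanted!r}")


def certificate_matches(key_info, cert_der):
    """True if any dsig11:X509Digest under key_info matches cert_der."""
    for digest in key_info.iter(f"{{{DS11}}}X509Digest"):
        alg = digest.get("Algorithm", "")
        if alg in HASHES and (digest.text or "").strip() == x509_digest_value(cert_der, alg):
            return True
    return False


def check_document(doc_text, cert_der):
    """Resolve the first KeyInfoReference in doc_text and test cert_der against it."""
    root = ET.fromstring(doc_text)
    ref = root.find(f".//{{{DS11}}}KeyInfoReference")
    key_info = resolve_key_info_uri(root, ref.get("URI", ""))
    return certificate_matches(key_info, cert_der)


def names_key_info(doc_text, uri):
    """True if uri resolves to a ds:KeyInfo in doc_text, False otherwise."""
    try:
        resolve_key_info_uri(ET.fromstring(doc_text), uri)
        return True
    except ValueError:
        return False


# Constructed stand-in for DER certificate bytes (not a real certificate).
CERT = b"constructed stand-in for DER certificate bytes, not a real certificate"
CERT_DIGEST = x509_digest_value(CERT, ENC + "sha256")

# Constructed document: an Object with an Id, the KeyInfo that carries the
# X509Digest, and a second KeyInfo that reaches the first via KeyInfoReference.
DOC = f"""<Signature xmlns="{DS}" xmlns:dsig11="{DS11}">
  <Object Id="payload">signed content lives here</Object>
  <KeyInfo Id="signer">
    <X509Data>
      <dsig11:X509Digest Algorithm="{ENC}sha256">{CERT_DIGEST}</dsig11:X509Digest>
    </X509Data>
  </KeyInfo>
  <KeyInfo><dsig11:KeyInfoReference URI="#signer"/></KeyInfo>
</Signature>"""

if __name__ == "__main__":
    print("certificate matches:", check_document(DOC, CERT))
    print("#payload is a KeyInfo:", names_key_info(DOC, "#payload"))
```

Because the digest is computed over the certificate bytes the verifier already holds, there is nothing to parse out of the KeyInfo beyond the Algorithm attribute and the base64 text, which sidesteps the large-serial-number schema problem noted above for X509IssuerSerial. The KeyInfo type check in resolve_key_info_uri is deliberate: resolving purely by Id would happily return the Object element if a document reused the identifier.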
- Reference validation, since changes could occur in serialization after Signature generation.
- SHA-256 in preference to SHA-1.
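The note on Reference validation is easy to underestimate: a DigestValue computed over the referenced content as it sat in memory at generation time may no longer match once the document has passed through another serializer, even though no information was changed. The following is an added example, not code from the W3C document, that makes the failure concrete and shows the SHA-256 preference in use: a digest over the raw text does not survive an ElementTree round trip, while a digest over the canonicalized form does. ElementTree's canonicalize() implements C14N 2.0 rather than the C14N 1.0/1.1 algorithms that XML Signature names, which is sufficient for this constructed input; the referenced element is constructed.

```python
"""Why references should be re-validated after serialization.

Added example (not the W3C document's own code). SIGNED_CONTENT is constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET


def digest_value(octets):
    """DigestValue as XML Signature encodes it: base64 of the SHA-256 digest."""
    return base64.b64encode(hashlib.sha256(octets).digest()).decode()


def reserialize(xml_text):
    """Parse and write back with ElementTree: no information is lost, but the
    bytes change (attribute quoting, empty-element form)."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")


def raw_digest(xml_text):
    """Digest over the text exactly as held at generation time, no canonicalization."""
    return digest_value(xml_text.encode())


def c14n_digest(xml_text):
    """Digest over the canonical form (ElementTree's C14N 2.0 implementation)."""
    return digest_value(ET.canonicalize(xml_text).encode())


def survives_reserialization(xml_text, digest_fn):
    """Would a DigestValue computed with digest_fn at generation time still
    verify against the same content after it has been re-serialized?"""
    return digest_fn(xml_text) == digest_fn(reserialize(xml_text))


# Constructed referenced element: single-quoted attributes and an empty element
# written with an explicit end tag, both of which a serializer may rewrite.
SIGNED_CONTENT = "<Data Id='d1' a='1'><Item></Item></Data>"

if __name__ == "__main__":
    print("after round trip:", reserialize(SIGNED_CONTENT))
    print("raw digest survives:", survives_reserialization(SIGNED_CONTENT, raw_digest))
    print("c14n digest survives:", survives_reserialization(SIGNED_CONTENT, c14n_digest))
```

The practical rule this illustrates is the one in the note: after the signed document has been produced in its final serialized form, run Reference validation over those final octets before releasing it, so that a serialization change is caught by the signer rather than by the relying party.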