This document specifies how the XML Signature 2.0 transform model
may be used with XML Encryption 1.1 for
This document summarizes the changes necessary to allow XML Encryption to use the transform model introduced in XML Signature 2.0. At some point the contents of this document may be incorporated into an XML Encryption 2.0 document, but are currently separate to highlight the limited set of changes, enabling easier review.
The XML Signature 2.0 [[!XMLDSIG-CORE2]] Transform processing model offers
simplification to the
XML Encryption 1.1 [[!XMLENC-CORE1]]
The current model in XML Encryption 1.1 is that
URI attribute for obtaining content and may
also optionally apply further
transforms through the use of one or more
contained in a
Transforms child of
CipherReference. The example in XML Encryption 1.1
shows use of an XPath
transform to select
a specific element within an XML document and then a base64 transform to
decode the base64 to octets (two 1.1 transforms are applied).
This document is only applicable when transforms are applied in XML Encryption 1.1 to obtain cipher content, however this may be frequent when base64 decoding is required.
The 2.0 Transform model has a single fixed transform that supports a
selection element, enabling the
processing model to be simplified (the 2.0 model also has other
features that are
not discussed in this document). The overall set of simplifications
Use the 2.0 Transform
dsig2:Selection element with
URL attribute value that specifies the source of
the cipher value, using XML fragments as
appropriate. In the XML Encryption 1.1 example this removes the
need for an XPath transform.
Process the content retrieved from the URL source appropriately, as
defined according to the
Algorithm attribute. The type defined for base64 content
encoded in XML is appropriate to the example in XML Encryption 1.1.
This approach entirely eliminates the use of transforms, apart from
the backwardly-compatible mechanism of using the
Transform element to
enable use of the 2.0 selection mechanism.
This example corresponds to the example shown in section 3.3.1 of XML Encryption 1.1.
<CipherReference URI=""> <Transforms> <ds:Transform Algorithm="http://www.w3.org/2010/xmldsig2#transform"> <dsig2:Selection URI="http://www.example.com/CipherValues.xml#example1" Algorithm="http://www.w3.org/2010/xmldsig2#binaryfromBase64" xmlns:dsig2="http://www.w3.org/2010/xmldsig2#"> </dsig2:Selection> </ds:Transform> </Transforms> </CipherReference>
Use of 2.0 transform processing can be recognized by examination of
Algorithm attribute value on
Transform element and seeing
that it is the 2.0 value defined in XML Signature 2.0:
This document is only applicable if it has a compatible value (this value or later).
CipherReferenceProcessing with 2.0 Transform Model
CipherReference processing with the 2.0 transform model
is only performed if the
CipherReference element has
Transforms child element with a
child having an
Algorithm attribute value consistent with 2.0
processing. The only current such value is
If this is the case, it is an error if there is more than
Transforms child element of
CipherReference element or if there is more than
Transform child element of
dsig2:Selection element MUST be present as a child of
attribute of the
dsig2:Selection element MUST specify the
the cipher data (and for content from within XML should specify the
fragment if necessary, see 10.6.1 Selection of XML Documents or
Fragments of XML Signature 2.0 for details)
If the cipher data is base64 encoded content within an XML source, the
MUST be specified as the
If the cipher data is binary (and not base64 encoded) content from the
URI source, the
algorithm identifier MUST be specified as the
Algorithm attribute value.
Algorithm attribute value should be used.
This document specifies no change to the schema definition of
CipherReference element defined in XML
Encryption 1.1, but the
URI attribute of this element is
ignored when the 2.0 transform processing model is used as described
in this document.