Written by Reagle, based on "A plug/play URI/IDREF proposal" by Karlinger.
...
The Reference element has the structure indicated below.
...
<SignedInfo>
(CanonicalizationMethod)?
(SignatureMethod)
(<Reference (URI=)? Type=?>
(Transforms)?
(DigestMethod)
(DigestValue)
</Reference>)+
</SignedInfo>
...
The optional URI attribute of Reference identifies the data object to be signed. This attribute may be omitted on at most one Reference in a Signature. (This limitation is imposed in order to ensure that references and objects may be matched unambiguously.)
This identification, along with the transforms, is a description provided by the signer
on how they obtained the signed data object in the form it was digested (i.e. the digested
content). The verifier may obtain the digested content in another method so long as the
digest verifies. In particular, the verifier may obtain the content from a different
location such as a local store) than that specified in the URI.
The optional Type attribute provides information about the resource identified
by the URI. In particular, it can indicate that it is an Object, SignatureProperties,
or Manifest element. This can be used by applications to initiate special
processing of some Reference elements. References to an XML data element within
an Object element SHOULD identify the actual element pointed to. Where the
element content is not XML (perhaps it is binary or encoded data) the reference should
identify the Object and the Reference Type, if given,
SHOULD indicate Object. Note, that Type is advisory and no action based
on it or checking of its correctness is required by core behaviour.
Transforms is an optional ordered list of processing steps that were applied to the resource's content before it is digested. Transforms can include operations such as canonicalization, encoding/decoding (including compression/inflation), XSLT and XPath. XPath transforms permit the signer to derive an XML document that omits portions of the source document. Consequently those excluded portions can change without affecting signature validity (this is how the Working Group satisfied the requirement of signing portions of a document.) For example, if the resource being signed encloses the signature itself, such a transform must be used to exclude the signature value from its own computation. If no Transforms element is present, the resource's content is digested directly.
Arbitrary user specified transforms are permitted. To promote interoperability, we specify mandatory to implement canonicalization and decoding transformation algorithms. Additional canonicalization, coding, XSLT, and XPath based transform algorithms are specified as recommended or optional.
DigestMethod is the algorithm applied to the data, after Transforms is applied if specified, to yield the DigestValue. The signing of the DigestValue is what bind's a resources content to the signer's key.
...
Reference is an element that may occur one or more times. It specifies a digest
algorithm and digest value, and optionally the object being signed, the type of the
object, and/or a list of transforms to be applied prior to digesting. The identification,
and transforms are information provided to inform the verifier how the digested content
(i.e., the input to the digest method) may be created. The type attribute
facilitates the processing of referenced data. For example, while this specification makes
no requirements over external data, an application may wish to signal that the referent is
a Manifest. An optional ID attribute permits a Reference to be
referenced from elsewhere.
Schema Definition:
<element name='Reference'>
<type content='elementOnly'>
<group order='seq' minOccurs='1' maxOccurs='1'>
<element ref='ds:Transforms' minOccurs='0' maxOccurs='1'/>
<element ref='ds:DigestMethod' minOccurs='1' maxOccurs='1'/>
<element ref='ds:DigestValue' minOccurs='1' maxOccurs='1'/>
</group>
<attribute name='Id' type='ID' minOccurs='0' maxOccurs='1'/>
<attribute name='URI' type='uri' minOccurs='0' maxOccurs='1'/>
<attribute name='Type' type='uri' minOccurs='0' maxOccurs='1'/>
</type>
</element>
DTD:
<!ELEMENT Reference (Transforms?, DigestMethod, DigestValue) >
<!ATTLIST Reference
Id ID #IMPLIED
URI CDATA #IMPLIED
Type CDATA #IMPLIED>
The URI attribute identifies a data object using a URI-Reference [URI], as specified by RFC2396 [URI]. Note that a null URI (URI="") is permitted and identifies the XML document that the reference is contained within (i.e., the root element). XML Signature applications MUST be able to dereference (obtain the octets associated with) the resource identified by a URI (e.g, DOM, an API, network method).
[URI] permits the specification of a fragment identifier via a separating pound symbol '#'. (The meaning of the fragment is defined by the resource's MIME type). XML Signature applications MUST support the the XPointer 'bare name' [Xptr] shortcut after '#' so as to identify IDs within XML documents. The results are serialized as specified in section 6.6.3: XPath Filtering. For example,
Otherwise, support of other fragment/MIME types (e.g., PDF) or XML addressing mechanisms (e.g., [XPath, Xptr]) is OPTIONAL, though we RECOMMEND support of XPath. Regarldess, such fragment identification and addressing SHOULD be given under Transforms (not as part of the URI) so that they can be fully identified and specified. For instance, one could reference a fragment of a document that is encoded by using the Reference URI to identify the resource, and one Transform to specify decoding, and a second to specify an XPath selection.
If the URI attribute is omitted all-together, the receiving application is expected to know the identity of the object. For example, a lightweight data protocol might omit this attribute given the identity of the object is part of the application context. This attribute may be omitted from at most one Reference in any particular SignedInfo, or Manifest.
The digest algorithm is applied to the data octets being secured. Typically that is done by locating (possibly using the URI if provided) the data and transforming it. If the data is an XML document, the document is assumed to be unparsed prior to the application of Transforms. If there are no Transforms, then the data is passed to the digest algorithm unmodified.
The optional Type attribute contains information about the type of object being signed. This is represented as a URI. For example:
Type="http://www.w3.org/2000/01/xmldsig#Object"
Type="http://www.w3.org/2000/01/xmldsig#Manifest"
Type="http://www.w3.org/2000/01/xmldsig#SignatureProperty"
The Type attribute applies to the item being pointed at, not its contents. For example,
a reference that identifies an Object element containing a SignatureProperties
element is still of type #Object. The type attribute is advisory. No
validation of the type information is required by this specification.