W3C

XML Security Algorithm Cross-Reference

W3C Working Group Note 11 April 2013

This version:
http://www.w3.org/TR/2013/NOTE-xmlsec-algorithms-20130411/
Latest published version:
http://www.w3.org/TR/xmlsec-algorithms/
Latest editor's draft:
http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/
Previous version:
http://www.w3.org/TR/2013/NOTE-xmlsec-algorithms-20130124/
Editors:
Frederick Hirsch, Nokia
Thomas Roessler, W3C
Kelvin Yiu, Microsoft

Abstract

This Note summarizes XML Security algorithm URI identifiers and the specifications associated with them.

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

Note: On 23 April 2013, the reference to the "Additional XML Security URIs" RFC was updated. The Director previously authorized the publication knowing that the reference would be updated in a near future.

Changes since the previous publication include updates to the references, including replacing RFC 4051 with RFC 6931 which updates it (diff).

This document was published by the XML Security Working Group as a Working Group Note. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org (subscribe, archives). All comments are welcome.

Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

Table of Contents

1. Introduction

The various XML Security specifications have defined a number of algorithms of various types, while allowing and expecting additional algorithms to be defined later. Over time, these identifiers have been defined in a number of different specifications, including XML Signature, XML Encryption, RFCs and elsewhere.

This makes it difficult for users of the XML Security specifications to know whether and where a URI for an algorithm of interest has been defined, and can lead to the use of incorrect URIs. The purpose of this Note is to collect the various known URIs at the time of its publication and indicate the specifications in which they are defined in order to avoid confusion and errors.

This note is not intended as an exhaustive list of all known related identifiers, some of which may have been defined by other standards or specifications. Furthermore, this note is not to be taken as normative regarding the information provided; if information here conflicts with the referenced specification, the specification takes precedence in all cases.

The architecture of the XML Security specifications distinguishes between the (universally useful) identifiers for algorithms and the roles that these algorithms can take. Roles are identified through elements like ds:SignatureMethod, ds:DigestMethod, ds:CanonicalizationMethod, or ds:Transform, whereas the algorithms are identified through URIs. Explicit parameters for the respective algorithms are transmitted in child elements of the role element.

This note indicates explicitly whether an algorithm is mandatory or recommended in other specifications. If nothing is said, then readers should assume that support for the algorithms given is OPTIONAL.

This document applies to [XMLDSIG-CORE1] and [XMLENC-CORE1] unless otherwise noted.

2. Namespaces

This specification uses the following XML namespace prefixes:

ds
http://www.w3.org/2000/09/xmldsig#
xenc
http://www.w3.org/2001/04/xmlenc#
dsig11
http://www.w3.org/2009/xmldsig11#
dsigmore
http://www.w3.org/2001/04/xmldsig-more#

Algorithm URIs have been coined in a variety of namespaces, and are always given in full.

3. Signature Algorithms

The algorithms listed in this section are typically used in the signature algorithm role, identified through the ds:SignatureMethod role element ( [XMLDSIG-CORE] , section 4.3.2). Each signature method takes an octet-stream as input, and produces a signature value (an octet-stream that is always base64 encoded, see section 4.2 of [XMLDSIG-CORE] ).

3.1 DSA

A container for key material, ds:DSAKeyValue, is defined in section 4.4.2.1 of [XMLDSIG-CORE] . When used with ds:RetrievalMethod, this container type is identified through the URI http://www.w3.org/2000/09/xmldsig#DSAKeyValue.

DSA-SHA1
URI:
http://www.w3.org/2000/09/xmldsig#dsa-sha1
Specified in:
section 6.4.1 of [XMLDSIG-CORE]

Implementation of this algorithm is required in [XMLDSIG-CORE2002] and [XMLDSIG-CORE]. It is mandatory to implement in [XMLDSIG-CORE1] for signature verification. [XMLDSIG-CORE1] allows verification support for 1024 bit key legacy signatures, but requires that 1024 bit keys must not be used for new signatures.

DSA-SHA256
URI:
http://www.w3.org/2009/xmldsig11#dsa-sha256
Specified in:
section 6.4.1 of [XMLDSIG-CORE1]

Implementation of this algorithm is optional. Permissible lengths of the prime modulus are 2048 and 3072.

3.2 RSA

This section lists variants of the RSA algorithm. A container for key material, ds:RSAKeyValue, is defined in section 4.4.2.2 of [XMLDSIG-CORE2002] . When used with ds:RetrievalMethod, this container type is identified through the URI http://www.w3.org/2000/09/xmldsig#RSAKeyValue.

RSA-MD5
URI:
http://www.w3.org/2001/04/xmldsig-more#rsa-md5
Specified in:
section 2.3.1 of [RFC6931]

We only list the algorithm URI for RSA-MD5 for the sake of completeness. The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time. It is not listed as an algorithm in [XMLDSIG-CORE1].

RSA-SHA1
URI:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
Specified in:
section 6.4.2 of [XMLDSIG-CORE2002]

Implementation of this algorithm is recommended in [XMLDSIG-CORE2002] and [XMLDSIG-CORE] . Use of this algorithm for signature generation is discouraged [XMLDSIG-CORE1].

RSA-SHA224
URI:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha224
Specified in:
section 6.4.2 of [XMLDSIG-CORE1].
RSA-SHA256
URI:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Specified in:
section 2.3.2 of [RFC6931]

This algorithm is a mandatory to implement algorithm for [XMLDSIG-CORE1].

RSA-SHA384
URI:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
Specified in:
section 2.3.3 of [RFC6931]
RSA-SHA512
URI:
http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
Specified in:
section 2.3.4 of [RFC6931]
RSA-RIPEMD160
URI:
http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160
Specified in:
section 2.3.5 of [RFC6931]

This algorithm is listed for the sake of completeness but does not have an [XMLDSIG-CORE1] implementation requirement.

3.3 Elliptic Curve DSA

This section lists various variants of the Elliptic Curve DSA (ECDSA) algorithm. A container for key material, the ECKeyValue element, is defined in [XMLDSIG-CORE1] in section 4.5.2.3.

ECDSA-SHA1
URI:
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
Specified in:
section 2.3.6 of [RFC6931]

Given recent cryptographic results about the SHA1 hash algorithm, users of this algorithm should apply similar caution to other SHA1 based algorithms, and treat it as an algorithm whose use is discouraged.

ECDSA-SHA224
URI:
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224
Specified in:
section 2.3.6 of [RFC6931]
ECDSA-SHA256
URI:
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
Specified in:
section 2.3.6 of [RFC6931]

This algorithm is a mandatory to implement algorithm for [XMLDSIG-CORE1].

ECDSA-SHA384
URI:
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
Specified in:
section 2.3.6 of [RFC6931]
ECDSA-SHA512
URI:
http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
Specified in:
section 2.3.6 of [RFC6931]

3.4 HMAC

The following URIs have been defined for various Message Authentication Codes that use the HMAC construction [HMAC] . All of these algorithms take an explicit truncation length parameter. A container for this parameter, ds:HMACOutputLength, is defined in section 6.3.1 of [XMLDSIG-CORE] . This container occurs as a child element of the role element.

HMAC-SHA1
URI:
http://www.w3.org/2000/09/xmldsig#hmac-sha1
Specified in:
section 6.3 of [XMLDSIG-CORE2002]

This algorithm is used as the default MAC algorithm in [XKMS2] . It is mandatory to implement in XML Signature [XMLDSIG-CORE2002], [XMLDSIG-CORE], [XMLDSIG-CORE1]. Use of this algorithm for signature generation is discouraged [XMLDSIG-CORE1] due to the weaknesses of SHA-1.

HMAC-SHA224
URI:
http://www.w3.org/2001/04/xmldsig-more#hmac-sha224
Specified in:
section 2.2.2 of [RFC6931]
HMAC-SHA256
URI:
http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
Specified in:
section 2.2.2 of [RFC6931]

This algorithm is a mandatory to implement algorithm for [XMLDSIG-CORE1].

HMAC-SHA384
URI:
http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
Specified in:
section 2.2.2 of [RFC6931]

Implementation of this algorithm is recommended in [XMLDSIG-CORE1].

HMAC-SHA512
URI:
http://www.w3.org/2001/04/xmldsig-more#hmac-sha512
Specified in:
section 2.2.2 of [RFC6931]

Implementation of this algorithm is recommended in [XMLDSIG-CORE1].

HMAC-RIPEMD160
URI:
http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160
Specified in:
Section 2.2.3 of [RFC6931]

This algorithm is listed for the sake of completeness but does not have an [XMLDSIG-CORE1] implementation requirement.

4. Digest Methods

The following URIs have been defined for Digest Methods. They are typically used in the ds:DigestMethod role in [XMLDSIG-CORE2002] . Note that ds:DigestMethod also occurs as in the context of xenc:AgreementMethod, as specified in the Key Agreement part of [XMLENC-CORE] .

4.1 MD5

MD5
URI:
http://www.w3.org/2001/04/xmldsig-more#md5
Specified in:
section 2.1.1 of [RFC6931]

We only list the algorithm URI for MD5 for the sake of completeness. The cryptographic strength of this algorithm is sufficiently doubtful that its use is not recommended at this time.

4.2 SHA variants

Note that URIs for the various algorithms of the Secure Hash Algorithm family have been coined in a number of name spaces and specifications, specifically [XMLDSIG-CORE2002] (and, in this regard identically, [XMLDSIG-CORE] ), [XMLENC-CORE] , and [RFC6931] .

SHA-1
URI:
http://www.w3.org/2000/09/xmldsig#sha1
Specified in:
section 6.2.1 of [XMLDSIG-CORE]

SHA-1 is the only digest algorithm defined in [XMLDSIG-CORE] and is mandatory to implement in that specification and in [XMLENC-CORE]. Use of SHA-1 is discouraged in [XMLDSIG-CORE1] and [XMLENC-CORE1] both of which mandate SHA-256 as mandatory to implement and offer a number of other optional SHA algorithms.

SHA-224
URI:
http://www.w3.org/2001/04/xmldsig-more#sha224
Specified in:
section 2.1.2 of [RFC6931]
SHA-256
URI:
http://www.w3.org/2001/04/xmlenc#sha256
Specified in:
section 5.7.2 of [XMLENC-CORE]

This algorithm is a mandatory to implement algorithm for [XMLDSIG-CORE1].

SHA-384
URI:
http://www.w3.org/2001/04/xmldsig-more#sha384
Specified in:
section 2.1.3 of [RFC6931]
SHA-512
URI:
http://www.w3.org/2001/04/xmlenc#sha512
Specified in:
section 5.7.3 of [XMLENC-CORE]

4.3 RIPEMD-160

RIPEMD-160
URI:
http://www.w3.org/2001/04/xmlenc#ripemd160
Specified in:
section 5.7.4 of [XMLENC-CORE]

5. Symmetric Key Encryption Algorithms

The following URIs have been defined for symmetric key encryption algorithms. They typically appear in the xenc:EncryptionMethod role.

5.1 Triple DES

Triple DES (CBC mode)
URI:
http://www.w3.org/2001/04/xmlenc#tripledes-cbc
Specified in:
section 5.2.1 of [XMLENC-CORE]

This algorithm is mandatory to implement in [XMLENC-CORE] .

5.2 AES

AES-128 (CBC mode)
URI:
http://www.w3.org/2001/04/xmlenc#aes128-cbc
Specified in:
section 5.2.2 of [XMLENC-CORE]

This algorithm is mandatory to implement in [XMLENC-CORE] .

AES-192 (CBC mode)
URI:
http://www.w3.org/2001/04/xmlenc#aes192-cbc
Specified in:
section 5.2.2 of [XMLENC-CORE]
AES-256 (CBC mode)
URI:
http://www.w3.org/2001/04/xmlenc#aes256-cbc
Specified in:
section 5.2.2 of [XMLENC-CORE]

This algorithm is mandatory to implement in [XMLENC-CORE] .

AES128-GCM
URI:
http://www.w3.org/2009/xmlenc11#aes128-gcm
Specified in:
section 5.2.4 of [XMLENC-CORE1]

This algorithm is mandatory to implement in [XMLENC-CORE1].

AES192-GCM
URI:
http://www.w3.org/2009/xmlenc11#aes192-gcm
Specified in:
section 5.2.4 of [XMLENC-CORE1]
AES256-GCM
URI:
http://www.w3.org/2009/xmlenc11#aes256-gcm
Specified in:
section 5.2.4 of [XMLENC-CORE1]

5.3 Camellia

These algorithms are not in the [XMLDSIG-CORE1] or [XMLENC-CORE1] implementation requirements but are listed for completeness.

Camellia 128 (CBC mode)
URI:
http://www.w3.org/2001/04/xmldsig-more#camellia128-cbc
Specified in:
section 2.6.2 of [RFC6931]
Camellia 192 (CBC mode)
URI:
http://www.w3.org/2001/04/xmldsig-more#camellia192-cbc
Specified in:
section 2.6.2 of [RFC6931]
Camellia 256 (CBC mode)
URI:
http://www.w3.org/2001/04/xmldsig-more#camellia256-cbc
Specified in:
section 2.6.2 of [RFC6931]

6. Key Transport Algorithms

The following URIs have been defined for key transport algorithms.

6.1 RSA v1.5

RSA-v1.5
URI:
http://www.w3.org/2001/04/xmlenc#rsa-1_5
Specified in:
section 5.4.1 of [XMLENC-CORE]

This algorithm is optional to implement in [XMLENC-CORE]. Implementation of RSA v1.5 is NOT RECOMMENDED due to security risks associated with the algorithm.

6.2 RSA OAEP

RSA-OAEP (including MGF1 with SHA1 mask generation function)
URI:
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
Specified in:
section 5.4.2 of [XMLENC-CORE]. This version has a fixed mask generation function of MGF1 with SHA1.

This algorithm is mandatory to implement in [XMLENC-CORE].

RSA-OAEP
URI:
http://www.w3.org/2009/xmlenc11#rsa-oaep
Specified in:
section 5.4.2 of [XMLENC-CORE]. This version allows the mask generation function to be specified explicitly.
RSA-OAEP MGF1 with SHA* definitions
URI:
MGF1 with SHA1: http://www.w3.org/2009/xmlenc11#mgf1sha1
MGF1 with SHA224: http://www.w3.org/2009/xmlenc11#mgf1sha224
MGF1 with SHA256: http://www.w3.org/2009/xmlenc11#mgf1sha256
MGF1 with SHA384: http://www.w3.org/2009/xmlenc11#mgf1sha384
MGF1 with SHA512: http://www.w3.org/2009/xmlenc11#mgf1sha512
Specified in:
section 5.4.2 of [XMLENC-CORE]. These URIs are for defining the specific mask generation function.

7. Key Derivation Algorithm URIs

The following URIs have been defined for key derivation algorithms.

7.1 ConcatKDF

ConcatKDF
URI:
http://www.w3.org/2009/xmlenc11#ConcatKDF
Specified in:
section 5.4.1 of [XMLENC-CORE1]

This algorithm is mandatory to implement in [XMLENC-CORE].

7.2 PBKDF2

PBKDF2
URI:
http://www.w3.org/2009/xmlenc11#pbkdf2
Specified in:
section 5.4.2 of [XMLENC-CORE1]

8. Key Agreement Algorithm URIs

The following URIs have been defined for key agreement algorithms.

Diffie Hellman with Legacy Key Derivation Function (Ephemeral-Static mode)
URI:
http://www.w3.org/2001/04/xmlenc#dh
Specified in:
section 5.5.2 of [XMLENC-CORE]

While this is the only key agreement algorithm defined in [XMLENC-CORE], it is optional to implement.

A container for key material for this key agreement algorithm, xenc:DHKeyValue, is defined in section 5.5.1 of [XMLENC-CORE] . When used with ds:RetrievalMethod, this container type is identified through the URI http://www.w3.org/2001/04/xmlenc#dh.

Diffie-Hellman with explicit Key Derivation Functions (Ephemeral-Static Mode)
URI:
http://www.w3.org/2009/xmlenc11#dh-es
Specified in:
section 5.6.2.1 of [XMLENC-CORE1]
Elliptic Key Diffie-Hellman Key Agreement (Ephemeral-Static Mode)
URI:
http://www.w3.org/2009/xmlenc11#ECDH-ES
Specified in:
section 5.6.4 of [XMLENC-CORE1]

This algorithm is a mandatory to implement algorithm for [XMLENC-CORE1].

9. Symmetric Key Wrap Algorithm URIs

The following URIs have been defined for symmetric key wrap algorithms.

9.1 CMS Triple-DES Key Wrap

CMS Triple-DES Key Wrap
URI:
http://www.w3.org/2001/04/xmlenc#kw-tripledes
Specified in:
section 5.6.2 of [XMLENC-CORE]

This algorithm is mandatory to implement in [XMLENC-CORE] .

9.2 AES Key Wrap

AES Key Wrap 128
URI:
http://www.w3.org/2001/04/xmlenc#kw-aes128
Specified in:
section 5.6.3 of [XMLENC-CORE]

This algorithm is mandatory to implement in [XMLENC-CORE] .

AES Key Wrap 128 with padding
URI:
http://www.w3.org/2009/xmlenc11#kw-aes-128-pad
Specified in:
the informative Appendix A.1 of [XMLENC-CORE1] (This informative section outlines the definition and reserves identifiers for algorithms that have no requirements for implementation and have not been tested for interoperability.)
AES Key Wrap 192
URI:
http://www.w3.org/2001/04/xmlenc#kw-aes192
Specified in:
section 5.6.3 of [XMLENC-CORE]
AES Key Wrap 192 with padding
URI:
http://www.w3.org/2009/xmlenc11#kw-aes-192-pad
Specified in:
the informative Appendix A.1 of [XMLENC-CORE1] (This informative section outlines the definition and reserves identifiers for algorithms that have no requirements for implementation and have not been tested for interoperability.)
AES Key Wrap 256
URI:
http://www.w3.org/2001/04/xmlenc#kw-aes256
Specified in:
section 5.6.3 of [XMLENC-CORE]

This algorithm is mandatory to implement in [XMLENC-CORE] .

AES Key Wrap 256 with padding
URI:
http://www.w3.org/2009/xmlenc11#kw-aes-256-pad
Specified in:
the informative Appendix A.1 of [XMLENC-CORE1] (This informative section outlines the definition and reserves identifiers for algorithms that have no requirements for implementation and have not been tested for interoperability.)

9.3 Camellia Key Wrap

These algorithms are not in the [XMLDSIG-CORE1] or [XMLENC-CORE1] implementation requirements but are listed for completeness.

Camellia Key Wrap 128
URI:
http://www.w3.org/2001/04/xmldsig-more#kw-camellia128
Specified in:
section 2.6.3 of [RFC6931]
Camellia Key Wrap 192
URI:
http://www.w3.org/2001/04/xmldsig-more#kw-camellia192
Specified in:
section 2.6.3 of [RFC6931]
Camellia Key Wrap 256
URI:
http://www.w3.org/2001/04/xmldsig-more#kw-camellia256
Specified in:
section 2.6.3 of [RFC6931]

10. Generic Hybrid Cipher Algorithm URIs

The following URIs have been defined for generic hybrid cipher algorithms.

Generic-Hybrid
URI:
http://www.w3.org/2010/xmlsec-ghc#generic-hybrid
Specified in:
section 4.2.1 of [XMLSEC-GHCIPHERS]
RSAES-KEM
URI:
http://www.w3.org/2010/xmlsec-ghc#rsaes-kem
Specified in:
section 4.3.1 of [XMLSEC-GHCIPHERS]
ECIES-KEM
URI:
http://www.w3.org/2010/xmlsec-ghc#ecies-kem
Specified in:
section 4.3.2 of [XMLSEC-GHCIPHERS]

11. Canonicalization Algorithms

Canonicalization algorithms are used in [XMLDSIG-CORE2002] ; they are typically used in the ds:CanonicalizationMethod and ds:Transform roles.

11.1 Inclusive Canonicalization

Canonical XML 1.0 [XML-C14N] without comments is mandatory to implement in both XML Signature [XMLDSIG-CORE2002] and XML Signature Second Edition [XMLDSIG-CORE] . XML Signature Second Edition recommends use of Canonical XML 1.1 [XML-C14N11] over use of Canonical XML 1.0 when inclusive canonicalization is desired, to address known issues with Canonical XML 1.0.

The canonicalization methods listed in this section accept a node-set or octet-stream as input, and produce an octet-stream as output.

Canonical XML 1.0 (omit comments)
URI:
http://www.w3.org/TR/2001/REC-xml-c14n-20010315
Specified in:
section 6.5.1 of [XMLDSIG-CORE]

This algorithm is mandatory to implement in [XMLDSIG-CORE2002] and [XMLDSIG-CORE] .

Canonical XML 1.0 (with comments)
URI:
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
Specified in:
section 6.5.1 of [XMLDSIG-CORE]

Implementation of this algorithm is recommended in [XMLDSIG-CORE1].

Canonical XML 1.1 (omit comments)
URI:
http://www.w3.org/2006/12/xml-c14n11
Specified in:
section 6.5.2 of [XMLDSIG-CORE]

This algorithm is mandatory to implement in [XMLDSIG-CORE] . Its use is recommended over Canonical XML 1.0.

Canonical XML 1.1 (with comments)
URI:
http://www.w3.org/2006/12/xml-c14n11#WithComments
Specified in:
section 6.5.2 of [XMLDSIG-CORE]

Implementation of this algorithm is recommended in [XMLDSIG-CORE1].

11.2 Exclusive Canonicalization

Exclusive Canonicalization XML 1.0 (omit comments)
URI:
http://www.w3.org/2001/10/xml-exc-c14n#
Specified in:
section 4 of [XML-EXC-C14N]

Implementation of this algorithm is required in [XMLDSIG-CORE1].

Exclusive Canonicalization XML 1.0 (with comments)
URI:
http://www.w3.org/2001/10/xml-exc-c14n#WithComments
Specified in:
section 4 of [XML-EXC-C14N]

11.3 Canonicalization 2.0

Canonical XML 2.0
URI:
http://www.w3.org/2010/10/xml-c14n2
Specified in:
section 3.1 of [XML-C14N20]

12. Encoding Algorithms

Base64 encoding
URI:
http://www.w3.org/2000/09/xmldsig#base64
Specified in:
section 6.6.2 of [XMLDSIG-CORE]
Input:
octet-stream, node-set
Output:
octet-stream

Implementation is required in [XMLDSIG-CORE] and [XMLENC-CORE]. Note that the same URI is used to identify base64 both in "encoding" context as well as in "transform" context.

13. Transform Algorithms

This section lists algorithms that typically occur in the ds:Transform role. ds:Transform is defined in detail in the XML Signature Reference Processing Model ( [XMLDSIG-CORE] , section 4.3.3.2). This processing model is, in turn, applied both to signed material, and to key material referenced through ds:RetrievalMethod ( [XMLDSIG-CORE] , section 4.4.3).

The ds:Transform role element is also used by the optional xenc:Transforms feature which is specified in the context of xenc:CipherReference in XML Encryption ( [XMLENC-CORE], section 3.3.1).

Transform algorithms can take an octet-stream or a node-set as input, and can produce either an octet-stream or a node-set as output.

Base64 decoding transform
URI:
http://www.w3.org/2000/09/xmldsig#base64
Specified in:
section 6.6.2 of [XMLDSIG-CORE]
Input:
octet-stream, node-set
Output:
octet-stream

Implementation is required in [XMLDSIG-CORE] and [XMLENC-CORE]. Note that the same URI is used to identify base64 both in "encoding" context as well as in "transform" context.

XPath Filtering
URI:
http://www.w3.org/TR/1999/REC-xpath-19991116
Specified in:
section 6.6.3 of [XMLDSIG-CORE]
Input:
octet-stream, node-set
Output:
node-set

Implementation of this algorithm is recommended in [XMLDSIG-CORE1].

XML-Signature XPath Filter 2.0
URI:
http://www.w3.org/2002/06/xmldsig-filter2
Specified in:
[XMLDSIG-XPATH-FILTER2]
Input:
octet-stream, node-set
Output:
node-set

Implementation of this algorithm is recommended in [XMLDSIG-CORE1].

Enveloped Signature Transform
URI:
http://www.w3.org/2000/09/xmldsig#enveloped-signature
Specified in:
section 6.6.4 of [XMLDSIG-CORE]
Input:
node-set (same-document)
Output:
node-set

This transform is required in [XMLDSIG-CORE2002] , [XMLDSIG-CORE] .

XSLT Transform
URI:
http://www.w3.org/TR/1999/REC-xslt-19991116
Specified in:
section 6.6.5 of [XMLDSIG-CORE]
Input:
octet-stream
Output:
octet-stream
Decryption Transform (XML mode)
URI:
http://www.w3.org/2002/07/decrypt#XML
Specified in:
[XMLENC-DECRYPT]
Input:
node-set
Output:
node-set
Decryption Transform (binary mode)
URI:
http://www.w3.org/2002/07/decrypt#Binary
Specified in:
[XMLENC-DECRYPT]
Input:
node-set
Output:
octet-stream

14. Retrieval method type identifiers

The ds:RetrievalMethod element permits referencing key material that is stored outside a ds:KeyInfo element. The type of the material that results from retrieval of the URI reference (and possible transform processing) can be identified using the Type attribute.

Note: The KeyInfoReference element introduced in [XMLDSIG-CORE1] is preferred over use of RetrievalMethod as it avoids use of Transform child elements that introduce security risk and implementation challenges.

The following Type values identify an XML element or document with the given element as its root:

http://www.w3.org/2000/09/xmldsig#DSAKeyValue
ds:DSAKeyValue, see section 4.4.2.1 of [XMLDSIG-CORE] .
http://www.w3.org/2000/09/xmldsig#RSAKeyValue
ds:RSAKeyValue, see section 4.4.2.2 of [XMLDSIG-CORE] .
http://www.w3.org/2000/09/xmldsig#X509Data
ds:X509Data, see section 4.4.4 of [XMLDSIG-CORE] .
http://www.w3.org/2000/09/xmldsig#PGPData
ds:PGPData, see section 4.4.5 of [XMLDSIG-CORE] .
http://www.w3.org/2000/09/xmldsig#SPKIData
ds:SPKIData, see section 4.4.6 of [XMLDSIG-CORE] .
http://www.w3.org/2000/09/xmldsig#MgmtData
ds:MgmtData, see section 4.4.7 of [XMLDSIG-CORE] .
http://www.w3.org/2001/04/xmldsig-more#KeyValue
ds:KeyValue, see section 4.4.2 of [XMLDSIG-CORE] .
http://www.w3.org/2001/04/xmldsig-more#RetrievalMethod
ds:RetrievalMethod, see section 4.4.3 of [XMLDSIG-CORE] .
http://www.w3.org/2001/04/xmldsig-more#KeyName
ds:KeyName, see section 4.4.1 of [XMLDSIG-CORE] .
http://www.w3.org/2001/04/xmldsig-more#PKCS7signedData
dsigmore:PKCS7signedData, see section 3.1 of [RFC6931] .
http://www.w3.org/2009/xmldsig11#ECKeyValue
dsig11:ECKeyValue, see section 4.5.2.3 of [XMLDSIG-CORE1] .
http://www.w3.org/2009/xmldsig11#DEREncodedKeyValue
dsig11:DEREncodedKeyValue, see section 4.5.9 of [XMLDSIG-CORE1] .

The following Type values identify the type of raw binary data:

http://www.w3.org/2001/04/xmldsig-more#rawX509CRL
http://www.w3.org/2001/04/xmldsig-more#rawPGPKeyPacket
http://www.w3.org/2001/04/xmldsig-more#rawSPKISexp
http://www.w3.org/2001/04/xmldsig-more#rawPKCS7signedData
http://www.w3.org/2000/09/xmldsig#rawX509Certificate

A. References

Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.

A.1 Informative references

[HMAC]
H. Krawczyk, M. Bellare, R. Canetti. HMAC: Keyed-Hashing for Message Authentication. February 1997. IETF RFC 2104. URL: http://www.ietf.org/rfc/rfc2104.txt
[RFC6931]
D. Eastlake. Additional XML Security Uniform Resource Identifiers (URIs). IETF RFC 6931. April 2013. URL: https://datatracker.ietf.org/doc/rfc6931/
[XKMS2]
Shivaram H. Mysore; Phillip Hallam-Baker. XML Key Management Specification (XKMS 2.0). 28 June 2005. W3C Recommendation. URL: http://www.w3.org/TR/2005/REC-xkms2-20050628/
[XML-C14N]
John Boyer. Canonical XML Version 1.0. 15 March 2001. W3C Recommendation. URL: http://www.w3.org/TR/2001/REC-xml-c14n-20010315
[XML-C14N11]
John Boyer; Glenn Marcy. Canonical XML Version 1.1. 2 May 2008. W3C Recommendation. URL: http://www.w3.org/TR/2008/REC-xml-c14n11-20080502/
[XML-C14N20]
John Boyer; Glen Marcy; Pratik Datta; Frederick Hirsch. Canonical XML Version 2.0. 11 April 2013. W3C Working Group Note. URL: http://www.w3.org/TR/2013/NOTE-xml-c14n2-20130411/
[XML-EXC-C14N]
Donald E. Eastlake 3rd; Joseph Reagle; John Boyer. Exclusive XML Canonicalization Version 1.0. 18 July 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/
[XMLDSIG-CORE]
Joseph Reagle et al. XML Signature Syntax and Processing (Second Edition). 10 June 2008. W3C Recommendation. URL: http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/
[XMLDSIG-CORE1]
D. Eastlake; J. Reagle; D. Solo; F. Hirsch; T. Roessler; K. Yiu. XML Signature Syntax and Processing Version 1.1. 11 April 2013. W3C Recommendation. URL: http://www.w3.org/TR/2013/REC-xmldsig-core1-20130411/
[XMLDSIG-CORE2002]
Joseph Reagle et al. XML Signature Syntax and Processing. 12 February 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
[XMLDSIG-XPATH-FILTER2]
Merlin Hughes; John Boyer; Joseph Reagle. XML-Signature XPath Filter 2.0. 8 November 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xmldsig-filter2-20021108/
[XMLENC-CORE]
Donald Eastlake; Joseph Reagle. XML Encryption Syntax and Processing. 10 December 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/
[XMLENC-CORE1]
J. Reagle; D. Eastlake; F. Hirsch; T. Roessler. XML Encryption Syntax and Processing Version 1.1. 11 April 2013. W3C Recommendation. URL: http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/
[XMLENC-DECRYPT]
Takeshi Imamura; Merlin Hughes; Hiroshi Maruyama. Decryption Transform for XML Signature. 10 December 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xmlenc-decrypt-20021210
[XMLSEC-GHCIPHERS]
Magnus Nyström; Frederick Hirsch. XML Security Generic Hybrid Ciphers. 11 April 2013. W3C Working Group Note. URL: http://www.w3.org/TR/2013/NOTE-xmlsec-generic-hybrid-20130411/