This document provides a summary of non-editorial changes in XML Signature 1.1 from the XML Signature Second Edition Recommendation.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
In the case of any difference between this document and the XML Signature 1.1 specification [XMLDSIG-CORE1], the XML Signature 1.1 specification is authoritative.
This Note has been updated since the previous publication to remove
the text stating that
OCSPResponse was added to XML Signature 1.1,
as it has been removed from XML Signature 1.1. References have also
been updated (diff).
This document was published by the XML Security Working Group as a Working Group Note. If you wish to make comments regarding this document, please send them to firstname.lastname@example.org (subscribe, archives). All comments are welcome.
Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This document summarizes non-editorial changes in XML Signature 1.1 from the XML Signature Second Edition Recommendation.
For all algorithms added, algorithm identifiers and information were added to the specification.
SHA-1but allow it for compatibility
SHA-1use is DISCOURAGED (but support is still REQUIRED).
SHA-1to state that use is DISCOURAGED (but still REQUIRED).
HMAC-SHA1to state that use is DISCOURAGED
DSAwithSHA1is only REQUIRED as Signature algorithm for Signature verification, but is OPTIONAL for Signature generation. Previously it was REQUIRED for both.
HMAC-SHA512to RECOMMENDED (from OPTIONAL).
DEREncodedKeyValue- new representation for public keys
KeyInfoReference- alternative to
RetrievalMethodaccess to a
KeyInfoelement that does not require use of a
Transformis needed to obtain content of
KeyInfoReferenceelement instead of
dsig11:X509Digestto list of elements that may be included, to support reference via base64-encoded digest of a certificate
X509IssuerSerialand possible issue with schema validation when large serial numbers are used.
X509Datain explicitly trusted scenarios.
Referencevalidation since changes could occur in serialization after
SHA-256in preference to