XML Encryption 1.1 CipherReference Processing using 2.0 Transforms

W3C Working Group Note 11 April 2013

Editor: Frederick Hirsch, frederick.hirsch@nokia.com


This informative W3C Working Group Note describes how the XML Signature 2.0 transform model may be used with XML Encryption 1.1 for CipherReference processing.

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

This is a W3C Working Group Note of "XML Encryption 1.1 CipherReference Processing using 2.0 Transforms". The XML Security Working Group has agreed not to progress this document further as a Recommendation track document, electing to publish it as an informative Working Group Note. The XML Security Working Group has not performed interop or implementation testing on the material in this document.

Other than publishing as a W3C Working Group Note, the only changes since the last publication have been to update the abstract to clarify the status and to update the references.

This document was published by the XML Security Working Group as a Working Group Note. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org. All comments are welcome.

Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

1. Introduction

This section is non-normative.

This document specifies how the XML Signature 2.0 transform model may be used with XML Encryption 1.1 for CipherReference processing. The XML Signature 2.0 [XMLDSIG-CORE2] Transform processing model offers simplification to the XML Encryption 1.1 [XMLENC-CORE1] CipherReference transform processing model.

The current model in XML Encryption 1.1 is that a CipherReference element specifies a URI attribute for obtaining content and may also optionally apply further transforms through the use of one or more Transform elements contained in a Transforms child of the CipherReference. The example in XML Encryption 1.1 shows use of an XPath transform to select a specific element within an XML document and then a base64 transform to decode the base64 to octets (two 1.1 transforms are applied).

This document is only applicable when transforms are applied in XML Encryption 1.1 to obtain cipher content; however, this may be frequent when base64 decoding is required.

The 2.0 Transform model has a single fixed transform that supports a selection element, enabling the CipherReference processing model to be simplified (the 2.0 model also has other features that are not discussed in this document). The overall set of simplifications is as follows:

  1. Use the 2.0 Transform dsig2:Selection element with a URI attribute value that specifies the source of the cipher value, using XML fragments as appropriate. In the XML Encryption 1.1 example this removes the need for an XPath transform.

  2. Process the content retrieved from the URL source appropriately, as defined according to the dsig2:Selection Algorithm attribute. The type defined for base64 content encoded in XML is appropriate to the example in XML Encryption 1.1.

This approach entirely eliminates the use of transforms, apart from the backwardly-compatible mechanism of using the 2.0 Transform element to enable use of the 2.0 selection mechanism.

2. Example

This section is non-normative.

This example corresponds to the example shown in section 3.3.1 of XML Encryption 1.1.

  <CipherReference URI="">
      <ds:Transform Algorithm="http://www.w3.org/2010/xmldsig2#transform">

3. Version recognition

Use of 2.0 transform processing can be recognized by examining the Algorithm attribute value on the Transform element and seeing that it is the 2.0 value defined in XML Signature 2.0: "http://www.w3.org/2010/xmldsig2#transform".

This document is only applicable if the Algorithm attribute has a compatible value (this value or later).

4. CipherReference Processing with 2.0 Transform Model

CipherReference processing with the 2.0 transform model is only performed if the CipherReference element has a Transforms child element with a Transform child having an Algorithm attribute value consistent with 2.0 processing. The only current such value is "http://www.w3.org/2010/xmldsig2#transform".

If this is the case, it is an error if there is more than one Transforms child element of the CipherReference element or if there is more than one Transform child element of the Transforms element.

The dsig2:Selection element MUST be present as a child of the single Transform element. The URI attribute of the dsig2:Selection element MUST specify the source for the cipher data (and for content from within XML should specify the fragment if necessary; see 10.6.1 Selection of XML Documents or Fragments of XML Signature 2.0 for details).

If the cipher data is base64 encoded content within an XML source, the http://www.w3.org/2010/xmldsig2#binaryfromBase64 algorithm identifier MUST be specified as the dsig2:Selection Algorithm attribute value.

If the cipher data is binary (and not base64 encoded) content from the URI source, the http://www.w3.org/2010/xmldsig2#binaryExternal algorithm identifier MUST be specified as the dsig2:Selection Algorithm attribute value.

No other Algorithm attribute value should be used.

5. Schema

This document specifies no change to the schema definition of the CipherReference element defined in XML Encryption 1.1, but the URI attribute of this element is ignored when the 2.0 transform processing model is used as described in this document.
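The checks in sections 3 to 5 expressed as a validator, as an added example rather than code from this Note or the Working Group. The sample document, its example.com URI and the function name check_cipher_reference are constructed for illustration; rejecting a second dsig2:Selection or an unlisted Algorithm outright is a stricter policy chosen for this example.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
DSIG2 = "http://www.w3.org/2010/xmldsig2#"
TRANSFORM_20 = "http://www.w3.org/2010/xmldsig2#transform"
# Selection algorithms named in section 4, mapped to how the octets are obtained.
SELECTION_MODES = {
    "http://www.w3.org/2010/xmldsig2#binaryfromBase64": "base64-in-xml",
    "http://www.w3.org/2010/xmldsig2#binaryExternal": "raw-binary",
}
# Constructed sample; the Selection URI and its fragment are placeholders.
SAMPLE = f"""<CipherReference xmlns="{XENC}" URI="">
  <Transforms>
    <ds:Transform xmlns:ds="{DS}" Algorithm="{TRANSFORM_20}">
      <dsig2:Selection xmlns:dsig2="{DSIG2}"
          Algorithm="http://www.w3.org/2010/xmldsig2#binaryfromBase64"
          URI="http://www.example.com/CipherValues.xml#cipher1"/>
    </ds:Transform>
  </Transforms>
</CipherReference>"""


def check_cipher_reference(xml_text):
    """Return (selection_uri, mode) for a 2.0-model CipherReference, None when
    the 2.0 model is not in use; raise ValueError on a rule violation."""
    ref = ET.fromstring(xml_text)  # use a hardened parser for untrusted input
    if ref.tag != f"{{{XENC}}}CipherReference":
        raise ValueError("root is not xenc:CipherReference")
    wrappers = ref.findall(f"{{{XENC}}}Transforms")
    transforms = [t for w in wrappers for t in w.findall(f"{{{DS}}}Transform")]
    if not any(t.get("Algorithm") == TRANSFORM_20 for t in transforms):
        return None  # section 3: not recognised as 2.0, 1.1 processing applies
    if len(wrappers) != 1 or len(transforms) != 1:
        raise ValueError("exactly one Transforms and one Transform allowed")
    selections = transforms[0].findall(f"{{{DSIG2}}}Selection")
    if len(selections) != 1:
        raise ValueError("exactly one dsig2:Selection child expected")
    uri = selections[0].get("URI")
    if not uri:
        raise ValueError("Selection URI must name the cipher data source")
    mode = SELECTION_MODES.get(selections[0].get("Algorithm"))
    if mode is None:
        raise ValueError("Selection Algorithm not permitted for cipher data")
    # Section 5: CipherReference/@URI is ignored; only the Selection URI is used.
    return uri, mode
```

The returned mode tells the caller whether the dereferenced content still needs base64 decoding before decryption.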

A. References

Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.

A.1 Normative references

[XMLDSIG-CORE2] D. Eastlake; J. Reagle; D. Solo; F. Hirsch; T. Roessler; K. Yiu; P. Datta; S. Cantor. XML Signature Syntax and Processing Version 2.0. 11 April 2013. W3C Working Group Note. URL: http://www.w3.org/TR/2013/NOTE-xmldsig-core2-20130411/

[XMLENC-CORE1] J. Reagle; D. Eastlake; F. Hirsch; T. Roessler. XML Encryption Syntax and Processing Version 1.1. 11 April 2013. W3C Recommendation. URL: http://www.w3.org/TR/2013/REC-xmlenc-core1-20130411/

A.2 Informative references

No informative references.