IETF Logo W3C Logo

Author: Joseph Reagle

Audience: WWW9 W3C Track

Question: Overview of XML DSig

References:

  1. /TR/2000/WD-xmldsig-core-20000510/ [completed last call]
    /internet-drafts/draft-ietf-xmldsig-core-06.txt http://www.w3.org/TR/1999//WD-xmldsig-requirements-19991014 [Going to InfoRFC] http://www.ietf.org/internet-drafts/draft-ietf-xmldsig-requirements-02.txt

XML Signature

Joseph M. Reagle Jr.
<reagle@w3.org>

IETF/W3C XML Signature Co-Chair
W3C/LCS/MIT

Status

Design Principles/Goal

  1. The specification must describe how to use XML syntax to represent a signature over digital content (and XML content in particular).
  2. XML-signatures are generated from a hash over a list of references and the digest value of the references' content.
  3. The meaning of a signature is simple:  The XML-signature syntax associates the content of resources listed with a key via a strong one-way transformation.

Design Overview

<Signature> 
  <SignedInfo>
    (CanonicalizationMethod)?
    (SignatureMethod)
    <Reference (URI=)? >
      (Transforms)?
      (DigestMethod)
      (DigestValue)
    </Reference>)+
  </SignedInfo>
  (SignatureValue) 
 (KeyInfo)?
 (Object)*
</Signature>

Design Example

[s01] <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/02/xmldsig#"> 
[s02]   <SignedInfo> 
[s03]     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000119"/> 
[s04]     <SignatureMethod Algorithm="http://www.w3.org/2000/02/xmldsig#dsa"/> 
[s05]     <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> 
[s06]       <Transforms> 
[s07]         <Transform Algorithm="http://www.w3.org/2000/02/xmldsig#c14n"/> 
[s08]       </Transforms> 
[s09]       <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"/> 
[s10]       <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue> 
[s11]     </Reference> 
[s12]   </SignedInfo> 
[s13]   <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> 
      ...
[s17] </Signature>

Features of Design

KeyInfo

[s14]   <KeyInfo>
[s15a]    <KeyValue>
[s15b]      <DSAKeyValue>
[s15c]         <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
[s15d]      </DSAKeyValue>
[s15e]    </KeyValue>
[s16]   </KeyInfo>

Objects

[p00] <Signature Id="MySecondSignature" ...> 
[p01]  <SignedInfo> ...
[p02]   <Reference URI="http://www.w3.org/TR/xml-stylesheet/">... 
[p03]   <Reference URI=" #AMadeUpTimeStamp "  
[p04]         Type="http://www.w3.org/2000/02/xmldsig#SignatureProperty">...
[p08]  </SignedInfo>  
[p09]  ...  
[p10]  <Object> 
[p11]   <SignatureProperties Id="AMadeUpTimeStamp"> 
[p12]     <SignatureProperty Target=" #MySecondSignature "> 
[p13]        <timestamp xmlns="http://www.ietf.org/rfcXXXX.txt">  
[p14]          <date>19990908</date>  
[p15]          <time>14:34:34:34</time>  
[p16]        </timestamp>  
[p17]     </SignatureProperty> 
[p18]   </SignatureProperties> 
[p19]  </Object>  
[p20]</Signature>

Algorithms

[s04]   <SignatureMethod Algorithm="http://www.w3.org/2000/02/xmldsig#dsa"/>

Type Algorithm Requirements Algorithm URI
Digest SHA1 REQUIRED http://www.w3.org/2000/02/xmldsig#sha1
Encoding Base64 REQUIRED http://www.w3.org/2000/02/xmldsig#base64 
MAC HMAC-SHA1 REQUIRED http://www.w3.org/2000/02/xmldsig#hmac-sha1
Signature DSAwithSHA1
(DSS)		 REQUIRED http://www.w3.org/2000/02/xmldsig#dsa
Canonicalization XML-
Canonicalization		 REQUIRED http://www.w3.org/TR/1999/WD-xml-c14n-19991115
Others XPath RECOMMENDED http://www.w3.org/TR/1999/REC-xpath-19991116

Near Future