Changes in XML Signature Syntax and Processing (Second Edition)

Thomas Roessler <>
$Date: 2008/03/14 22:37:54 $

Status of this Document

This document summarizes the changes that the XML Security Specifications Maintenance Group has made to the XML Signature Syntax and Processing Specification in preparing a proposed second edition.

Discussion of Changes

Cover page

Updated to 2nd edition, updated status of the document section, added Frederick Hirsch and Thomas Roesssler as editors.

Removed "-" from title, changing "XML-Signature" to "XML Signature"

1.3 Versions

Updated normative reference for SHA-1 to FIPS 180-2.

Section 2.1 Simple Examples

Example updated to use C14N 1.1; digest values removed to avoid impression that example could serve as a useful test case.

Section 2.1.1 More on References


Section 2.2 Extended Example

Example updated to use C14N 1.1 by way of Transforms element; digest value removed; lines in example and references to them renumbered.

Section 2.3 Extended Example


Section 3.1.1 Reference Generation

Added material to RECOMMEND C14N 1.1 if inclusive canonicalization is desired, and explain its use through Transforms element.

Section The URI Attribute

Clarified specification language to match its intent; referring to XML Schema part 2, 2nd Edition for encoding rules.

Removed "MUST be able to parse URI syntax", as it is not a testable conformance requirement.

Clarified role of Type attribute per erratum E05.

Section The Reference Processing Model

Added a pointer to Section 3.1.1 to draw attention to handling of default canonicalization algorithms.

Defined same-document reference consistent with RFC 2396 to avoid conformance-affecting side effects from change of normative reference to RFC 3986.

Rephrased xpointer-related parts of reference processing model in terms of the XPointer Framework Recommendation; the model was phrased in terms of the failed 2001 XPointer Candidate Recommendation.

Defined REQUIRED xpointer() scheme xpointers explicitly, since xpointer() scheme is not a Recommendation. (cf XML Coordination Group discussion [member confidential].)

Added clarification of change in specification text.

Section Same-Document URI References

Rephrased specification language in terms of the XPointer Framework Recommendation.

Section The Transforms Element

Corrected document-internal link to section 6.6.

Section 4.4.3 The RetrievalMethod Element

Clarified role of Type attribute per erratum E05.

Added note on discrepancy between schema and DTD. While the DTD is correct (and the schema wrong), the group resolved to keep the schema intact.

Section 4.4.4 The X509Data Element
Section, Distinguished Name Encoding Rules

Updated normative reference from RFC 2253 to RFC 4514.

Clarified requirements on content of X509IssuerSerial and X509SubjectName elements.

Clarified conformance requirements in section

Clarified additional encoding rules.

This change addresses erratum E01, but goes beyond the changes proposed there.

Section 4.5 The Object Element

Correction of example per E06.

Section 6.1 Algorithm Identifiers and Implementation Requirements

Added Canonical XML 1.1 as Required, Canonical XML 1.1 with Comments as Recommended.

Section 6.2.1

Update SHA-1 link to point to FIPS-180-2.

Section 6.4.2 PKCS1 (RSA-SHA1)

Editorial change per E07.

Section 6.5 Canonicalization Algorithms

Editorial changes.

Discussion of C14N 1.1 vs C14N 1.0

Clarification of normal form output from canonicalization algorithms per E04.

Added note per E02 to point out existence of exclusive canonicalization, with editorial changes to cover C14N 1.1.

Section 6.5.1 Canonical XML 1.0

Renamed from "Canonical XML" to "Canonical XML 1.0"; corresponding change in body of section.

Section 6.5.2 Canonical XML 1.1

New section.

Section 6.6.2 Base64

Change "barename" to "shortname" to use terminology from XPointer Framework Recommendation.

Section 6.6.3 XPath

Change "barename" to "shortname" to use terminology from XPointer Framework Recommendation.

Add pointer to XPath Filter 2.0 Recommendation per E03.

11.0 References

Updates to implement changes outlined above.

Updated normative reference for SHA-1 to point to FIPS PUB 180-2 instead of FIPS PUB 180-1.

Updated normative reference for DSA to point to current version of FIPS PUB 186-2.