Copyright © 2011 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
This document specifies how the XML Signature 2.0 transform model
may be used with XML Encryption 1.1 for CipherReference
processing.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
This document summarizes the changes necessary to allow XML Encryption to use the transform model introduced in XML Signature 2.0. At some point the contents of this document may be incorporated into an XML Encryption 2.0 document, but are currently separate to highlight the limited set of changes, enabling easier review.
This document was published by the XML Security Working Group as a First Public Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org (subscribe, archives). All feedback is welcome.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This section is non-normative.
The XML Signature 2.0 [XMLDSIG-CORE2] Transform processing model offers
simplification to the
XML Encryption 1.1 [XMLENC-CORE1] CipherReference
transform
processing model.
The current model in XML Encryption 1.1 is that
a CipherReference
element
specifies a URI
attribute for obtaining content and may
also optionally apply further
transforms through the use of one or more Transform
elements
contained in a Transforms
child of
the CipherReference
. The example in XML Encryption 1.1
shows use of an XPath
transform to select
a specific element within an XML document and then a base64 transform to
decode the base64 to octets (two 1.1 transforms are applied).
This document is only applicable when transforms are applied in XML Encryption 1.1 to obtain cipher content, however this may be frequent when base64 decoding is required.
The 2.0 Transform model has a single fixed transform that supports a
selection element, enabling the CipherReference
processing model to be simplified (the 2.0 model also has other
features that are
not discussed in this document). The overall set of simplifications
are as
follows:
Use the 2.0 Transform dsig2:Selection
element with
a URL
attribute value that specifies the source of
the cipher value, using XML fragments as
appropriate. In the XML Encryption 1.1 example this removes the
need for an XPath transform.
Process the content retrieved from the URL source appropriately, as
defined according to the dsig2:Selection
Algorithm
attribute. The type defined for base64 content
encoded in XML is appropriate to the example in XML Encryption 1.1.
This approach entirely eliminates the use of transforms, apart from
the backwardly-compatible mechanism of using the
2.0 Transform
element to
enable use of the 2.0 selection mechanism.
This section is non-normative.
This example corresponds to the example shown in section 3.3.1 of XML Encryption 1.1.
<CipherReference URI=""> <Transforms> <ds:Transform Algorithm="http://www.w3.org/2010/xmldsig2#transform"> <dsig2:Selection URI="http://www.example.com/CipherValues.xml#example1" Algorithm="http://www.w3.org/2010/xmldsig2#binaryfromBase64" xmlns:dsig2="http://www.w3.org/2010/xmldsig2#"> </dsig2:Selection> </ds:Transform> </Transforms> </CipherReference>
Use of 2.0 transform processing can be recognized by examination of
the Algorithm
attribute value on
the Transform
element and seeing
that it is the 2.0 value defined in XML Signature 2.0:
"http://www.w3.org/2010/xmldsig2#transform"
.
This document is only applicable if it has a compatible value (this value or later).
CipherReference
Processing with 2.0 Transform Model
CipherReference
processing with the 2.0 transform model
is only performed if the CipherReference
element has
a Transforms
child element with a Transform
child having an Algorithm
attribute value consistent with 2.0
processing. The only current such value is
"http://www.w3.org/2010/xmldsig2#transform"
.
If this is the case, it is an error if there is more than
one Transforms
child element of
the CipherReference
element or if there is more than
one
Transform
child element of
the Transforms
element.
The dsig2:Selection
element must be present as a child of
the single
Transform
element.
The URI
attribute of the dsig2:Selection
element must specify the
source for
the cipher data (and for content from within XML should specify the
fragment if necessary, see 10.6.1 Selection of XML Documents or
Fragments of XML Signature 2.0 for details)
If the cipher data is base64 encoded content within an XML source, the
http://www.w3.org/2010/xmldsig2#binaryfromBase64
algorithm identifier
must be specified as the dsig2:Selection
Algorithm
attribute value.
If the cipher data is binary (and not base64 encoded) content from the
URI source, the http://www.w3.org/2010/xmldsig2#binaryExternal
algorithm identifier must be specified as the dsig2:Selection
Algorithm
attribute value.
No other Algorithm
attribute value should be used.
This document specifies no change to the schema definition of
the CipherReference
element defined in XML
Encryption 1.1, but the URI
attribute of this element is
ignored when the 2.0 transform processing model is used as described
in this document.
Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.
No informative references.