Functional Explanation of Changes in XML Signature 1.1

W3C Working Group Note 18 October 2012

This version:
Latest published version:
Latest editor's draft:
Previous version:
Frederick Hirsch


This document provides a summary of non-editorial changes in XML Signature 1.1 from the XML Signature Second Edition Recommendation.

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

In the case of any difference between this document and the XML Signature 1.1 specification [XMLDSIG-CORE1], the XML Signature 1.1 specification is authoritative.

This document was published by the XML Security Working Group as a First Public Working Group Note. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org (subscribe, archives). All feedback is welcome.

Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

Table of Contents

1. Introduction

This document summarizes non-editorial changes in XML Signature 1.1 from the XML Signature Second Edition Recommendation.

2. Changes

2.1 Algorithms Added

For all algorithms added, algorithm identifiers and information were added to the specification.

2.2 Algorithms Changed

2.3 Other Algorithm-related Changes

2.4 KeyInfo Changes

2.4.1 General Changes

  • required support of KeyValue formats for DSA, RSA (required now, no longer recommended), and ECDSA
  • Add new KeyInfo child elements with corresponding URIs
    • ECKeyValue, ECParameters
    • DEREncodedKeyValue
  • Add sections on how to use additional KeyInfo child elements
    • Describe use of XML Encryption EncryptedKey and DerivedKey Elements
    • Add DEREncodedKeyValue - new representation for public keys
    • Add KeyInfoReference - alternative to RetrievalMethod access to a KeyInfo element that does not require use of a Transform
  • Clarify for RetrievalMethod that a Transform is needed to obtain content of KeyInfo referenced by ID
  • Encourage use of new KeyInfoReference element instead of RetrievalMethod
  • Added profile of RFC 4050 with respect to ECDSA key formats.

2.4.2 X509Data Changes

  • Support revocation checking by adding dsig11:OCSPResponse to list of elements that may be included
  • Add dsig11:X509Digest to list of elements that may be included, to support reference via base64-encoded digest of a certificate
  • Add that the recommended certificate encoding is BER or DER subset.
  • Deprecate and add note regarding use of X509IssuerSerial and possible issue with schema validation when large serial numbers are used.
  • Add note about the need to sign entire structure as a unit when using X509Data in explicitly trusted scenarios.

2.5 Clarifications

2.6 Security Considerations Changes

2.7 Other Changes

A. References

A.1 Informative references

D. Eastlake, J. Reagle, D. Solo, F. Hirsch, T. Roessler, K. Yiu. XML Signature Syntax and Processing Version 1.1. 18 October 2012. W3C Last Call Working Draft. (Work in progress) URL: http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/