W3C

Using XML Digital Signatures in the 2006 XML Environment

W3C Working Draft 15 September 2006

This version:
http://www.w3.org/TR/2006/WD-DSig-usage-20060915/
Latest version:
http://www.w3.org/TR/DSig-usage/
Editor:
Thomas Roessler, W3C

Abstract

This technical note describes how to use the XML Digital Signature Recommendation [XMLDSIG] in a way consistent with the present (fall 2006) XML environment. In particular, this note takes into account the recent xml:id Version 1.0 [XMLID] and Canonical XML Version 1.1 [C14N11] Recommendations.

This note suggests constraints on the use of XML Signature, and relies on extension points present in the XML Digital Signature Recommendation. This note does not override any aspect of that Recommendation.

Status of this Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

This is the W3C First Public Working Draft of "XML Signatures in the 2006 XML Environment", produced by the XML Core Working Group, as part of the XML Activity. A companion note, "Known Issues with Canonical XML 1.0 (C14N/1.0)" [C14NNOTE], discusses in detail some of the issues related to the inheritance of certain XML attributes and the Canonical XML Recommendation 1.0 [C14N10].

Once all the comments about this document will have been addressed, the Working Group intends to publish a final version of this document as a W3C Working Group Note.

Please send comments related to this document to www-xml-canonicalization-comments@w3.org (public archive).

Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.


Short Table of Contents

1. Overview
2. Use of Canonical XML 1.1 with XML Signatures
3. Algorithm Identifiers
4. References
5. Acknowledgments


Table of Contents

1. Overview
2. Use of Canonical XML 1.1 with XML Signatures
    2.1 Use Canonical XML 1.1 Instead Of Canonical XML 1.0
    2.2 Explicitly Canonicalize All Node-Sets
3. Algorithm Identifiers
4. References
5. Acknowledgments

Appendix


1. Overview

This technical note describes how to use the XML Digital Signature Recommendation [XMLDSIG] in a way consistent with the present (fall 2006) XML environment. In particular, this note takes into account the recent xml:id Version 1.0 [XMLID] and Canonical XML Version 1.1 [C14N11] Recommendations.

This note suggests constraints on the use of XML Digital Signature, and relies on extension points present in the XML Digital Signature Recommendation. This note does not override any aspect of that Recommendation.

2. Use of Canonical XML 1.1 with XML Signatures

Canonical XML 1.1 [C14N11] revisits assumptions made in the original Canonical XML specification [C14N10], and that have subsequently been invalidated by further developments in the XML area. In particular, the transformations specified in [C14N11] can be safely applied in the presence of attributes such as xml:id [XMLID] and xml:base [XMLBASE].

2.1 Use Canonical XML 1.1 Instead Of Canonical XML 1.0

Implementations MUST NOT apply the Canonical XML 1.0 transformations to nodesets that contain xml:id or xml:base elements. Implementations SHOULD apply Canonical XML 1.1 to such nodesets.

Where canonicalization algorithms are identified by URI, the Canonical XML 1.1 algorithms SHOULD be identified using the algorithm URIs defined in section 3 of this note.

2.2 Explicitly Canonicalize All Node-Sets

The Reference Processing Model (section 4.3.3.2 of [XMLDSIG]) requires use of the Canonical XML algorithm if a data object is a node set and the next transform requires octets.

When constructing the chain of transforms that is applied to a given data object, implementations MUST NOT rely on this default algorithm to convert node-sets to octet streams. Instead, implementations SHOULD:

  • add an explicit <ds:Transform> element referencing http://www.w3.org/TR/2006/WD-xml-c14n11-20060915/ before each Transform that expects an octet-stream, but is applied to a node-set;
  • add an explicit <ds:Transform> element referencing http://www.w3.org/TR/2006/WD-xml-c14n11-20060915/ as the final Transform, if the last transformation generates a node-set.

Implementations MAY apply other transformation algorithms that convert node-sets to octet streams.

3. Algorithm Identifiers

This section identifies additional algorithms used with the XML digital signature specification.

Algorithms are identified by URIs that appear as an attribute to the element that identifies the algorithms' role (DigestMethod, Transform, SignatureMethod, or CanonicalizationMethod).

Identifiers
Canonical XML 1.1 (omits comments)
http://www.w3.org/TR/2006/WD-xml-c14n11-20060915/
Canonical XML 1.1 with comments
http://www.w3.org/TR/2006/WD-xml-c14n11-20060915/#WithComments

The normative specification of Canonical XML 1.1 is [C14N11]. The algorithm is capable of taking as input either an octet stream or an XPath node-set (or sufficiently functional alternative). The algorithm produces an octet stream as output. Canonical XML 1.1 is easily parameterized (via an additional URI) to omit or retain comments.

4. References

[C14N10]
Canonical XML Version 1.0, J. Boyer. W3C Recommendation, 15 March 2001, http://www.w3.org/TR/xml-c14n (Errata).
[C14N11]
Canonical XML Version 1.1, J. Boyer, G. Marcy. Working Draft, 15 September 2006, http://www.w3.org/TR/2006/WD-xml-c14n11-20060915/ (Errata).
[C14NNOTE]
Known Issues with Canonical XML 1.0, J. Kahan, K. Lanz. W3C Draft Working Group Note, 15 September 2006, http://www.w3.org/TR/2006/WD-C14N-issues-20060915/
[XMLBASE]
XML Base , J. Marsh. W3C Recommendation, 27 June 2001, http://www.w3.org/TR/xmlbase/.
[XMLID]
xml:id Version 1.0 , J. Marsh, D. Veillard, N. Walsh. W3C Recommendation,9 September 2005, http://www.w3.org/TR/xml-id/.
[XMLDSIG]
XML-Signature Syntax and Processing, D. Eastlake, J. R., D. Solo, M. Bartel, J. Boyer , B. Fox , E. Simon. W3C Recommendation, 12 February 2002, http://www.w3.org/TR/xmldsig-core/.

5. Acknowledgments

This note is based on based on input from John Boyer, Roy Fielding, Philippe Le Hegaret, José Kahan, Konrad Lanz, Larry Masinter, Henry Thompson, the members of the XML Core Working Group, and the members of the xml-dsig mailing list.