<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>Using XML Digital Signatures in the 2006 XML
Environment</title><style type="text/css">
code { font-family: monospace; }
div.constraint,
div.issue,
div.note,
div.notice { margin-left: 2em; }
dt.label { display: run-in; }
li, p { margin-top: 0.3em;
margin-bottom: 0.3em; }
div.assertion { border: 4px double gray; padding: 0.5em; margin-bottom: 0.2em; }
blockquote { background-color: #eeeeee; }
spectext { background-color: #eeeeee; }
.message { background-color: #d5dee3; }
pre { margin-left: 4em}
p.diff-chg,
li.diff-chg,
h1.diff-chg,
h2.diff-chg,
h3.diff-chg,
h4.diff-chg,
h5.diff-chg,
h6.diff-chg,
td.diff-chg,
tr.diff-chg { background-color: #E47833; }
p.diff-del,
li.diff-del,
h1.diff-del,
h2.diff-del,
h3.diff-del,
h4.diff-del,
h5.diff-del,
h6.diff-del,
td.diff-del,
tr.diff-del { background-color: red; text-decoration: line-through;}
p.diff-add,
p.diff-add,
h1.diff-add,
h2.diff-add,
h3.diff-add,
h4.diff-add,
h5.diff-add,
h6.diff-add,
td.diff-add,
tr.diff-add { background-color: lime; }
table { empty-cells: show; }
div.exampleInner pre { margin-left: 1em;
margin-top: 0em; margin-bottom: 0em}
div.exampleOuter {border: 4px double gray;
margin: 0em; padding: 0em}
div.exampleInner { background-color: #d5dee3;
border-top-width: 4px;
border-top-style: double;
border-top-color: #d3d3d3;
border-bottom-width: 4px;
border-bottom-style: double;
border-bottom-color: #d3d3d3;
padding: 4px; margin: 0em }
div.exampleWrapper { margin: 4px }
div.exampleHeader { font-weight: bold;
margin: 4px}
div.table,
div.figure {margin-top: 2em;
margin-bottom: 2em;
text-align: center; }
</style><link rel="stylesheet" type="text/css" href="http://www.w3.org/StyleSheets/TR/W3C-WG-NOTE.css"></head><body>
<div class="head"><p><a href="http://www.w3.org/"><img height="48" width="72" alt="W3C" src="http://www.w3.org/Icons/w3c_home"></a></p>
<h1>Using XML Digital Signatures in the 2006 XML
Environment</h1>
<h2>W3C Working Group Note 20 December 2006</h2><dl><dt>This version:</dt><dd><a href="http://www.w3.org/TR/2006/NOTE-DSig-usage-20061220/">http://www.w3.org/TR/2006/NOTE-DSig-usage-20061220/</a></dd><dt>Latest version:</dt><dd><a href="http://www.w3.org/TR/DSig-usage/">http://www.w3.org/TR/DSig-usage/</a></dd><dt>Previous versions:</dt><dd><a href="http://www.w3.org/TR/2006/WD-DSig-usage-20060915/">http://www.w3.org/TR/2006/WD-DSig-usage-20060915/</a></dd><dt>Editor:</dt>
<dd>Thomas Roessler, <a href="http://www.w3.org/">W3C</a></dd>
</dl><p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> ©2006 <a href="http://www.w3.org/"><acronym title="World Wide Web Consortium">W3C</acronym></a><sup>®</sup>(<a href="http://www.csail.mit.edu/"><acronym title="Massachusetts Institute of Technology">MIT</acronym></a>, <a href="http://www.ercim.org/"><acronym title="European Research Consortium for Informatics and Mathematics">ERCIM</acronym></a>, <a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.</p></div><hr><div>
<h2><a name="abstract">Abstract</a></h2>
<p>This technical note describes how to use the XML Digital Signature
Recommendation [<a href="#XMLDSIG">XMLDSIG</a>] in a way consistent
with the present (fall 2006) XML environment. In particular, this
note takes into account the recent xml:id Version 1.0 [<a href="#XMLID">XMLID</a>] Recommendation, and work in progress towards
a Canonical XML Version 1.1 [<a href="#C14N11">C14N11</a>]
Recommendation.</p>
<p>This note suggests constraints on the use of XML Signature, and
relies on extension points present in the XML Digital Signature
Recommendation. This note does not override any aspect of that
Recommendation.</p>
</div><div>
<h2><a name="status">Status of this Document</a></h2>
<p><em>This section describes the status of this document at the time of its
publication. Other documents may supersede this document. A list of current
W3C publications and the latest revision of this technical report can be
found in the <a href="http://www.w3.org/TR/" shape="rect">W3C technical
reports index</a> at http://www.w3.org/TR/.</em></p>
<p>This document was developed by the <a href="http://www.w3.org/XML/Core/" shape="rect">XML Core Working Group</a>, as part of the <a href="http://www.w3.org/XML/Activity">XML Activity</a>. A companion
Note, "Known Issues with Canonical XML 1.0 (C14N/1.0)" [<a href="#C14NNOTE" shape="rect">C14NNOTE</a>], discusses in detail some
of the issues related to the inheritance of certain XML attributes and
the Canonical XML Recommendation 1.0 [<a href="#C14N10">C14N10</a>].
</p>
<p>Please send comments related to this document to <a href="mailto:www-xml-canonicalization-comments@w3.org" shape="rect">www-xml-canonicalization-comments@w3.org</a> (<a href="http://lists.w3.org/Archives/Public/www-xml-canonicalization-comments/" shape="rect">public archive</a>).</p>
<p>Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.</p>
<p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/" shape="rect">5 February 2004 W3C Patent Policy</a>. W3C maintains a <a rel="disclosure" href="http://www.w3.org/2002/08/xmlcore-IPR-statements">public list of
any patent disclosures</a> made in connection with the deliverables of
the group; that page also includes instructions for disclosing a
patent. An individual who has actual knowledge of a patent which the
individual believes contains <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential
Claim(s)</a> must disclose the information in accordance with <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section
6 of the W3C Patent Policy</a>.</p>
</div>
<hr><div class="toc">
<h2><a name="contents">Table of Contents</a></h2><p class="toc">1. <a href="#Overview">Overview</a><br>2. <a href="#c14n11">Use of Canonical XML 1.1 with XML Signatures</a><br> 2.1 <a href="#changeuri">Use Canonical XML 1.1 Instead Of Canonical XML 1.0</a><br> 2.2 <a href="#implicit">Explicitly Canonicalize All Node-Sets</a><br>3. <a href="#Algorithms">Algorithm Identifiers</a><br>4. <a href="#Ref">References</a><br>5. <a href="#Ack">Acknowledgments</a><br></p>
</div><hr><div class="body">
<div class="div1">
<h2><a name="Overview"></a>1. Overview</h2>
<p>This technical note describes how to use the XML Digital
Signature Recommendation [<a href="#XMLDSIG">XMLDSIG</a>] in a way
consistent with the present (fall 2006) XML environment. In
particular, this note takes into account the recent xml:id Version
1.0 [<a href="#XMLID">XMLID</a>] Recommendation, and work in
progress towards a Canonical XML 1.1
[<a href="#C14N11">C14N11</a>] Recommendation.</p>
<p>This note suggests constraints on the use of XML Digital
Signature, and relies on extension points present in the XML Digital
Signature Recommendation. This note does not override any aspect of
that Recommendation.</p>
</div>
<div class="div1">
<h2><a name="c14n11"></a>2. Use of Canonical XML 1.1 with XML Signatures</h2>
<p>
Canonical XML 1.1 [<a href="#C14N11">C14N11</a>] revisits
assumptions that were made in the original Canonical XML specification [<a href="#C14N10">C14N10</a>] and have subsequently been
invalidated by further developments in the XML area. In
particular, the transformations specified in [<a href="#C14N11">C14N11</a>] can be safely applied in the presence
of attributes such as <code>xml:id</code> [<a href="#XMLID">XMLID</a>] and
<code>xml:base</code> [<a href="#XMLBASE">XMLBASE</a>].
</p>
<div class="div2">
<h3><a name="changeuri"></a>2.1 Use Canonical XML 1.1 Instead Of Canonical XML 1.0</h3>
<p>
Implementations MUST NOT apply the Canonical XML 1.0
transformations to node-sets that contain <code>xml:id</code> or
<code>xml:base</code> attributes. Implementations SHOULD apply
Canonical XML 1.1 to such node-sets.
</p>
<p>
Where canonicalization algorithms are identified by URI, the
Canonical XML 1.1 algorithms SHOULD be identified using the
algorithm URIs defined in <a href="#Algorithms">section 3</a> of
this note.
</p>
</div>
<div class="div2">
<h3><a name="implicit"></a>2.2 Explicitly Canonicalize All Node-Sets</h3>
<p>
The Reference Processing Model (<a href="http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel">section
4.3.3.2</a> of [<a href="#XMLDSIG">XMLDSIG</a>]) requires use of
the Canonical XML algorithm if a data object is a node set and
the next transform requires octets.
</p>
<p>
When constructing the chain of transforms that is applied to a
given data object, implementations MUST NOT rely on this default
algorithm to convert node-sets to octet streams. Instead,
implementations SHOULD:
</p>
<ul>
<li>
add an explicit <code>&lt;ds:Transform&gt;</code> element
referencing <code>http://www.w3.org/2006/12/xml-c14n11</code> before each
<code>Transform</code> that expects an octet-stream, but is
applied to a node-set;
</li>
<li>
add an explicit <code>&lt;ds:Transform&gt;</code> element
referencing <code>http://www.w3.org/2006/12/xml-c14n11</code> as the final
<code>Transform</code>, if the last transformation generates a
node-set.
</li>
</ul>
<p>
Implementations MAY apply other transformation algorithms that
convert node-sets to octet streams.
</p>
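<p>
The checks in sections 2.1 and 2.2, as an added example (not part of this note or of any W3C code): a Python lint pass that tracks node-set versus octet-stream state along each <code>ds:Reference</code> transform chain. The Canonical XML 1.0, enveloped-signature, XPath and XSLT URIs are the identifiers defined in [<a href="#XMLDSIG">XMLDSIG</a>]; treating any <code>xml:id</code> or <code>xml:base</code> attribute anywhere in the document as ruling out Canonical XML 1.0 is a simplifying assumption, and the sample document is constructed.
</p>

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XMLNS = "{http://www.w3.org/XML/1998/namespace}"
C14N10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C14N11 = "http://www.w3.org/2006/12/xml-c14n11"
# Transform URI -> (input it expects, output it produces); "any" accepts both.
IO = {
    C14N10: ("any", "octets"), C14N10 + "#WithComments": ("any", "octets"),
    C14N11: ("any", "octets"), C14N11 + "#WithComments": ("any", "octets"),
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature": ("nodes", "nodes"),
    "http://www.w3.org/TR/1999/REC-xpath-19991116": ("nodes", "nodes"),
    "http://www.w3.org/TR/1999/REC-xslt-19991116": ("octets", "octets"),
}

def lint(xml_text):
    """Return findings for sections 2.1 and 2.2 of the note."""
    root = ET.fromstring(xml_text)
    findings = []
    # 2.1 (simplified assumption): any xml:id / xml:base rules out C14N 1.0.
    sensitive = any(XMLNS + a in el.attrib for el in root.iter() for a in ("id", "base"))
    for el in root.iter():
        if el.tag in (DS + "Transform", DS + "CanonicalizationMethod"):
            if sensitive and el.get("Algorithm", "").startswith(C14N10):
                findings.append("2.1: Canonical XML 1.0 used with xml:id/xml:base present")
    # 2.2: track whether the data is a node-set or octets along each chain.
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")  # a missing URI is treated as same-document here
        state = "nodes" if uri == "" or uri.startswith("#") else "octets"
        for t in ref.iter(DS + "Transform"):
            want, out = IO.get(t.get("Algorithm"), ("any", state))
            if want == "octets" and state == "nodes":
                findings.append(f"2.2: {uri!r}: implicit c14n before {t.get('Algorithm')}")
            state = out
        if state == "nodes":
            findings.append(f"2.2: {uri!r}: chain ends in a node-set, no explicit c14n")
    return findings

# Constructed sample: enveloped signature skeleton (digest and signature values omitted).
SAMPLE = """<doc xml:id="d1"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="%s"/>
<ds:Reference URI="#d1"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>%s
</ds:Transforms></ds:Reference>
</ds:SignedInfo></ds:Signature></doc>"""
WEAK = SAMPLE % (C14N10, "")  # relies on the default and on Canonical XML 1.0
FIXED = SAMPLE % (C14N11, '<ds:Transform Algorithm="%s"/>' % C14N11)
```

<p>
<code>lint(WEAK)</code> reports one finding for each section; <code>lint(FIXED)</code> reports none.
</p>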
</div>
</div>
<div class="div1">
<h2><a name="Algorithms"></a>3. Algorithm Identifiers</h2>
<p>
This section identifies additional algorithms used with the XML
digital signature specification.
</p>
<p>
Algorithms are identified by URIs that appear as an attribute to
the element that identifies the algorithms' role
(<code>DigestMethod</code>, <code>Transform</code>,
<code>SignatureMethod</code>, or
<code>CanonicalizationMethod</code>).
</p>
<dl>
<dt class="label">Identifiers</dt>
<dd>Canonical XML 1.1 (omits comments)<br>
<a href="http://www.w3.org/2006/12/xml-c14n11">http://www.w3.org/2006/12/xml-c14n11</a></dd>
<dd>Canonical XML 1.1 with comments<br>
<a href="http://www.w3.org/2006/12/xml-c14n11#WithComments">http://www.w3.org/2006/12/xml-c14n11#WithComments</a></dd>
</dl>
<p>
The specification of Canonical XML 1.1 is [<a href="#C14N11">C14N11</a>]. The algorithm is capable of taking as
input either an octet stream or an XPath node-set (or sufficiently
functional alternative). The algorithm produces an octet stream as
output. Canonical XML 1.1 is easily parameterized (via an additional
URI) to omit or retain comments.
</p>
</div>
<div class="div1">
<h2><a name="Ref"></a>4. References</h2>
<dl>
<dt class="label"><a name="C14N10"></a>[C14N10] </dt><dd>
<a href="http://www.w3.org/TR/xml-c14n"><cite>Canonical XML
Version 1.0</cite></a>, J. Boyer. W3C Recommendation, 15 March 2001,
<a href="http://www.w3.org/TR/xml-c14n">http://www.w3.org/TR/xml-c14n</a>
(<a href="http://www.w3.org/2001/03/C14N-errata">Errata</a>).
</dd>
<dt class="label"><a name="C14N11"></a>[C14N11] </dt><dd>
<a href="http://www.w3.org/TR/2006/WD-xml-c14n11-20061220/"><cite>Canonical XML
Version 1.1</cite></a>, J. Boyer, G. Marcy. Working Draft, 20 December 2006,
<a href="http://www.w3.org/TR/2006/WD-xml-c14n11-20061220/">http://www.w3.org/TR/2006/WD-xml-c14n11-20061220/</a>
(<a href="http://www.w3.org/2001/03/C14N-errata">Errata</a>).
</dd>
<dt class="label"><a name="C14NNOTE"></a>[C14NNOTE] </dt><dd>
<a href="http://www.w3.org/TR/2006/NOTE-C14N-issues-20061220/"><cite>Known
Issues with Canonical XML 1.0</cite></a>, J. Kahan, K. Lanz. W3C
Working Group Note, 20 December 2006, <a href="http://www.w3.org/TR/2006/NOTE-C14N-issues-20061220/">http://www.w3.org/TR/2006/NOTE-C14N-issues-20061220/</a>
</dd>
<dt class="label"><a name="XMLBASE"></a>[XMLBASE] </dt><dd>
<a href="http://www.w3.org/TR/2001/REC-xmlbase-20010627/"><cite>XML Base
</cite></a>, J. Marsh. W3C Recommendation, 27 June 2001,
<a href="http://www.w3.org/TR/xmlbase/">http://www.w3.org/TR/xmlbase/</a>.
</dd>
<dt class="label"><a name="XMLID"></a>[XMLID] </dt><dd>
<a href="http://www.w3.org/TR/xml-id/"><cite>xml:id Version 1.0
</cite></a>, J. Marsh, D. Veillard, N. Walsh. W3C Recommendation, 9 September 2005,
<a href="http://www.w3.org/TR/xml-id/">http://www.w3.org/TR/xml-id/</a>.
</dd>
<dt class="label"><a name="XMLDSIG"></a>[XMLDSIG] </dt><dd><a href="http://www.w3.org/TR/xmldsig-core/"><cite>XML-Signature Syntax and
Processing</cite></a>, D. Eastlake, J. R., D. Solo, M. Bartel,
J. Boyer, B. Fox, E. Simon. W3C Recommendation, 12 February
2002, <a href="http://www.w3.org/TR/xmldsig-core/">http://www.w3.org/TR/xmldsig-core/</a>.
</dd>
</dl>
</div>
<div class="div1">
<h2><a name="Ack"></a>5. Acknowledgments</h2>
<p>
This note is based on input from John Boyer, Roy Fielding,
Philippe Le Hegaret, José Kahan, Konrad Lanz, Larry Masinter, Henry
Thompson, the members of the XML Core Working Group, and the members
of the xml-dsig mailing list.
</p>
</div>
</div>
<div class="back">
</div>
</body></html>