Tech-invite3GPPspecsGlossariesIETFRFCsGroupsSIPABNFsWorld Map

RFC 3075


XML-Signature Syntax and Processing

Part 3 of 3, p. 44 to 64
Prev RFC Part


prevText      Top       Page 44 
6.6 Transform Algorithms

   A Transform algorithm has a single implicit parameters: an octet
   stream from the Reference or the output of an earlier Transform.

   Application developers are strongly encouraged to support all
   transforms listed in this section as RECOMMENDED unless the
   application environment has resource constraints that would make such
   support impractical.  Compliance with this recommendation will
   maximize application interoperability and libraries should be
   available to enable support of these transforms in applications
   without extensive development.

6.6.1 Canonicalization

   Any canonicalization algorithm that can be used for
   CanonicalizationMethod (such as those in  Canonicalization Algorithms
   (section 6.5)) can be used as a Transform.

6.6.2 Base64


   The normative specification for base 64 decoding transforms is
   [MIME].  The base64 Transform element has no content.  The input is
   decoded by the algorithms.  This transform is useful if an
   application needs to sign the raw data associated with the encoded
   content of an element.

   This transform requires an octet stream for input.  If an XPath
   node-set (or sufficiently functional alternative) is given as input,
   then it is converted to an octet stream by performing operations
   logically equivalent to 1) applying an XPath transform with
   expression self::text(), then 2) taking the string-value of the
   node-set.  Thus, if an XML element is identified by a barename
   XPointer in the Reference URI, and its content consists solely of
   base64 encoded character data, then this transform automatically

Top       Page 45 
   strips away the start and end tags of the identified element and any
   of its descendant elements as well as any descendant comments and
   processing instructions.  The output of this transform is an octet

6.6.3 XPath Filtering


   The normative specification for XPath expression evaluation is
   [XPath].  The XPath expression to be evaluated appears as the
   character content of a transform parameter child element named XPath.

   The input required by this transform is an XPath node-set.  Note that
   if the actual input is an XPath node-set resulting from a null URI or
   barename XPointer dereference, then comment nodes will have been
   omitted.  If the actual input is an octet stream, then the
   application MUST convert the octet stream to an XPath node-set
   suitable for use by Canonical XML with Comments (a subsequent
   application of the REQUIRED Canonical XML algorithm would strip away
   these comments).  In other words, the input node-set should be
   equivalent to the one that would be created by the following process:

   1. Initialize an XPath evaluation context by setting the initial node
      equal to the input XML document's root node, and set the context
      position and size to 1.
   2. Evaluate the XPath expression (//. | //@* | //namespace::*)

   The evaluation of this expression includes all of the document's
   nodes (including comments) in the node-set representing the octet

   The transform output is also an XPath node-set.  The XPath expression
   appearing in the XPath parameter is evaluated once for each node in
   the input node-set.  The result is converted to a boolean.  If the
   boolean is true, then the node is included in the output node-set.
   If the boolean is false, then the node is omitted from the output

   Note: Even if the input node-set has had comments removed, the
   comment nodes still exist in the underlying parse tree and can
   separate text nodes.  For example, the markup <e>Hello, <!-- comment
   --> world!</e> contains two text nodes.  Therefore, the expression
   self::text()[string()="Hello, world!"] would fail.  Should this
   problem arise in the application, it can be solved by either
   canonicalizing the document before the XPath transform to physically

Top       Page 46 
   remove the comments or by matching the node based on the parent
   element's string value (e.g., by using the expression
   self::text()[string(parent::e)="Hello, world!"]).

   The primary purpose of this transform is to ensure that only
   specifically defined changes to the input XML document are permitted
   after the signature is affixed.  This is done by omitting precisely
   those nodes that are allowed to change once the signature is affixed,
   and including all other input nodes in the output.  It is the
   responsibility of the XPath expression author to include all nodes
   whose change could affect the interpretation of the transform output
   in the application context.

   An important scenario would be a document requiring two enveloped
   signatures.  Each signature must omit itself from its own digest
   calculations, but it is also necessary to exclude the second
   signature element from the digest calculations of the first signature
   so that adding the second signature does not break the first

   The XPath transform establishes the following evaluation context for
   each node of the input node-set:

      *  A context node equal to a node of the input node-set.
      *  A context position, initialized to 1.
      *  A context size, initialized to 1.
      *  A library of functions equal to the function set defined in
         XPath plus a function named here.
      *  A set of variable bindings.  No means for initializing these is
         defined.  Thus, the set of variable bindings used when
         evaluating the XPath expression is empty, and use of a variable
         reference in the XPath expression results in an error.
      *  The set of namespace declarations in scope for the XPath

   As a result of the context node setting, the XPath expressions
   appearing in this transform will be quite similar to those used in
   used in [XSLT], except that the size and position are always 1 to
   reflect the fact that the transform is automatically visiting every
   node (in XSLT, one recursively calls the command apply-templates to
   visit the nodes of the input tree).

   The function here() is defined as follows:

   Function: node-set here()

   The here function returns a node-set containing the attribute or
   processing instruction node or the parent element of the text node

Top       Page 47 
   that directly bears the XPath expression.  This expression results in
   an error if the containing XPath expression does not appear in the
   same XML document against which the XPath expression is being

   Note: The function definition for here() is intended to be consistent
   with its definition in XPointer.  However, some minor differences are
   presently being discussed between the Working Groups.

   As an example, consider creating an enveloped signature (a Signature
   element that is a descendant of an element being signed).  Although
   the signed content should not be changed after signing, the elements
   within the Signature element are changing (e.g., the digest value
   must be put inside the DigestValue and the SignatureValue must be
   subsequently calculated).  One way to prevent these changes from
   invalidating the digest value in DigestValue is to add an XPath
   Transform that omits all Signature elements and their descendants.
   For example,

   <Signature xmlns="&dsig;">
       <Reference URI="">
             <XPath xmlns:dsig="&dsig;">

   Due to the null Reference URI in this example, the XPath transform
   input node-set contains all nodes in the entire parse tree starting
   at the root node (except the comment nodes).  For each node in this
   node-set, the node is included in the output node-set except if the
   node or one of its ancestors has a tag of Signature that is in the
   namespace given by the replacement text for the entity &dsig;.

Top       Page 48 
   A more elegant solution uses the here function to omit only the
   Signature containing the XPath Transform, thus allowing enveloped
   signatures to sign other signatures.  In the example above, use the
   XPath element:

      <XPath xmlns:dsig="&dsig;">
      count(ancestor-or-self::dsig:Signature |
      here()/ancestor::dsig:Signature[1]) >

   Since the XPath equality operator converts node sets to string values
   before comparison, we must instead use the XPath union operator (|).
   For each node of the document, the predicate expression is true if
   and only if the node-set containing the node and its Signature
   element ancestors does not include the enveloped Signature element
   containing the XPath expression (the union does not produce a larger
   set if the enveloped Signature element is in the node-set given by

6.6.4 Enveloped Signature Transform


   An enveloped signature transform T removes the whole Signature
   element containing T from the digest calculation of the Reference
   element containing T.  The entire string of characters used by an XML
   processor to match the Signature with the XML production element is
   removed.  The output of the transform is equivalent to the output
   that would result from replacing T with an XPath transform containing
   the following XPath parameter element:

      <XPath xmlns:dsig="&dsig;">
      count(ancestor-or-self::dsig:Signature |
      here()/ancestor::dsig:Signature[1]) >

   The input and output requirements of this transform are identical to
   those of the XPath transform.  Note that it is not necessary to use
   an XPath expression evaluator to create this transform.  However,
   this transform MUST produce output in exactly the same manner as the
   XPath transform parameterized by the XPath expression above.

6.6.5 XSLT Transform


Top       Page 49 
   The normative specification for XSL Transformations is [XSLT].  The
   XSL style sheet or transform to be evaluated appears as the character
   content of a transform parameter child element named XSLT.  The root
   element of a XSLT style sheet SHOULD be <xsl:stylesheet>.

   This transform requires an octet stream as input.  If the actual
   input is an XPath node-set, then the signature application should
   attempt to covert it to octets (apply Canonical XML]) as described in
   the Reference Processing Model (section

   The output of this transform is an octet stream.  The processing
   rules for the XSL style sheet or transform element are stated in the
   XSLT specification [XSLT].  We RECOMMEND that XSLT transformauthors
   use an output method of xml for XML and HTML.  As XSLT
   implementations do not produce consistent serializations of their
   output, we further RECOMMEND inserting a transformafter the XSLT
   transformto perform canonicalize the output.  These steps will help
   to ensure interoperability of the resulting signatures among
   applications that support the XSLT transform.  Note that if the
   output is actually HTML, then the result of these steps is logically
   equivalent [XHTML].

7.0 XML Canonicalization and Syntax Constraint Considerations

   Digital signatures only work if the verification calculations are
   performed on exactly the same bits as the signing calculations.  If
   the surface representation of the signed data can change between
   signing and verification, then some way to standardize the changeable
   aspect must be used before signing and verification.  For example,
   even for simple ASCII text there are at least three widely used line
   ending sequences.  If it is possible for signed text to be modified
   from one line ending convention to another between the time of
   signing and signature verification, then the line endings need to be
   canonicalized to a standard form before signing and verification or
   the signatures will break.

   XML is subject to surface representation changes and to processing
   which discards some surface information.  For this reason, XML
   digital signatures have a provision for indicating canonicalization
   methods in the signature so that a verifier can use the same
   canonicalization as the signer.

   Throughout this specification we distinguish between the
   canonicalization of a Signature element and other signed XML data
   objects.  It is possible for an isolated XML document to be treated
   as if it were binary data so that no changes can occur.  In that
   case, the digest of the document will not change and it need not be
   canonicalized if it is signed and verified as such.  However, XML

Top       Page 50 
   that is read and processed using standard XML parsing and processing
   techniques is frequently changed such that some of its surface
   representation information is lost or modified.  In particular, this
   will occur in many cases for the Signature and enclosed SignedInfo
   elements since they, and possibly an encompassing XML document, will
   be processed as XML.

   Similarly, these considerations apply to Manifest, Object, and
   SignatureProperties elements if those elements have been digested,
   their DigestValue is to be checked, and they are being processed as

   The kinds of changes in XML that may need to be canonicalized can be
   divided into three categories.  There are those related to the basic
   [XML], as described in 7.1 below.  There are those related to [DOM],
   [SAX], or similar processing as described in 7.2 below.  And, third,
   there is the possibility of coded character set conversion, such as
   between UTF-8 and UTF-16, both of which all [XML] compliant
   processors are required to support.

   Any canonicalization algorithm should yield output in a specific
   fixed coded character set.  For both the minimal canonicalization
   defined in this specification and Canonical XML [XML-C14N] that coded
   character set is UTF-8 (without a byte order mark (BOM)).Neither the
   minimal canonicalization nor the Canonical XML [XML-C14N] algorithms
   provide character normalization.  We RECOMMEND that signature
   applications create XML content (Signature elements and their
   descendents/content) in Normalization Form C [NFC] and check that any
   XML being consumed is in that form as well (if not, signatures may
   consequently fail to validate).  Additionally, none of these
   algorithms provide data type normalization.  Applications that
   normalize data types in varying formats (e.g., (true, false) or
   (1,0)) may not be able to validate each other's signatures.

7.1 XML 1.0, Syntax Constraints, and Canonicalization

   XML 1.0 [XML] defines an interface where a conformant application
   reading XML is given certain information from that XML and not other
   information.  In particular,

   1. line endings are normalized to the single character #xA by
      dropping #xD characters if they are immediately followed by a #xA
      and replacing them with #xA in all other cases,
   2. missing attributes declared to have default values are provided to
      the application as if present with the default value,
   3. character references are replaced with the corresponding

Top       Page 51 
   4. entity references are replaced with the corresponding declared
   5. attribute values are normalized by
      A. replacing character and entity references as above,
      B. replacing occurrences of #x9, #xA, and #xD with #x20 (space)
         except that the sequence #xD#xA is replaced by a single space,

      C. if the attribute is not declared to be CDATA, stripping all
         leading and trailing spaces and replacing all interior runs of
         spaces with a single space.

   Note that items (2), (4), and (5C) depend on the presence of a
   schema, DTD or similar declarations.  The Signature element type is
   laxly schema valid [XML-schema], consequently external XML or even
   XML within the same document as the signature may be (only) well
   formed or from another namespace (where permitted by the signature
   schema); the noted items may not be present.  Thus, a signature with
   such content will only be verifiable by other signature applications
   if the following syntax constraints are observed when generating any
   signed material including the SignedInfo element:

   1. attributes having default values be explicitly present,
   2. all entity references (except "amp", "lt", "gt", "apos", "quot",
      and other character entities not representable in the encoding
      chosen) be expanded,
   3. attribute value white space be normalized

7.2 DOM/SAX Processing and Canonicalization

   In addition to the canonicalization and syntax constraints discussed
   above, many XML applications use the Document Object Model [DOM] or
   The Simple API for XML [SAX].  DOM maps XML into a tree structure of
   nodes and typically assumes it will be used on an entire document
   with subsequent processing being done on this tree.  SAX converts XML
   into a series of events such as a start tag, content, etc.  In either
   case, many surface characteristics such as the ordering of attributes
   and insignificant white space within start/end tags is lost.  In
   addition, namespace declarations are mapped over the nodes to which
   they apply, losing the namespace prefixes in the source text and, in
   most cases, losing where namespace declarations appeared in the
   original instance.

   If an XML Signature is to be produced or verified on a system using
   the DOM or SAX processing, a canonical method is needed to serialize
   the relevant part of a DOM tree or sequence of SAX events.  XML
   canonicalization specifications, such as [XML-C14N], are based only
   on information which is preserved by DOM and SAX.  For an XML

Top       Page 52 
   Signature to be verifiable by an implementation using DOM or SAX, not
   only must the XML1.0 syntax constraints given in the previous section
   be followed but an appropriate XML canonicalization MUST be specified
   so that the verifier can re-serialize DOM/SAX mediated input into the
   same octect stream that was signed.

8.0 Security Considerations

   The XML Signature specification provides a very flexible digital
   signature mechanism.  Implementors must give consideration to their
   application threat models and to the following factors.

8.1 Transforms

   A requirement of this specification is to permit signatures to "apply
   to a part or totality of a XML document." (See [XML-Signature-RD,
   section 3.1.3].)  The Transforms mechanism meets this requirement by
   permitting one to sign data derived from processing the content of
   the identified resource.  For instance, applications that wish to
   sign a form, but permit users to enter limited field data without
   invalidating a previous signature on the form might use [XPath] to
   exclude those portions the user needs to change.  Transforms may be
   arbitrarily specified and may include encoding transforms,
   canonicalization instructions or even XSLT transformations.  Three
   cautions are raised with respect to this feature in the following

   Note, core validation behavior does not confirm that the signed data
   was obtained by applying each step of the indicated transforms.
   (Though it does check that the digest of the resulting content
   matches that specified in the signature.)  For example, some
   application may be satisfied with verifying an XML signature over a
   cached copy of already transformed data.  Other applications might
   require that content be freshly dereferenced and transformed.

8.1.1 Only What is Signed is Secure

   First, obviously, signatures over a transformed document do not
   secure any information discarded by transforms: only what is signed
   is secure.

   Note that the use of Canonical  XML [XML-C14N] ensures that all
   internal entities and XML namespaces are expanded within the content
   being signed.  All entities are replaced with their definitions and
   the canonical form explicitly represents the namespace that an
   element would otherwise inherit.  Applications that do not
   canonicalize XML content (especially the SignedInfo element) SHOULD

Top       Page 53 
   NOT use internal entities and SHOULD represent the namespace
   explicitly within the content being signed since they can not rely
   upon canonicalization to do this for them.

8.1.2 Only What is "Seen" Should be Signed

   Additionally, the signature secures any information introduced by the
   transform: only what is "seen" (that which is represented to the user
   via visual, auditory or other media) should be signed.  If signing is
   intended to convey the judgment or consent of a user (an automated
   mechanism or person), then it is normally necessary to secure as
   exactly as practical the information that was presented to that user.
   Note that this can be accomplished by literally signing what was
   presented, such as the screen images shown a user.  However, this may
   result in data which is difficult for subsequent software to
   manipulate.  Instead, one can sign the data along with whatever
   filters, style sheets, client profile or other information that
   affects its presentation.

8.1.3 "See" What is Signed

   Just as a user should only sign what it "sees," persons and automated
   mechanisms that trust the validity of a transformed document on the
   basis of a valid signature should operate over the data that was
   transformed (including canonicalization) and signed, not the original
   pre-transformed data.  This recommendation applies to transforms
   specified within the signature as well as those included as part of
   the document itself.  For instance, if an XML document includes an
   embedded style sheet [XSLT] it is the transformed document that that
   should be represented to the user and signed.  To meet this
   recommendation where a document references an external style sheet,
   the content of that external resource should also be signed as via a
   signature Reference -- otherwise the content of that external content
   might change which alters the resulting document without invalidating
   the signature.

   Some applications might operate over the original or intermediary
   data but should be extremely careful about potential weaknesses
   introduced between the original and transformed data.  This is a
   trust decision about the character and meaning of the transforms that
   an application needs to make with caution.  Consider a
   canonicalization algorithm that normalizes character case (lower to
   upper) or character composition ('e and accent' to 'accented-e').  An
   adversary could introduce changes that are normalized and
   consequently inconsequential to signature validity but material to a
   DOM processor.  For instance, by changing the case of a character one
   might influence the result of an XPath selection.  A serious risk is
   introduced if that change is normalized for signature validation but

Top       Page 54 
   the processor operates over the original data and returns a different
   result than intended.  Consequently, while we RECOMMEND all documents
   operated upon and generated by signature applications be in [NFC]
   (otherwise intermediate processors might unintentionally break the
   signature) encoding normalizations SHOULD NOT be done as part of a
   signature transform, or (to state it another way) if normalization
   does occur, the application SHOULD always "see" (operate over) the
   normalized form.

8.2 Check the Security Model

   This specification uses public key signatures and keyed hash
   authentication codes.  These have substantially different security
   models.  Furthermore, it permits user specified algorithms which may
   have other models.

   With public key signatures, any number of parties can hold the public
   key and verify signatures while only the parties with the private key
   can create signatures.  The number of holders of the private key
   should be minimized and preferably be one.  Confidence by verifiers
   in the public key they are using and its binding to the entity or
   capabilities represented by the corresponding private key is an
   important issue, usually addressed by certificate or online authority

   Keyed hash authentication codes, based on secret keys, are typically
   much more efficient in terms of the computational effort required but
   have the characteristic that all verifiers need to have possession of
   the same key as the signer.  Thus any verifier can forge signatures.

   This specification permits user provided signature algorithms and
   keying information designators.  Such user provided algorithms may
   have different security models.  For example, methods involving
   biometrics usually depend on a physical characteristic of the
   authorized user that can not be changed the way public or secret keys
   can be and may have other security model differences.

8.3 Algorithms, Key Lengths, Certificates, Etc.

   The strength of a particular signature depends on all links in the
   security chain.  This includes the signature and digest algorithms
   used, the strength of the key generation [RANDOM] and the size of the
   key, the security of key and certificate authentication and
   distribution mechanisms, certificate chain validation policy,
   protection of cryptographic processing from hostile observation and
   tampering, etc.

Top       Page 55 
   Care must be exercised by applications in executing the various
   algorithms that may be specified in an XML signature and in the
   processing of any "executable content" that might be provided to such
   algorithms as parameters, such as XSLT transforms.  The algorithms
   specified in this document will usually be implemented via a trusted
   library but even there perverse parameters might cause unacceptable
   processing or memory demand.  Even more care may be warranted with
   application defined algorithms.

   The security of an overall system will also depend on the security
   and integrity of its operating procedures, its personnel, and on the
   administrative enforcement of those procedures.  All the factors
   listed in this section are important to the overall security of a
   system; however, most are beyond the scope of this specification.

9.0 Schema, DTD, Data Model, and Valid Examples

   XML Signature Schema Instance
           core-schema.xsd   Valid XML schema instance based on the
         20000922 Schema/DTD [XML-Schema].

   XML Signature DTD

   RDF Data Model

   XML Signature Object Example
           example.xml   A cryptographical invalid XML example that
         includes foreign content and validates under the schema.  (It
         validates under the DTD when the foreign content is removed or
         the DTD is modified accordingly).

   RSA XML Signature Example
         An XML Signature example with generated cryptographic values by
            Merlin Hughes and validated by Gregor Karlinger.

   DSA XML Signature Example
           example-dsa.xml   Similar to above but uses DSA.

Top       Page 56 
10.0 Definitions

   Authentication Code
         A value generated from the application of a shared key to a
         message via a cryptographic algorithm such that it has the
         properties of message authentication (integrity) but not signer

   Authentication, Message
         "A signature should identify what is signed, making it
         impracticable to falsify or alter either the signed matter or
         the signature without detection." [Digital Signature
         Guidelines, ABA]

   Authentication, Signer
         "A signature should indicate who signed a document, message or
         record, and should be difficult for another person to produce
         without authorization." [Digital Signature Guidelines, ABA]

         The syntax and processing defined by this specification,
         including core validation.  We use this term to distinguish
         other markup, processing, and applications semantics from our

   Data Object (Content/Document)
         The actual binary/octet data being operated on (transformed,
         digested, or signed) by an application -- frequently an HTTP
         entity [HTTP].  Note that the proper noun Object designates a
         specific XML element.  Occasionally we refer to a data object
         as a document or as a resource's content.  The term element
         content is used to describe the data between XML start and end
         tags [XML].  The term XML document is used to describe data
         objects which conform to the XML specification [XML].

         The inability to change a message without also changing the
         signature value.  See message authentication.

         An XML Signature element wherein arbitrary (non-core) data may
         be placed.  An Object element is merely one type of digital
         data (or document) that can be signed via a Reference.

         "A resource can be anything that has identity.  Familiar
         examples include an electronic document, an image, a service
         (e.g., 'today's weather report for Los Angeles'), and a

Top       Page 57 
         collection of other resources....  The resource is the
         conceptual mapping to an entity or set of entities, not
         necessarily the entity which corresponds to that mapping at any
         particular instance in time.  Thus, a resource can remain
         constant even when its content---the entities to which it
         currently corresponds---changes over time, provided that the
         conceptual mapping is not changed in the process." [URI] In
         order to avoid a collision of the term entity within the URI
         and XML specifications, we use the term data object, content or
         document to refer to the actual bits being operated upon.

         Formally speaking, a value generated from the application of a
         private key to a message via a cryptographic algorithm such
         that it has the properties of signer authentication and message
         authentication (integrity).  (However, we sometimes use the
         term signature generically such that it encompasses
         Authentication Code values as well, but we are careful to make
         the distinction when the property of signer authentication is
         relevant to the exposition.)  A signature may be (non-
         exclusively) described as detached, enveloping, or enveloped.

   Signature, Application
         An application that implements the MANDATORY (REQUIRED/MUST)
         portions of this specification; these conformance requirements
         are over the structure of the Signature element type and its
         children (including SignatureValue) and mandatory to support

   Signature, Detached
         The signature is over content external to the Signature
         element, and can be identified via a URI or transform.
         Consequently, the signature is "detached" from the content it
         signs.  This definition typically applies to separate data
         objects, but it also includes the instance where the Signature
         and data object reside within the same XML document but are
         sibling elements.

   Signature, Enveloping
         The signature is over content found within an Object element of
         the signature itself.  The Object(or its content) is identified
         via a Reference (via a URI fragment identifier or transform).

   Signature, Enveloped
         The signature is over the XML content that contains the
         signature as an element.  The content provides the root XML

Top       Page 58 
         document element.  Obviously, enveloped signatures must take
         care not to include their own value in the calculation of the

         The processing of a octet stream from source content to derived
         content.  Typical transforms include XML Canonicalization,
         XPath, and XSLT.

   Validation, Core
         The core processing requirements of this specification
         requiring signature validation and SignedInfo reference

   Validation, Reference
         The hash value of the identified and transformed content,
         specified by Reference, matches its specified DigestValue.

   Validation, Signature
         The SignatureValue matches the result of processing SignedInfo
         with  CanonicalizationMethod and SignatureMethod as specified
         in Core Validation (section 3.2).

   Validation, Trust/Application
         The application determines that the semantics associated with a
         signature are valid.  For example, an application may validate
         the time stamps or the integrity of the signer key -- though
         this behavior is external to this core specification.

11.0 References

   ABA               Digital Signature Guidelines.

   Bourret           Declaring Elements and Attributes in an XML DTD.
                     Ron Bourret.  http://www.informatik.tu-

   DOM               Document Object Model (DOM) Level 1 Specification.
                     W3C Recommendation. V. Apparao, S. Byrne, M.
                     Champion, S. Isaacs, I. Jacobs, A. Le Hors, G.
                     Nicol, J. Robie, R. Sutor, C. Wilson, L. Wood.
                     October 1998.

Top       Page 59 
   DSS               FIPS PUB 186-1. Digital Signature Standard (DSS).
                     U.S. Department of Commerce/National Institute of
                     Standards and Technology.

   HMAC              Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
                     Keyed-Hashing for Message Authentication", RFC
                     2104, February 1997.

   HTTP              Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
                     Masinter, L., Leach, P. and T. Berners-Lee,
                     "Hypertext Transfer Protocol -- HTTP/1.1", RFC
                     2616, June 1999.

   KEYWORDS          Bradner, S., "Key words for use in RFCs to Indicate
                     Requirement Levels", BCP 14, RFC 2119, March 1997.

   LDAP-DN           Wahl, M., Kille, S. and T. Howes, "Lightweight
                     Directory Access Protocol (v3): UTF-8 String
                     Representation of Distinguished Names", RFC 2253,
                     December 1997.

   MD5               Rivest, R., "The MD5 Message-Digest Algorithm", RFC
                     1321, April 1992.

   MIME              Freed, N. and N. Borenstein, "Multipurpose Internet
                     Mail Extensions (MIME) Part One: Format of Internet
                     Message Bodies", RFC 2045, November 1996.

   NFC               TR15. Unicode Normalization Forms. M. Davis, M.
                     Drst. Revision 18: November 1999.

   PGP               Callas, J., Donnerhacke, L., Finney, H. and R.
                     Thayer, "OpenPGP Message Format", November 1998.

   RANDOM            Eastlake, D., Crocker, S. and J. Schiller,
                     "Randomness Recommendations for Security", RFC
                     1750, December 1994.

Top       Page 60 
   RDF               RDF Schema W3C Candidate Recommendation. D.
                     Brickley, R.V. Guha. March 2000.
                     RDF Model and Syntax W3C Recommendation. O.
                     Lassila, R. Swick. February 1999.

   1363              IEEE 1363: Standard Specifications for Public Key
                     Cryptography.  August 2000.

   PKCS1             Kaliski, B. and J. Staddon, "PKCS #1: RSA
                     Cryptography Specifications Version 2.0", RFC 2437,
                     October 1998.

   SAX               SAX: The Simple API for XML David Megginson et. al.
                     May 1998.

   SHA-1             FIPS PUB 180-1. Secure Hash Standard. U.S.
                     Department of Commerce/National Institute of
                     Standards and Technology.

   Unicode           The Unicode Consortium. The Unicode Standard.

   UTF-16            Hoffman, P. and F. Yergeau, "UTF-16, an encoding of
                     ISO 10646", RFC 2781, February 2000.

   UTF-8             Yergeau, F., "UTF-8, a transformation format of ISO
                     10646", RFC 2279, January 1998.

   URI               Berners-Lee, T., Fielding, R. and L. Masinter,
                     "Uniform Resource Identifiers (URI): Generic
                     Syntax", RFC 2396, August 1998.

   URI-Literal       Hinden, R., Carpenter, B. and L. Masinter, "Format
                     for Literal IPv6 Addresses in URL's", RFC 2732,
                     December 1999.

   URL               Berners-Lee, T., Masinter, L. and M. McCahill,
                     "Uniform Resource Locators (URL)", RFC 1738,
                     December 1994.

Top       Page 61 
   URN               Moats, R., "URN Syntax" RFC 2141, May 1997.

                     Daigle, L., van Gulik, D., Iannella, R. and P.
                     Faltstrom, "URN Namespace Definition Mechanisms",
                     RFC 2611, June 1999.

   X509v3            ITU-T Recommendation X.509 version 3 (1997).
                     "Information Technology - Open Systems
                     Interconnection - The Directory Authentication
                     Framework" ISO/IEC 9594-8:1997.

   XHTML 1.0         XHTML(tm) 1.0: The Extensible Hypertext Markup
                     Language Recommendation. S. Pemberton, D. Raggett,
                     et. al. January 2000.

   XLink             XML Linking Language. Working Draft. S. DeRose, D.
                     Orchard, B. Trafford. July 1999.

   XML               Extensible Markup Language (XML) 1.0
                     Recommendation. T. Bray, J. Paoli, C. M. Sperberg-
                     McQueen. February 1998.

   XML-C14N          J. Boyer, "Canonical XML Version 1.0", RFC 3076,
                     September 2000.

   XML-Japanese      XML Japanese Profile. W3C NOTE. M. MURATA April

   XML-MT            Whitehead, E. and M. Murata, "XML Media Types",
                     July 1998.

   XML-ns            Namespaces in XML Recommendation. T. Bray, D.
                     Hollander, A. Layman. Janury 1999.

   XML-schema        XML Schema Part 1: Structures Working Draft. D.
                     Beech, M. Maloney, N. Mendelshohn. September 2000.

Top       Page 62 
                     XML Schema Part 2: Datatypes Working Draft. P.
                     Biron, A. Malhotra. September 2000.

   XML-Signature-RD  Reagle, J., "XML Signature Requirements", RFC 2907,
                     April 2000.

   XPath             XML Path Language (XPath)Version 1.0.
                     Recommendation. J. Clark, S. DeRose. October 1999.

   XPointer          XML Pointer Language (XPointer). Candidate
                     Recommendation. S. DeRose, R. Daniel, E. Maler.

   XSL               Extensible Stylesheet Language (XSL) Working Draft.
                     S. Adler, A. Berglund, J. Caruso, S. Deach, P.
                     Grosso, E. Gutentag, A. Milowski, S. Parnell, J.
                     Richman, S. Zilles. March 2000.

   XSLT              XSL Transforms (XSLT) Version 1.0. Recommendation.
                     J. Clark. November 1999.

Top       Page 63 
12. Authors' Addresses

   Donald E. Eastlake 3rd
   Motorola, Mail Stop: M2-450
   20 Forbes Boulevard
   Mansfield, MA 02048 USA

   Phone: 1-508-261-5434

   Joseph M. Reagle Jr., W3C
   Massachusetts Institute of Technology
   Laboratory for Computer Science
   NE43-350, 545 Technology Square
   Cambridge, MA 02139

   Phone: 1.617.258.7621

   David Solo
   909 Third Ave, 16th Floor
   NY, NY 10043 USA

   Phone: +1-212-559-2900

Top       Page 64 
13. Full Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an


   Funding for the RFC Editor function is currently provided by the
   Internet Society.