New XML Signature draft offers alternate algorithm
17:22, 29 Apr 2002 UTC | Simon St.Laurent

The W3C and IETF have published XML-Signature XPath Filter 2.0, which offers "a new XML Signature transform to facilitate the development of efficient document subsetting technologies that interoperate under similar performance profiles."

This new specification:

"describes a new signature filter transform that, like the XPath transform, provides a method for computing a portion of a document to be signed. In the interest of simplifying the creation of efficient implementations, the architecture of this transform is not based on evaluating an XPath expression for every node of the XML parse tree (as defined by the XPath data model). Instead, the XPath expression in this transform is used to identify a set of nodes that, along with all nodes having an ancestor in the identified set, is used to transform the input node set by set intersection, subtraction, or union."

It also appears to be designed with envelope strategies in mind:

"Consider the motivating scenario where an application wishes to affix two enveloped signatures to the document; any other change to the document must cause the signatures to be invalid. When the application creates the first signature that signature is automatically omitted from its own digest calculations. However, it will also be necessary to exclude the subsequent (second) signature element from the digest calculations of the first signature. This specification can be used to efficiently satisfy this requirement using the set subtraction operation."
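
The subtree-expansion and set-subtraction behaviour quoted above, as an added sketch that is not code from the specification or the working group. It assumes an element-only node set, ElementTree's limited path syntax in place of full XPath, and a simplified serialization in place of canonicalization; the function names and the sample document are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Signature namespace

def subtree(elems):
    """Selected nodes plus every node that has one of them as an ancestor."""
    return {d for e in elems for d in e.iter()}

def apply_filters(root, filters):
    """Fold (operation, path) filters over the input node set (elements only)."""
    nodes = subtree([root])  # input node set: the whole document
    for op, path in filters:
        selected = subtree(root.findall(path))
        if op == "intersect":
            nodes &= selected
        elif op == "subtract":
            nodes -= selected
        elif op == "union":
            nodes |= selected
        else:
            raise ValueError(f"unknown filter operation: {op}")
    return nodes

def digest(root, filters):
    """SHA-256 over the kept elements in document order (stand-in for C14N)."""
    keep = apply_filters(root, filters)
    h = hashlib.sha256()
    for e in root.iter():
        if e in keep:
            record = (e.tag, sorted(e.attrib.items()), (e.text or "").strip())
            h.update(repr(record).encode())
    return h.hexdigest()

# Filter used by each enveloped signature: drop every Signature subtree.
SUBTRACT_SIGS = [("subtract", f".//{DS}Signature")]

def sample(body, signatures):
    """Constructed sample: an order carrying N enveloped ds:Signature elements."""
    sigs = "".join(
        f'<ds:Signature Id="sig{i}"><ds:SignatureValue>constructed{i}'
        f"</ds:SignatureValue></ds:Signature>"
        for i in range(1, signatures + 1))
    return ET.fromstring(
        '<order xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f"<item>{body}</item>{sigs}</order>")
```

With the subtraction filter, the digest computed for the first signature is unchanged when the second signature is affixed, while a change to any other element changes it.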

The working group appears to be planning to move quickly: "We hope to move to and through Last Call and then Candidate Recommendation very quickly." Comments may be sent to w3c-ietf-xmldsig@w3.org.

xmlhack: developer news from the XML community