Showing content from https://www.rfc-editor.org/rfc/rfc3275.txt below:
Network Working Group D. Eastlake 3rd Request for Comments: 3275 Motorola Obsoletes: 3075 J. Reagle Category: Standards Track W3C D. Solo Citigroup March 2002 (Extensible Markup Language) XML-Signature Syntax and Processing Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (c) 2002 The Internet Society & W3C (MIT, INRIA, Keio), All Rights Reserved. Abstract This document specifies XML (Extensible Markup Language) digital signature processing rules and syntax. XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere. Table of Contents 1. Introduction................................................... 3 1.1 Editorial and Conformance Conventions......................... 4 1.2 Design Philosophy............................................. 4 1.3 Versions, Namespaces and Identifiers.......................... 4 1.4 Acknowledgements.............................................. 6 1.5 W3C Status.................................................... 6 2. Signature Overview and Examples................................ 7 2.1 Simple Example (Signature, SignedInfo, Methods, and References) 8 2.1.1 More on Reference........................................... 9 2.2 Extended Example (Object and SignatureProperty)............... 10 2.3 Extended Example (Object and Manifest)........................ 12 3.0 Processing Rules.............................................. 13 3.1 Core Generation............................................... 13 3.1.1 Reference Generation........................................ 13 Eastlake, et al. Standards Track [Page 1] RFC 3275 XML-Signature Syntax and Processing March 2002 3.1.2 Signature Generation........................................ 13 3.2 Core Validation............................................... 14 3.2.1 Reference Validation........................................ 14 3.2.2 Signature Validation........................................ 15 4.0 Core Signature Syntax......................................... 15 4.0.1 The ds:CryptoBinary Simple Type............................. 17 4.1 The Signature element......................................... 17 4.2 The SignatureValue Element.................................... 18 4.3 The SignedInfo Element........................................ 18 4.3.1 The CanonicalizationMethod Element.......................... 19 4.3.2 The SignatureMethod Element................................. 21 4.3.3 The Reference Element....................................... 21 4.3.3.1 The URI Attribute......................................... 22 4.3.3.2 The Reference Processing Model............................ 23 4.3.3.3 Same-Document URI-References.............................. 25 4.3.3.4 The Transforms Element.................................... 26 4.3.3.5 The DigestMethod Element.................................. 28 4.3.3.6 The DigestValue Element................................... 28 4.4 The KeyInfo Element........................................... 29 4.4.1 The KeyName Element......................................... 31 4.4.2 The KeyValue Element........................................ 31 4.4.2.1 The DSAKeyValue Element................................... 32 4.4.2.2 The RSAKeyValue Element................................... 33 4.4.3 The RetrievalMethod Element................................. 34 4.4.4 The X509Data Element........................................ 35 4.4.5 The PGPData Element......................................... 38 4.4.6 The SPKIData Element........................................ 39 4.4.7 The MgmtData Element........................................ 40 4.5 The Object Element............................................ 40 5.0 Additional Signature Syntax................................... 42 5.1 The Manifest Element.......................................... 42 5.2 The SignatureProperties Element............................... 43 5.3 Processing Instructions in Signature Elements................. 44 5.4 Comments in Signature Elements................................ 44 6.0 Algorithms.................................................... 44 6.1 Algorithm Identifiers and Implementation Requirements......... 44 6.2 Message Digests............................................... 46 6.2.1 SHA-1....................................................... 46 6.3 Message Authentication Codes.................................. 46 6.3.1 HMAC........................................................ 46 6.4 Signature Algorithms.......................................... 47 6.4.1 DSA......................................................... 47 6.4.2 PKCS1 (RSA-SHA1)............................................ 48 6.5 Canonicalization Algorithms................................... 49 6.5.1 Canonical XML............................................... 49 6.6 Transform Algorithms.......................................... 50 6.6.1 Canonicalization............................................ 50 6.6.2 Base64...................................................... 50 Eastlake, et al. Standards Track [Page 2] RFC 3275 XML-Signature Syntax and Processing March 2002 6.6.3 XPath Filtering............................................. 51 6.6.4 Enveloped Signature Transform............................... 54 6.6.5 XSLT Transform.............................................. 54 7. XML Canonicalization and Syntax Constraint Considerations...... 55 7.1 XML 1.0, Syntax Constraints, and Canonicalization............. 56 7.2 DOM/SAX Processing and Canonicalization....................... 57 7.3 Namespace Context and Portable Signatures..................... 58 8.0 Security Considerations....................................... 59 8.1 Transforms.................................................... 59 8.1.1 Only What is Signed is Secure............................... 60 8.1.2 Only What is 'Seen' Should be Signed........................ 60 8.1.3 'See' What is Signed........................................ 61 8.2 Check the Security Model...................................... 62 8.3 Algorithms, Key Lengths, Certificates, Etc.................... 62 9. Schema, DTD, Data Model, and Valid Examples.................... 63 10. Definitions................................................... 63 Appendix: Changes from RFC 3075................................... 67 References........................................................ 67 Authors' Addresses................................................ 72 Full Copyright Statement.......................................... 73 1. Introduction This document specifies XML syntax and processing rules for creating and representing digital signatures. XML Signatures can be applied to any digital content (data object), including XML. An XML Signature may be applied to the content of one or more resources. Enveloped or enveloping signatures are over data within the same XML document as the signature; detached signatures are over data external to the signature element. More specifically, this specification defines an XML signature element type and an XML signature application; conformance requirements for each are specified by way of schema definitions and prose respectively. This specification also includes other useful types that identify methods for referencing collections of resources, algorithms, and keying and management information. The XML Signature is a method of associating a key with referenced data (octets); it does not normatively specify how keys are associated with persons or institutions, nor the meaning of the data being referenced and signed. Consequently, while this specification is an important component of secure XML applications, it itself is not sufficient to address all application security/trust concerns, particularly with respect to using signed XML (or other data formats) as a basis of human-to-human communication and agreement. Such an application must specify additional key, algorithm, processing and rendering requirements. For further information, please see Security Considerations (section 8). Eastlake, et al. Standards Track [Page 3] RFC 3275 XML-Signature Syntax and Processing March 2002 1.1 Editorial and Conformance Conventions For readability, brevity, and historic reasons this document uses the term "signature" to generally refer to digital authentication values of all types. Obviously, the term is also strictly used to refer to authentication values that are based on public keys and that provide signer authentication. When specifically discussing authentication values based on symmetric secret key codes we use the terms authenticators or authentication codes. (See Check the Security Model, section 8.3.) This specification provides an XML Schema [XML-schema] and DTD [XML]. The schema definition is normative. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in RFC2119 [KEYWORDS]: "they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)" Consequently, we use these capitalized key words to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. These key words are not used (capitalized) to describe XML grammar; schema definitions unambiguously describe such requirements and we wish to reserve the prominence of these terms for the natural language descriptions of protocols and features. For instance, an XML attribute might be described as being "optional." Compliance with the Namespaces in XML specification [XML-ns] is described as "REQUIRED." 1.2 Design Philosophy The design philosophy and requirements of this specification are addressed in the XML-Signature Requirements document [XML-Signature- RD]. 1.3 Versions, Namespaces and Identifiers No provision is made for an explicit version number in this syntax. If a future version is needed, it will use a different namespace. The XML namespace [XML-ns] URI that MUST be used by implementations of this (dated) specification is: xmlns="http://www.w3.org/2000/09/xmldsig#" Eastlake, et al. Standards Track [Page 4] RFC 3275 XML-Signature Syntax and Processing March 2002 This namespace is also used as the prefix for algorithm identifiers used by this specification. While applications MUST support XML and XML namespaces, the use of internal entities [XML] or our "dsig" XML namespace prefix and defaulting/scoping conventions are OPTIONAL; we use these facilities to provide compact and readable examples. This specification uses Uniform Resource Identifiers [URI] to identify resources, algorithms, and semantics. The URI in the namespace declaration above is also used as a prefix for URIs under the control of this specification. For resources not under the control of this specification, we use the designated Uniform Resource Names [URN] or Uniform Resource Locators [URL] defined by its normative external specification. If an external specification has not allocated itself a Uniform Resource Identifier we allocate an identifier under our own namespace. For instance: SignatureProperties is identified and defined by this specification's namespace: http://www.w3.org/2000/09/xmldsig#SignatureProperties XSLT is identified and defined by an external URI http://www.w3.org/TR/1999/REC-xslt-19991116 SHA1 is identified via this specification's namespace and defined via a normative reference http://www.w3.org/2000/09/xmldsig#sha1 FIPS PUB 180-1. Secure Hash Standard. U.S. Department of Commerce/National Institute of Standards and Technology. Finally, in order to provide for terse namespace declarations we sometimes use XML internal entities [XML] within URIs. For instance: ]> ... Eastlake, et al. Standards Track [Page 5] RFC 3275 XML-Signature Syntax and Processing March 2002 1.4 Acknowledgements The contributions of the following Working Group members to this specification are gratefully acknowledged: * Mark Bartel, Accelio (Author) * John Boyer, PureEdge (Author) * Mariano P. Consens, University of Waterloo * John Cowan, Reuters Health * Donald Eastlake 3rd, Motorola (Chair, Author/Editor) * Barb Fox, Microsoft (Author) * Christian Geuer-Pollmann, University Siegen * Tom Gindin, IBM * Phillip Hallam-Baker, VeriSign Inc * Richard Himes, US Courts * Merlin Hughes, Baltimore * Gregor Karlinger, IAIK TU Graz * Brian LaMacchia, Microsoft (Author) * Peter Lipp, IAIK TU Graz * Joseph Reagle, W3C (Chair, Author/Editor) * Ed Simon, XMLsec (Author) * David Solo, Citigroup (Author/Editor) * Petteri Stenius, DONE Information, Ltd * Raghavan Srinivas, Sun * Kent Tamura, IBM * Winchel Todd Vincent III, GSU * Carl Wallace, Corsec Security, Inc. * Greg Whitehead, Signio Inc. As are the Last Call comments from the following: * Dan Connolly, W3C * Paul Biron, Kaiser Permanente, on behalf of the XML Schema WG. * Martin J. Duerst, W3C; and Masahiro Sekiguchi, Fujitsu; on behalf of the Internationalization WG/IG. * Jonathan Marsh, Microsoft, on behalf of the Extensible Stylesheet Language WG. 1.5 W3C Status The World Wide Web Consortium Recommendation corresponding to this RFC is at: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/ Eastlake, et al. Standards Track [Page 6] RFC 3275 XML-Signature Syntax and Processing March 2002 2. Signature Overview and Examples This section provides an overview and examples of XML digital signature syntax. The specific processing is given in Processing Rules (section 3). The formal syntax is found in Core Signature Syntax (section 4) and Additional Signature Syntax (section 5). In this section, an informal representation and examples are used to describe the structure of the XML signature syntax. This representation and examples may omit attributes, details and potential features that are fully explained later. XML Signatures are applied to arbitrary digital content (data objects) via an indirection. Data objects are digested, the resulting value is placed in an element (with other information) and that element is then digested and cryptographically signed. XML digital signatures are represented by the Signature element which has the following structure (where "?" denotes zero or one occurrence; "+" denotes one or more occurrences; and "*" denotes zero or more occurrences): ( ( )? )+ ( )? (
RetroSearch is an open source project built by @garambo
| Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4