Digital Signatures

Format designers might allow a package to include digital signatures to enable consumers to validate the integrity of the contents. The producer might include the digital signature when allowed by the format designer. [O6.1] Consumers can identify the parts of a package that have been signed and the process for validating the signatures. Digital signatures do not protect data from being changed. However, consumers can detect whether signed data has been altered and notify the end-user, restrict the display of altered content, or take other actions.

Producers incorporate digital signatures using a specified configuration of parts and relationships. This clause describes how the package digital signature framework applies the W3C Recommendation “XML-Signature Syntax and Processing” (referred to here as the “XML Digital Signature specification”). In addition to complying with the XML Digital Signature specification, producers and consumers also apply the modifications specified in §