Modifications to the XML Digital Signature Specification

The package modifications to the XML Digital Signature specification are summarized as follows:

  1. The producer shall create <Reference> elements within a <SignedInfo> element that reference elements within the same <Signature> element. The consumer shall consider <Reference> elements within a <SignedInfo> element that reference any resources outside the same <Signature> element to be in error. [M6.5] The producer should only create <Reference> elements within a <SignedInfo> element that reference an <Object> element. [S6.5] The producer shall not create a reference to a package-specific <Object> element that contains a transform other than a canonicalization transform. The consumer shall consider a reference to a package-specific <Object> element that contains a transform other than a canonicalization transform to be an error. [M6.6]

  2. The producer shall create one and only one package-specific <Object> element in the <Signature> element. The consumer shall consider zero or more than one package-specific <Object> element in the <Signature> element to be an error. [M6.7]

  3. The producer shall create package-specific <Object> elements that contain exactly one <Manifest> element and exactly one <SignatureProperties> element. The consumer shall consider package-specific <Object> elements that contain other types of elements to be an error. [M6.8]
     Note: This <SignatureProperties> element can contain multiple <SignatureProperty> elements.
     Note: A signature may contain other <Object> elements that are not package-specific.

  4. The producer shall create <Reference> elements within a <Manifest> element that reference, through their @URI attribute, only parts within the package. The consumer shall consider <Reference> elements within a <Manifest> element that reference resources outside the package to be an error. [M6.9] The producer shall create relative references to the local parts that have query components that specify the part content type as described in §12.2.4.6. The relative reference, excluding the query component, shall conform to the part name grammar. The consumer shall consider a relative reference to a local part that has a query component that incorrectly specifies the part content type to be an error. [M6.10] The producer shall create <Reference> elements with a query component that specifies the content type that matches the content type of the referenced part. The consumer shall consider signature validation to fail if the part content type, compared in a case-sensitive manner to the content type specified in the query component of the part reference, does not match. [M6.11]

  5. The producer shall not create <Reference> elements within a <Manifest> element that contain transforms other than the canonicalization transform and the relationships transform. The consumer shall consider <Reference> elements within a <Manifest> element that contain transforms other than the canonicalization transform and the relationships transform to be in error. [M6.12]

  6. A producer that uses an optional relationships transform shall follow it by a canonicalization transform. The consumer shall consider any relationships transform that is not followed by a canonicalization transform to be an error. [M6.13]

  7. The producer shall create exactly one <SignatureProperty> element with the @Id attribute value set to idSignatureTime. The @Target attribute value of this element shall be either empty or contain a fragment reference to the value of the @Id attribute of the root <Signature> element. This <SignatureProperty> element shall contain exactly one <SignatureTime> child element. The consumer shall consider a <SignatureProperty> element that does not contain a <SignatureTime> element, or whose @Target attribute value is neither empty nor a fragment reference to the @Id attribute of the ancestor <Signature> element, to be in error. [M6.14]

Note:
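The following Python is an added illustration of the consumer-side checks listed above (rules M6.5 through M6.14); it is not part of the specification text and not the code of any particular package implementation. It assumes, beyond what this page states, that the package-specific <Object> carries @Id="idPackageObject", that "canonicalization transform" means the Canonical XML 1.0 algorithm URIs, that the relationships transform is identified by the RelationshipTransform algorithm URI under schemas.openxmlformats.org/package/2006, and a simplified part-name grammar. The sample <Signature> and the part-to-content-type table are constructed, with placeholder digest and signature values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "opc": "http://schemas.openxmlformats.org/package/2006/digital-signature"}
# Assumed (not stated on this page): the package-specific <Object> carries @Id="idPackageObject",
# canonicalization means Canonical XML 1.0, and the relationships transform uses the URI below.
PACKAGE_OBJECT_ID = "idPackageObject"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C14N_ALGS = {C14N, C14N + "#WithComments"}
REL_TRANSFORM = "http://schemas.openxmlformats.org/package/2006/RelationshipTransform"
_SEGMENT = re.compile(r"^[A-Za-z0-9\-._~%!$&'()*+,;=:@]+$")

def is_part_name(name):
    """Simplified part-name grammar: absolute, non-empty segments, no trailing '/' or '.'."""
    if not name.startswith("/") or name.endswith("/"):
        return False
    return all(seg and not seg.endswith(".") and _SEGMENT.match(seg) for seg in name[1:].split("/"))

def _transforms(ref):
    return [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]

def violations(signature_xml, part_content_types):
    """Return '<rule> <detail>' strings for each package-level rule (M6.5 to M6.14) the
    <Signature> breaks; part_content_types maps part names to their declared content types."""
    sig = ET.fromstring(signature_xml)
    sig_id = sig.get("Id")
    out = []
    # M6.5 / M6.6: SignedInfo references stay inside the Signature; the package-object one is C14N only
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or len(uri) < 2:
            out.append(f"M6.5 SignedInfo reference {uri!r} leaves the Signature element")
        elif uri == "#" + PACKAGE_OBJECT_ID:
            bad = [a for a in _transforms(ref) if a not in C14N_ALGS]
            if bad:
                out.append(f"M6.6 non-canonicalization transform on package object: {bad}")
    # M6.7: exactly one package-specific <Object>
    objs = [o for o in sig.findall("ds:Object", NS) if o.get("Id") == PACKAGE_OBJECT_ID]
    if len(objs) != 1:
        out.append(f"M6.7 expected one package-specific Object, found {len(objs)}")
        return out
    obj = objs[0]
    # M6.8: exactly one Manifest and one SignatureProperties, nothing else
    if sorted(c.tag for c in obj) != sorted("{%s}%s" % (NS["ds"], n) for n in ("Manifest", "SignatureProperties")):
        out.append(f"M6.8 unexpected package Object children: {[c.tag for c in obj]}")
    # M6.9 to M6.13: each Manifest reference names a local part plus its content type
    for ref in obj.findall("ds:Manifest/ds:Reference", NS):
        uri = ref.get("URI", "")
        u = urlsplit(uri)
        if u.scheme or u.netloc or not u.path.startswith("/"):
            out.append(f"M6.9 manifest reference {uri!r} is not a part in this package")
            continue
        name, (key, _, ctype) = unquote(u.path), u.query.partition("=")
        if key != "ContentType" or not ctype or not is_part_name(name):
            out.append(f"M6.10 malformed part reference {uri!r}")
            continue
        if part_content_types.get(name) != ctype:   # case-sensitive, as M6.11 requires
            out.append(f"M6.11 content type mismatch for {name}: {ctype!r}")
        algs = _transforms(ref)
        bad = [a for a in algs if a not in C14N_ALGS and a != REL_TRANSFORM]
        if bad:
            out.append(f"M6.12 disallowed transform on {name}: {bad}")
        for i, a in enumerate(algs):
            if a == REL_TRANSFORM and (i + 1 >= len(algs) or algs[i + 1] not in C14N_ALGS):
                out.append(f"M6.13 relationships transform on {name} not followed by canonicalization")
    # M6.14: one idSignatureTime property, targeting this Signature, holding one SignatureTime
    props = [p for p in obj.findall("ds:SignatureProperties/ds:SignatureProperty", NS)
             if p.get("Id") == "idSignatureTime"]
    if len(props) != 1:
        out.append(f"M6.14 expected one idSignatureTime property, found {len(props)}")
    else:
        target, kids = props[0].get("Target", ""), list(props[0])
        if target and target != f"#{sig_id}":
            out.append(f"M6.14 Target {target!r} does not reference the Signature element")
        if len(kids) != 1 or kids[0].tag != "{%s}SignatureTime" % NS["opc"]:
            out.append("M6.14 SignatureProperty must hold exactly one SignatureTime")
    return out

# Constructed sample package signature; digest and signature values are placeholders.
SAMPLE_PARTS = {
    "/word/document.xml": "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "/_rels/.rels": "application/vnd.openxmlformats-package.relationships+xml"}
DIGEST = '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>AAAA</DigestValue>'
SAMPLE_SIGNATURE = f"""<Signature xmlns="{NS['ds']}" Id="idPackageSignature">
 <SignedInfo><CanonicalizationMethod Algorithm="{C14N}"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <Reference URI="#idPackageObject"><Transforms><Transform Algorithm="{C14N}"/></Transforms>{DIGEST}</Reference>
 </SignedInfo><SignatureValue>AAAA</SignatureValue>
 <Object Id="idPackageObject"><Manifest>
  <Reference URI="/word/document.xml?ContentType={SAMPLE_PARTS['/word/document.xml']}">
   <Transforms><Transform Algorithm="{C14N}"/></Transforms>{DIGEST}</Reference>
  <Reference URI="/_rels/.rels?ContentType={SAMPLE_PARTS['/_rels/.rels']}">
   <Transforms><Transform Algorithm="{REL_TRANSFORM}"/><Transform Algorithm="{C14N}"/></Transforms>{DIGEST}</Reference>
  </Manifest>
  <SignatureProperties><SignatureProperty Id="idSignatureTime" Target="#idPackageSignature">
   <opc:SignatureTime xmlns:opc="{NS['opc']}"><opc:Format>YYYY-MM-DDThh:mm:ssTZD</opc:Format>
    <opc:Value>2024-01-01T00:00:00Z</opc:Value></opc:SignatureTime>
  </SignatureProperty></SignatureProperties>
 </Object></Signature>"""

if __name__ == "__main__":
    print(violations(SAMPLE_SIGNATURE, SAMPLE_PARTS) or "package signature structure OK")
```

These are structural checks only: they do not compute digests, verify the <SignatureValue>, or apply the transforms. A real consumer resolves each part's content type from the package's content-type declarations rather than from a table passed in, runs these checks before any cryptographic work, and rejects the signature on the first violation so that an attacker-controlled <Object> or an out-of-package reference never reaches the digest step.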