The IETF/W3C XML Signature Working Group has released an initial public working draft for XML-Signature XPath Filter 2.0. The specification "defines a means to digitally sign a document subset using XPath" in support of the W3C XML Signature Recommendation. The goal is to: "(1) more easily specify XPath transforms, and (2) more efficiently process those transforms... [the document] describes a new signature filter transform that, like the XPath transform, provides a method for computing a portion of a document to be signed. In the interest of simplifying the creation of efficient implementations, the architecture of this transform is not based on evaluating an XPath expression for every node of the XML parse tree (as defined by the XPath data model). Instead, the XPath expression in this transform is used to identify a set of nodes that, along with all nodes having an ancestor in the identified set, is used to transform the input node set by set intersection, subtraction, or union." Since the specification has already received a large amount of discussion and implementation within the Working Group, the WG members hope to move the specification "to and through Last Call and then Candidate Recommendation very quickly."
Bibliographic information: XML-Signature XPath Filter 2.0. W3C Working Draft 25-April-2002. Authors/Editors: John Boyer (PureEdge Solutions Inc.), Merlin Hughes (Baltimore Technologies Ltd.), and Joseph Reagle W3C). Version URL: http://www.w3.org/TR/2002/WD-xmldsig-filter2-20020425/. Latest version URL: http://www.w3.org/TR/xmldsig-filter2/.
From the Abstract: "XML Signature recommends a standard means for specifying information content to be digitally signed and for representing the resulting digital signatures in XML. Some applications require the ability to specify a subset of a given XML document as the information content to be signed. The XML Signature specification meets this requirement with the XPath transform. However, this transform can be difficult to implement efficiently with existing technologies. This specification defines a new XML Signature transform to facilitate the development of efficient document subsetting technologies that interoperate under similar performance profiles."
From the document Introduction: "The principal differences from the XPath transform are: (1) The XPath expression is evaluated against the input document resulting in a set of nodes, instead of being used as a boolean test against each node of the input node set. (2) To increase efficiency, the expansion of a given node to include all nodes having the given node as an ancestor is now implicit so it can be performed by faster means than the evaluation of an XPath expression for each document node. (3) The three fundamental set operations (intersection, subtraction, and union) are explicitly supported, allowing operations such as signing an entire document except for a specified subset, to be expressed more clearly and efficiently. As with the original XPath transform, the primary purpose of this transform is to ensure that only specifically defined changes to the input XML document are permitted after the signature is affixed. This can be done by excluding precisely those nodes that are allowed to change once the signature is affixed, and including all other input nodes in the output. It is the responsibility of the signature filter transform author to ensure that nodes are not excluded which could affect the interpretation of the transform output in the application context..."
- XML-Signature XPath Filter 2.0. W3C Working Draft 25-April-2002.
- W3C XML Digital Signatures Activity Statement
- Mailing list archives for 'w3c-ietf-xmldsig'
- XML-Signature Syntax and Processing. W3C Recommendation 12-February-2002.
- "XML Digital Signature (Signed XML - IETF/W3C)" - Main reference page.