The XML-Signature XPath Filter 2.0 specification produced by the IETF/W3C XML Signature Working Group has been released in its final publication stage as a W3C Recommendation. The Working Group "believes the specification is sufficient for the creation of independent interoperable implementations as demonstrated in the Interoperability Report. The XML Signature Recommendation (XML-Signature Syntax and Processing) defines standard means for specifying information content to be digitally signed, including the ability to select a portion of an XML document to be signed using an XPath transform. The XML-Signature XPath Filter 2.0 specification describes a new signature filter transform that, like the XPath transform, provides a method for computing a portion of a document to be signed. In the interest of simplifying the creation of efficient implementations, the architecture of this transform is not based on evaluating an XPath expression for every node of the XML parse tree, as defined by the XPath data model. Instead, a sequence of XPath expressions is used to select the roots of document subtrees -- location sets, in the language of XPointer -- which are combined using set intersection, subtraction and union, and then used to filter the input node-set."
Abstract: "XML Signature [XML-Signature Syntax and Processing] recommends a standard means for specifying information content to be digitally signed and for representing the resulting digital signatures in XML. Some applications require the ability to specify a subset of a given XML document as the information content to be signed. The XML Signature specification meets this requirement with the XPath transform. However, this transform can be difficult to implement efficiently with existing technologies. This specification [XML-Signature XPath Filter 2.0] defines a new XML Signature transform to facilitate the development of efficient document subsetting implementations that interoperate under similar performance profiles."
Bibliographic information: XML-Signature XPath Filter 2.0. W3C Recommendation 08-November-2002. Authors/Editors: John Boyer (PureEdge Solutions Inc.), Merlin Hughes (Baltimore Technologies Ltd.), and Joseph Reagle (W3C). Version URL: http://www.w3.org/TR/2002/REC-xmldsig-filter2-20021108/. Latest version URL: http://www.w3.org/TR/xmldsig-filter2/. Previous version: http://www.w3.org/TR/2002/PR-xmldsig-filter2-20020827/.
Excerpt:
Differences from the XPath transform [used in XML-Signature XPath Filter 2.0] are:
- A sequence of XPath operations can be executed in a single transform, allowing complex filters to be more easily expressed and optimized.
- The XPath expressions are evaluated against the input document resulting in a set of nodes, instead of being used as a boolean test against each node of the input node-set.
- To increase efficiency, the expansion of a given node to include all nodes having the given node as an ancestor is now implicit so it can be performed by faster means than the evaluation of an XPath expression for each document node.
- The resulting node-sets can be combined using the three fundamental set operations (intersection, subtraction, and union), and then applied as a filter against the input node-set, allowing operations such as signing an entire document except for a specified subset, to be expressed more clearly and efficiently.
As with the original XPath transform, the primary purpose of this transform is to ensure that only specifically defined changes to the input XML document are permitted after the signature is affixed. This can be done by excluding precisely those nodes that are allowed to change once the signature is affixed, and including all other input nodes in the output. It is the responsibility of the signature filter transform author to ensure that nodes are not excluded which could affect the interpretation of the transform output in the application context.
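The filter behaviour described in the excerpt, as an added Python example that is not taken from the Recommendation or from any implementation. It models element nodes only with `xml.etree.ElementTree` (no attribute, text or namespace nodes), assumes the filter set starts as the whole document before the first operation, and runs on a constructed `<Order>` document; every function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: <Approval> is meant to change after the signature is affixed.
DOC = """<Order>
  <Item sku="A1"><Qty>2</Qty></Item>
  <Item sku="B7"><Qty>1</Qty></Item>
  <Approval><Stamp>pending</Stamp></Approval>
</Order>"""

def expand(roots):
    """Implicit expansion: every selected subtree root plus all of its descendants."""
    nodes = set()
    for r in roots:
        nodes.update(r.iter())
    return nodes

def filter2(root, input_nodes, steps):
    """Run (operation, xpath) steps in order, then filter input_nodes (order kept)."""
    keep = set(root.iter())  # assumption: the filter set starts as the whole document
    for op, xpath in steps:
        selected = expand(root.findall(xpath))  # evaluated once against the document
        if op == "intersect":
            keep &= selected
        elif op == "subtract":
            keep -= selected
        elif op == "union":
            keep |= selected
        else:
            raise ValueError(f"unknown filter operation: {op}")
    return [n for n in input_nodes if n in keep]

def label(node):
    """Readable name for a node, e.g. Item[A1]."""
    sku = node.get("sku")
    return f"{node.tag}[{sku}]" if sku else node.tag

def signed_and_unsigned(steps):
    """Return (signed, unsigned) labels so a reviewer can audit what a filter omits."""
    root = ET.fromstring(DOC)
    everything = list(root.iter())
    signed = filter2(root, everything, steps)
    unsigned = [n for n in everything if n not in signed]
    return [label(n) for n in signed], [label(n) for n in unsigned]

if __name__ == "__main__":
    # Sign the whole order except the approval block.
    print(signed_and_unsigned([("subtract", ".//Approval")]))
    # Intersect to items, drop quantities, then union one quantity back in.
    print(signed_and_unsigned([("intersect", ".//Item"), ("subtract", ".//Qty"),
                               ("union", ".//Item[@sku='A1']/Qty")]))
```

The second list returned by `signed_and_unsigned` is the set of nodes that can change without invalidating the signature, which is the list a transform author has to review against the application's interpretation of the document.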
Principal references:
- XML-Signature XPath Filter 2.0. W3C Recommendation 08-November-2002.
- Errata of the XML-Signature XPath Filter 2.0
- XML Signature XPath Filter2 Interoperability Report
- XML-Signature Syntax and Processing. W3C Recommendation 12-February-2002.
- XML Signature Working Group
- W3C XML Digital Signatures Activity Statement
- Mailing list archives for 'w3c-ietf-xmldsig'
- "IETF/W3C XML Signature Working Group Issues XML-Signature XPath Filter 2.0." Announcement for initial public working draft, April 26, 2002.
- "Digital Signatures" - Main reference page.
- "XML Digital Signature (Signed XML - IETF/W3C)" - Main reference page.