| CARVIEW |
Select Language
HTTP/2 200
date: Wed, 08 Oct 2025 19:12:50 GMT
content-type: text/html; charset=iso-8859-1
content-encoding: gzip
last-modified: Thu, 06 Apr 2000 18:52:48 GMT
cache-control: max-age=21600
expires: Thu, 09 Oct 2025 01:12:50 GMT
vary: Accept-Encoding
x-backend: www-mirrors
x-request-id: 98b7f3ba1a08cb77
strict-transport-security: max-age=15552000; includeSubdomains; preload
content-security-policy: frame-ancestors 'self' https://cms.w3.org/ https://cms-dev.w3.org/; upgrade-insecure-requests
cf-cache-status: BYPASS
set-cookie: __cf_bm=1.uZ1YLmjDFlPEQKKHQEp0vmQOz98Qj_zMNika_8qX0-1759950770-1.0.1.1-SBjBbF3IGRHNvdRg_E3u8N0gBe1pBZlNc4ZsuBBvMD9mYoVZ3RmeCq5KhvqUc1PAtPmL1EDaFcCd9ke8v8NS2IniHwcAW93TD0Og_JnBQSE; path=/; expires=Wed, 08-Oct-25 19:42:50 GMT; domain=.w3.org; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 98b7f3ba1a08cb77-BLR
alt-svc: h3=":443"; ma=86400
IETF/W3C XML-DSig Working Group
Joseph Reagle <reagle@w3.org>
XML-Signature Interoperability [ascii]
- Editors(s):
- Ed Simon <ed.simon@entrust.com>
- Joseph Reagle Jr. <reagle@w3.org>
This document describes the interoperability requirements over a features, operations, and requirements specified by the XML Signature Processing and Syntax specification as required by the charter and defined by IETF RFC2026:
4.1.2 Draft Standard A specification from which at least two independent and interoperable implementations from different code bases have been developed, and for which sufficient successful operational experience has been obtained, may be elevated to the "Draft Standard" level. For the purposes of this section, "interoperable" means to be functionally equivalent or interchangeable components of the system or process in which they are used.
Tests to satisfy this requirement should operate over the following (tenative) list of (mostly) MANDATORY operations (as based on the last call draft (20000228)) requirements and features:
| Feature | Key Word | Implementation |
Operation: Reference elements
generation/validation |
MUST | |
| Feature: Detached Signature | MUST | |
| Feature: Enveloped Signature | MUST | |
|
MUST | |
| Feature: Enveloping Signature | MUST | |
|
MUST | |
Operation: SignatureValue
generation/validation |
MUST | |
| Requirement: Signing parts of a document | MUST | |
|
MUST SHOULD |
|
| Feature: Minimal C14N | MUST | |
| Feature: Canonical XML | SHOULD | |
| Feature: KeyValue | MUST |
As well as the following external algorithms:
| Algorithm Type | Algorithm | Key Word | Implementation |
| Digest | SHA1 | REQUIRED | |
| Encoding | Base64 | REQUIRED | |
| Encoding | QuotedPrintable | RECOMMENDED | |
| MAC | HMAC-SHA1 | REQUIRED | |
| Signature | DSAwithSHA1 (DSS) |
REQUIRED | |
| Signature | RSAwithSHA1 | RECOMMENDED |
Strategy
There are three deliverables involved in getting this rolling:
- Test Vectors/Cases
- scenarious FAQ as a very broad first step, but very far from complete or exhaustive (or the proper methodology)
- Testing interface
a web/email interface that can run on top of an implemenation (e.g., Simon's example interface)
- Implementations
- propietary implementations with an open testing interface (be it exchanging examples in email, or someting like an auto-web/email responder).
- open code
Short Term
- Identify two implementors and ask them to commit to implementing the spec and doing
interoperability testing until full interoperability is achieved.
- Regularly email each others' Toolkits to each other on a regular basis.
- Provide a Web email interface so the toolkits need not be revealed by tests can be run with different examples..
Long Term
- If someone is going to provide a interface for pairwise testing, they might as well open up access to the public and commit to tracking the space to make it a 'semi-normative' implementation.
Example Interface
// Format the test case
String strXmlSignatureTestCase =
"<XmlSignatureTestCase>" +
"<Sender>" +
"<Name>Acme Signatures Inc.</Name>" +
"<XmlSignatureAutoresponderUri>https://www.acmesigs.com/xmlsigautoresponder</
XmlSignatureAutoresponderUri>" +
"</Sender>" +
"<Description>Signature should verify</Description>" +
"<Signature xmlns=\"https://www.w3.org/2000/02/xmldsig#\">" +
" ." +
"</Signature>" +
"<XmlSignatureTestCase>";
// Send the test case to the other org's autoresponder
URL urlAutoResponder = new URL("https://www.iotp.com/xmlsigautoresponder");
URLConnection urlconAutoResponder = u.openConnection();
urlconAutoResponder.getOutputStream().write(strXmlSignatureTestCase );
// Get the result from the other org's autoresponder
String strTestResult = urlconAutoResponder.getInputStream().read();
// Process result
process(strTestResult);
The (pseudo) code on the server side might look like this .
public class XmlSigInteroperabilityServlet extends HttpServlet {
private static String strTitle = "XML Signature InteroperabilityTester";
private static XmlSigTester xst = null;
public void init(ServletConfig sc) throws ServletException {
super.init(sc);
xst = new XmlSigTester();
if (!xst.doInit().equals("SUCCESS")) {
throw new UnavailableException(this,
"Could not initialize XmlSigTesterclass.");
}
}
public void doPost (HttpServletRequest req,
HttpServletResponse res, HttpSession httpsesn)
throws ServletException, IOException, Exception {
String strSignatureElement =req.getParameter("theXmlSignature").trim();
String strVerificationStatus = "INCOMPLETE";
try {
strVerificationStatus = xst.verifySignature(strSignatureElement);
} catch (Exception ex) {
doPageError(req, res, ex, "The verification processing failed .");
}
StringBuffer htmlOutput = new StringBuffer(
"<HTML>" +
"<HEAD>" +
"<TITLE>" + strTitle + "</TITLE>" +
"</HEAD>" +
"<BODY>" +
"<H1>" + strTitle + "</H1>" +
"<H2>Verification parameters</H2>" +
"<H3>Signature received from sender</H3>" +
"<TEXTAREA name=\"theXmlSignature\" rows=\"20\" cols=\"120\">\n" +
strSignatureElement +
"</TEXTAREA><HR>");
htmlOutput.append(
"<H2>Signature verification results</H2>" +
"<P>" +
"The verification indicates that the signature is ");
htmlOutput.append("\"" + strVerificationStatus + "\"");
htmlOutput.append(
"</P>" +
"\n</BODY>" +
"</HTML>");
PrintWriter pw = res.getWriter();
pw.println(htmlOutput);
pw.flush();
pw.close();
}
}
Joseph Reagle <reagle@w3.org>
Last revised by Reagle $Date: 2000/04/06 18:52:48 $
=======