XMLDSIG Interoperability Report
MEMO Donald Eastlake 3rd Motorola July 2001
XMLDSIG Interoperability Report
------- ---------------- ------
Table of Contents
Table of Contents..........................................1
1. Introduction............................................2
2. Orgnaizations Interoperating:...........................2
3. Interoperability Results................................3
3.1 Canonicalization.......................................3
3.2 Digest/Signature/MAC Algorithms........................3
3.3 Features Related to Location of Signed Data............4
3.4 Keying Information.....................................4
3.5 Transforms.............................................4
3.6 Manifest Element.......................................4
3.7 Miscellaneous..........................................5
Summary....................................................6
Author's Address...........................................6
D. Eastlake 3rd [Page 1]
MEMO XMLDSIG Interoperability Report July 2001
1. Introduction
XML Digital Signature (XMLDSIG) is a Proposed Standard as specified
in [RFC 3075] produced by the joint IETF/W3C XMLDSIG working group.
In addition, Canonical XML, which is normatively referenced by
XMLDSIG, has been standardized by the W3C and is documented in
Informational [RFC 3076].
It is the consensus of the working group that the XMLDSIG standard
should be advanced to the IETF Draft Standard level. This memo
supports that advancement by documenting interoperability of the
XMLDSIG features and options except for Minimal Canonicalization
which is to be dropped. The internet-draft to be advanced is draft-
ietf-xmldsig-core2-00.txt (soon to be -01). It also has numerous
clarifications and improvements in documentation over the current
RFC.
2. Orgnaizations Interoperating:
The following organizations, in alphabetic order, have independently
produced interoperable implementations of XMLDSIG:
Baltimore:
Baltimore Technologies <http: www.baltimore.com="">
see <http: www.baltimore.com="" keytools="" xml="" index.html="">
Done:
Done Information, Inc. <http: www.doneinformation.com="">
Phone: +358 9-5259 240
see <http: www.doneinformation.com="" web="" map="" donesignature.html="">
DSTC:
Distributed Systems Technology Centre <http: www.dstc.edu.au="">
see <http: security.dstc.com="" products="" xmldsig="">
Fujitsu:
Fujitsu <http: www.fujitsu.com="">
IAIK:
Institute for Applied Information Processing and Communications
<http: www.iaik.at=""> at Technical University of Graz, Austria.
Phone: (+43) (316) 873-5540
see <http: jcewww.iaik.at="" products="" ixsil="" index.htm="">
IBM:
IBM <http: www.ibm.com="">
see <http: www.alphaworks.ibm.com="" tech="" xmlsecuritysuite="">
D. Eastlake 3rd [Page 2]
MEMO XMLDSIG Interoperability Report July 2001
Microsoft:
Microsoft <http: www.microsoft.com="">
NEC:
NEC <http: www.nec.com="">
RSA:
RSA Security Inc. <http:www.rsa.com>
3. Interoperability Results
This section is primarily a restatement in text form of the
interoperability matrix at
<http: www.w3.org="" signature="" 2001="" 04="" 05-xmldsig-interop.html="">.
Note that this represents just a snapshot of the status of these
implementations and they may have advanced significantly.
3.1 Canonicalization
Interoperable for the W3C standard Canonical XML (required) and
Canonical XML with Comments (recommended) show for all
implementations by producing identical results from various inputs.
(See also earlier canoncialization testing results at
<http: www.w3.org="" signature="" 2000="" 10="" 10-c14n-interop.html=""> using the
examples from the Canonical XML specification showing
interoperability between at least Baltimore and IBM for all features
and options.)
Support for Minimal Canonicalization (recommended in the Proposed
Standard) had been shown by NONE of the organizationad and will be
DROPPED.
3.2 Digest/Signature/MAC Algorithms
Interoperable support of the generation and validation of digests and
signature/MAC values using SHA1 (required), DSAwithSHA1 (DSS,
required), RSAwithSHA1 (recommended), and HMAC-SHA1 (required) shown
by all implementations based on a variety of test cases.
D. Eastlake 3rd [Page 3]
MEMO XMLDSIG Interoperability Report July 2001
3.3 Features Related to Location of Signed Data
Interoperability tests included detached, enveloping, and enveloped
signatures. This includes same document references (URI="") with the
enveloped signature transform and same document references with
fragment (URI="#object1"). Also tested were same document and
fragment XPointer ( #xpointer(/) and #xpointer(id("ID")) ). These
are required features except for XPointer, which is recommended, and
all implementations supported them except that the Fujitsu and RSA
implementations did not support XPointer.
3.4 Keying Information
The required KeyValue element was interoperably supported by all
implementations. The recommended RetrievalMethod element was
interoperably supported by Baltimore, IBM, NEC, and RSA.
3.5 Transforms
Interoperable support of the three Transform algorithms and the
recommended extension to one algorithm, as specified in the standard,
are as follows:
XSLT (optional):
Baltimore, IBM, Microsoft, NEC
XPath (recommended):
Baltimore, Fujitsu, IAIK, IBM, Microsoft, NEC, RSA
here() function (an addition to XPath) (recommended):
Baltimore, IAIK, IBM, NEC, RSA
Enveloped Signature Transform (required):
All organizations (see also 3.3 above).
3.6 Manifest Element
Baltimore, Done, Fujitsu, IAIK, IBM, NEC, and RSA interoperably
support digest generation and validation for this optional element.
D. Eastlake 3rd [Page 4]
M EMO XMLDSIG Interoperability Report July 2001
3.7 Miscellaneous
All implementations interoperably supported base64 encoding.
All implementations interoperably supported laxly schema valid
Signature element generation.
D. Eastlake 3rd [Page 5]
MEMO XMLDSIG Interoperability Report July 2001
Summary
All defined features and options are supported by multiple
independent interoperable implementation except for Minimal
Canonicalization which has been dropped from the internet-draft which
is the candidate for Draft Standard.
Author's Address
Donald E. Eastlake 3rd
Motorola
155 Beaver Street
Milford, MA 01757 USA
Telephone: +1-508-634-2066 (h)
+1-508-261-5434 (w)
FAX: +1-508-261-4447 (w)
EMail: Donald.Eastlake@motorola.com
D. Eastlake 3rd [Page 6]