IETF/W3C XML-DSig Working Group

XML-Signature Interoperability

Editor(s):
Joseph Reagle Jr. <reagle@w3.org>
Previous versions:
http://www.w3.org/Signature/2000/10/17-xmldsig-interop.html
http://www.w3.org/Signature/2000/08/09-interop.html
http://www.w3.org/Signature/2000/05/30-interop.html
http://www.w3.org/Signature/2000/03/13-interop.html

This document describes the interoperability requirements over features, operations, and requirements specified by the XML Signature Processing and Syntax specification of the IETF/W3C XML Signature WG. The minimum exit criteria for this implementation period is the RFC2026 Draft Standard definition. This document has exceeded the purpose of showing two interoperable implementations over features and algorithms for the http://www.w3.org/2000/09/xmldsig# namespace. However, reports are still accepted.

While Canonical XML is tested below, please see the Canonical XML Interop Report for a test of each of the seven examples in the Canonical XML specification.

The following information is the best assessment of the Editors/Chairs for the dated namespace and does not necessarily represent the latest state of any given implementation over this or later specifications.

Test Vectors

The matrices below are based on the examples provided by Merlin Hughes and others. (Note: some HTTP agents mangle the content type of these tarballs when downloaded; I know Amaya and wget work.) "Yn" indicates a report of interoperability with other implementations for that test vector set, "N" means not implemented, and "" (an empty cell) means unknown.

Features and Algorithms

The first example is of a single signature that tests the referencing and processing model, including detached, enveloped, and enveloping signatures; transforms; XPointers; XSLT; and Manifests.

Application Features Key Word Baltimore Ubisecure Wedgetail Fujitsu GapXse HP IAIK Infomosaic IBM Microsoft NEC Phaos RSA Apache XMLSec DataPower
Detached Signature MUST Y1  Y2 Y1 Y1 Y1 Y1 Y1 Y1  Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1  Y2 Y1 Y1 Y1  Y2 Y1 Y2
Enveloping Signature: same document reference with fragment (URI="#Object1") MUST Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
Enveloped Signature: same document reference (URI="") with Enveloped Signature Transform. MUST Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
SignatureValue generation/validation MUST Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
Manifest DigestValue generation/validation MAY Y1 Y2 Y1 N1 Y1 Y1 Y1 Y1 Y2 N Y1 N1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 N
Feature: laxly schema valid Signature element generation MUST Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
XPointers '#xpointer(/)' SHOULD Y1 Y2 Y1 Y1 N1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 N1 Y1 Y1 Y2 N
XPointers '#xpointer(id("ID"))' SHOULD Y1 Y2 Y1 Y1 N1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 N1 Y1 Y1 Y2 N
XPath SHOULD Y1 Y2 N1 N1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
the dsig XPath 'here()' function (can be used to implement enveloped signature) SHOULD Y1 Y2 N1 N1 N1 N1 Y1 Y1 Y2 Y1 Y2 Y1 N1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 N
XSLT (note, the child XSLT element of Transform has been deprecated.) MAY Y1 Y2 N1 N1 N1 N1 Y1 Y1 Y2 N1 Y1 Y1 Y1 Y2 Y1 Y2 N1 Y1 Y1 Y2 Y1 Y2
RetrievalMethod (e.g., X509Data) SHOULD Y1 Y2 N1 N1 Y1 Y1 N1 N2 Y1 Y2 Y1 N1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 N
Algorithms Key Word Baltimore Ubisecure Wedgetail Fujitsu GapXse HP IAIK Infomosaic IBM Microsoft NEC Phaos RSA Apache XMLSec DataPower
Digest SHA1 MUST Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
Encoding Base64 MUST Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
MAC HMAC-SHA1 MUST Y1 Y2 Y1 Y1 Y1* Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
Signature DSAwithSHA1 (DSS) MUST Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
RSAwithSHA1 SHOULD Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
Canonicalization minimal (deprecated) n/a N N N N N N N N N N N N N N N N
Canonical XML (20010315) MUST Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
Canonical XML with comments SHOULD Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2
Signature Transform Enveloped Signature MUST Y1 Y2 Y1 Y1 Y1 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2 Y1 Y1 Y1 Y2 Y1 Y2


DNAME encodings

The following example set contains test vectors for the OPTIONAL DNAME encoding.

karlinger-1 and corrections IAIK ... ... ... ... ...
DNAME encodings Y1




(deprecated) Types of Signatures and Algorithms

Reports no longer need be submitted against this set.

merlin-xmldsig-fifteen.tar.gz Baltimore Ubisecure Wedgetail Fujitsu GapXse HP IAIK Infomosaic IBM Microsoft NEC Phaos RSA Apache XMLSec
signature-enveloping-b64-dsa.xml Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1
signature-enveloping-dsa.xml Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1
signature-enveloping-hmac-sha1-40.xml Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1
signature-enveloping-hmac-sha1.xml Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1
signature-enveloping-rsa.xml Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1
signature-external-b64-dsa.xml Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1
signature-external-dsa.xml Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1 Y1

..






Joseph Reagle <reagle@w3.org>

$Revision: 1.64 $ on $Date: 2003/07/10 19:01:56 $ by $Author: reagle $
