Readablewiki

XML Signature

Content sourced from Wikipedia, licensed under CC BY-SA 3.0.

XML Signature is a standard for adding digital signatures to XML data. Also called XMLDSig, it defines how to sign XML documents (and any data reachable at a URL). It is similar to PKCS #7 but designed specifically for XML and is more flexible. It is used in web technologies such as SOAP and SAML.

Key ideas
- Signatures can take different forms:
- Detached: signs a resource outside the XML document.
- Enveloped: the signature sits inside the document and covers part of it.
- Enveloping: the signed data sits inside the signature itself.
- The signature is carried in a Signature element in the http://www.w3.org/2000/09/xmldsig# namespace.

Core validation
- Core Validation checks that the data was really signed by the claimed signer.
- Because XML can be stored or transmitted in many ways, the signing process uses canonicalization to produce a standard form before signing. This ensures semantically identical XML yields the same signature, even if whitespace, line endings, or attribute order change.
- When a signed document is embedded in another document, exclusive canonicalization handles namespace declarations so the result stays consistent.
- Validation must also guard against issues like signature wrapping, so selecting the signed data with absolute paths (not just by name) is important.

Why the complexity
- A single XML document can have multiple valid serialized forms. Small changes in how the XML is written can affect the signature, so canonicalization and careful processing are essential.
- XML signatures can bind to specific parts of a document and apply transformations to the data before signing, offering flexibility beyond signing raw binary data.

Trade-offs and concerns
- Canonicalization can add latency, which matters for performance-sensitive applications.
- If not implemented correctly, XML signatures can introduce vulnerabilities, such as signature wrapping. Proper policy and robust processing are important.
- The XML Security Working Group works on addressing these issues to improve reliability and security.

In short, XML Signature provides a flexible, standards-based way to ensure the integrity and authenticity of XML data in technologies like SOAP and SAML.

This page was last edited on 3 February 2026, at 02:33 (CET).