I’ve been thinking about signing XML nodes. The existing mechanisms are either really complex (XML-DSig) or over-verbose (Magic Sig). This could be useful in RSS/ATOM feeds, XMPP, and other XML-based communication formats. The purpose of this proposal is to provide a lightweight signing (and optionally, encryption) mechanism for embedding inside XML nodes, while not inventing any new XML namespaces, elements, or attributes, not inventing a new envelope format for the signature data, and not suggesting a new way of transmitting octet streams in a text-safe way.
In order to preserve the form of the XML being signed, an exact textual representation of the XML tree to be signed must be included in the signature packet (“opaque signing”). This is similar to the strategy employed by Magic Sig.
It is recommended that the fragment be encoded as a valid standalone XML document, so that parsers can easily feed the unwrapped content to an XML parser and use the tree that results, without having to graft the text back into the original XML document for parsing.
Rather than inventing a new envelope to mark up what algorithms were used to generate the signature, I suggest using the standard OpenPGP packet format from RFC4880. This standard is well-deployed for use in Email and other cryptosystems, and there are implementations, or partial implementations, in many languages, including PHP.
Inclusion in an XML node
An opaquely signed XML fragment is just an alternative representation of the node it wraps. This relationship is well modelled by the ATOM link element (namespace http://www.w3.org/2005/Atom) with the rel attribute set to
RFC3156 defines an Internet media type for encrypted and/or signed OpenPGP data as application/pgp-encrypted. This makes an appropriate content for the
Text-safe encoding of octets
Protocols may wish to include the OpenPGP packet directly in the XML document, instead of linking to an external resource. In fact, this is probably the normal case. RFC2397 defines a useful mechanism for encoding arbitrary octet streams (such as those used in the OpenPGP binary packet format) as URIs for use anywhere a URI is expected, such as the href attribute. The media type included in the data URI should be
Below is an ATOM fragment demonstrating this recommendation:
<?xml version="1.0" encoding="UTF-8"?>
<link rel="alternate" type="text/html" href="http://example.com/item1" />
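As an added example (not code from the original post), the following Python carries a fragment through the pipeline described above: it wraps the fragment as a standalone XML document, places it in an RFC4880 literal data packet, embeds the packet as an RFC2397 data URI in an ATOM link, and on the receiving side checks the media type and packet header before handing the unwrapped document to the XML parser. It assumes the data URI media type is the RFC3156 application/pgp-encrypted type named in the text; the signature packets a real OpenPGP library would place around the literal packet are left to that library, and only one- and two-octet packet lengths are handled.

```python
import base64
import xml.etree.ElementTree as ET
ATOM_NS = "http://www.w3.org/2005/Atom"
PGP_MEDIA_TYPE = "application/pgp-encrypted"  # RFC3156 type named in the post; assumed for the data URI
DATA_URI_PREFIX = f"data:{PGP_MEDIA_TYPE};base64,"  # RFC2397 inline encoding

def wrap_fragment(fragment: str) -> bytes:  # the recommended opaque form: a standalone document
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + fragment).encode()

def new_format_header(tag: int, length: int) -> bytes:
    """RFC4880 4.2.2 new-format packet header with a one- or two-octet body length."""
    if length < 192:
        return bytes([0xC0 | tag, length])
    if length >= 8384:
        raise ValueError("five-octet lengths are not handled in this example")
    return bytes([0xC0 | tag, ((length - 192) >> 8) + 192, (length - 192) & 0xFF])

def literal_data_packet(data: bytes) -> bytes:  # RFC4880 5.9, tag 11
    body = b"b\x00" + (0).to_bytes(4, "big") + data  # binary format, empty filename, zero date
    return new_format_header(11, len(body)) + body

def build_link(octets: bytes) -> str:  # ATOM link carrying the packet inline in its href
    href = DATA_URI_PREFIX + base64.b64encode(octets).decode("ascii")
    link = ET.Element(f"{{{ATOM_NS}}}link", rel="alternate", type=PGP_MEDIA_TYPE, href=href)
    return ET.tostring(link, encoding="unicode")

def parse_packet(octets: bytes):
    """Return (tag, body) of the first new-format packet; old-format headers are rejected."""
    if len(octets) < 2 or octets[0] & 0xC0 != 0xC0:
        raise ValueError("not a new-format OpenPGP packet")
    tag, first = octets[0] & 0x3F, octets[1]
    if first < 192:
        length, off = first, 2
    elif first < 224:
        length, off = ((first - 192) << 8) + octets[2] + 192, 3
    else:
        raise ValueError("five-octet and partial body lengths are not handled")
    return tag, octets[off:off + length]

def extract_document(link_xml: str) -> ET.Element:
    """Receiver side: check the media type, decode the data URI, unwrap the packet, parse the XML."""
    link = ET.fromstring(link_xml)
    href = link.get("href", "")
    if link.get("type") != PGP_MEDIA_TYPE or not href.startswith(DATA_URI_PREFIX):
        raise ValueError("link does not carry an inline OpenPGP packet")
    tag, body = parse_packet(base64.b64decode(href[len(DATA_URI_PREFIX):], validate=True))
    if tag != 11:
        raise ValueError(f"expected a literal data packet (tag 11), got tag {tag}")
    name_len = body[1]  # body: format octet, filename length, filename, 4-octet date, data
    return ET.fromstring(body[6 + name_len:])
```

Because the receiver parses the unwrapped standalone document rather than grafting text back into the feed, the original feed's parse tree is never disturbed by the opaque payload.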