2.2.1.7 Signature Element

The <Signature> element is specified in [XMLDSig/2008] section 4.1, [WSS1] sections 7.1 and 8 (excluding subsection 8.3), [WSS] sections 7.1 and 8 (excluding subsections 8.3 and 8.5), and [BSP] section 8.

Signatures are tied to security tokens as specified in sections 2.2.1.3.1, 2.2.1.5, and 2.2.1.6. All references to security tokens MUST be internal as specified in [BSP] section 7.6.

Each <Signature> element MUST contain exactly one of each of the following elements as child elements:

  • A <SignedInfo> element that MUST conform to section 2.2.1.7.1.

  • A <SignatureValue> element as specified in [XMLDSig/2008] section 4.2.

  • A <KeyInfo> element that MUST conform to section 2.2.1.7.2.

This document overrides the following specifications:

  • The "<element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>" element specified in [XMLDSig/2008] section 4.1 MUST NOT be used.

  • [WSS1] section 8.2, [WSS] section 8.2: "Producers SHOULD sign all important elements of the message."

The following elements are signed if the <Signature> element is a child element of the <Security> element specified in section 2.2.1:

  • The <To> element as specified in [WS-Addr-Core] section 3.2 MUST be present and signed if the signing key is asymmetric. If the signing key is symmetric, this element MUST NOT be signed.

  • The <Timestamp> element specified in section 2.2.1.2 MUST be signed. If a <Signature> element is present, the <Timestamp> element MUST be present as well.

If the <Signature> element is a child element of the <Assertion> element, as specified in section 2.2.1.6, then the <Assertion> element MUST be signed.

Other elements MUST NOT be signed.
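The structural constraints above (exactly one SignedInfo, SignatureValue and KeyInfo, no ds:Object, internal references only, Timestamp signed, To signed only under an asymmetric key, nothing else signed) can be checked on a received header before any cryptographic verification. The following Python is an added example, not part of this specification: it uses the standard WS-Security, WS-Addressing and XMLDSig namespaces, resolves "#id" references through wsu:Id attributes, and operates on a constructed sample header. The symmetric/asymmetric decision is passed in by the caller, since it depends on the token resolved from KeyInfo (sections 2.2.1.3.1, 2.2.1.5, 2.2.1.6).

```python
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"  # Clark notation: ElementTree tags read "{ns}local"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
WSA = "{http://www.w3.org/2005/08/addressing}"
REQUIRED_CHILDREN = (DS + "SignedInfo", DS + "SignatureValue", DS + "KeyInfo")

def check_security_signatures(header_xml: str, symmetric_key: bool) -> list[str]:
    """Structural checks from section 2.2.1.7 on a SOAP <Header>; returns the violations found."""
    header = ET.fromstring(header_xml)
    # wsu:Id -> element, so each "#id" Reference is resolved inside the message (internal refs only).
    by_id = {el.get(WSU + "Id"): el for el in header.iter() if el.get(WSU + "Id")}
    security = header.find(WSSE + "Security")
    if security is None:
        return ["no wsse:Security header"]
    timestamp = security.find(WSU + "Timestamp")
    problems = []
    for sig in security.findall(DS + "Signature"):
        if timestamp is None:
            problems.append("Signature present but wsu:Timestamp missing")
        for name in REQUIRED_CHILDREN:  # exactly one of each
            if len(sig.findall(name)) != 1:
                problems.append(f"expected exactly one {name.split('}')[1]}")
        for child in sig:  # anything else, e.g. ds:Object, is forbidden here
            if child.tag not in REQUIRED_CHILDREN:
                problems.append(f"forbidden Signature child {child.tag}")
        signed = set()
        for ref in sig.iter(DS + "Reference"):
            uri = ref.get("URI", "")
            target = by_id.get(uri[1:]) if uri.startswith("#") else None
            if target is None:
                problems.append(f"Reference {uri!r} is not an internal reference")
            else:
                signed.add(target.tag)
        if WSU + "Timestamp" not in signed:
            problems.append("Timestamp is not signed")
        if symmetric_key == (WSA + "To" in signed):  # To signed iff the key is asymmetric
            problems.append("To must be signed with an asymmetric key and unsigned with a symmetric one")
        for tag in sorted(signed - {WSU + "Timestamp", WSA + "To"}):
            problems.append(f"unexpected signed element {tag}")  # other elements MUST NOT be signed
    return problems

def sample_header(signed_ids) -> str:
    """Constructed SOAP Header: wsa:To plus a Security header whose Signature references signed_ids."""
    refs = "".join(f'<ds:Reference URI="#{i}"><ds:DigestValue/></ds:Reference>' for i in signed_ids)
    return (f'<s:Header xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="{WSA[1:-1]}" '
            f'xmlns:wsse="{WSSE[1:-1]}" xmlns:wsu="{WSU[1:-1]}" xmlns:ds="{DS[1:-1]}">'
            '<wsa:To wsu:Id="to">http://example.invalid/svc</wsa:To><wsse:Security><wsu:Timestamp wsu:Id="ts"/>'
            f'<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo><ds:SignatureValue>Qg==</ds:SignatureValue>'
            '<ds:KeyInfo><wsse:SecurityTokenReference/></ds:KeyInfo></ds:Signature></wsse:Security></s:Header>')
```

An empty result means the header is structurally conformant; signature verification, token resolution and Timestamp freshness are separate steps that follow.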