idnits 2.17.1 

draft-eastlake-rfc6931bis-xmlsec-uris-27.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 11, 2022) is 770 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '1600' on line 342

  -- Possible downref: Non-RFC (?) normative reference: ref. '10118-3'

  -- Possible downref: Non-RFC (?) normative reference: ref. '18033-2'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS180-4'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS186-4'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS202'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEEP1363a'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST800-208'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'RC4'

  ** Downref: Normative reference to an Informational RFC: RFC 1321

  ** Downref: Normative reference to an Informational RFC: RFC 2104

  ** Downref: Normative reference to an Informational RFC: RFC 2315

  ** Downref: Normative reference to an Informational RFC: RFC 3394

  ** Downref: Normative reference to an Informational RFC: RFC 3713

  ** Downref: Normative reference to an Informational RFC: RFC 4050

  ** Downref: Normative reference to an Informational RFC: RFC 4269

  ** Downref: Normative reference to an Informational RFC: RFC 5869

  ** Downref: Normative reference to an Informational RFC: RFC 6234

  ** Downref: Normative reference to an Informational RFC: RFC 7748

  ** Downref: Normative reference to an Informational RFC: RFC 8017

  ** Downref: Normative reference to an Informational RFC: RFC 8032

  ** Downref: Normative reference to an Informational RFC: RFC 8391

  ** Downref: Normative reference to an Informational RFC: RFC 8439

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SipHash1'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC10'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC11'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XPointer'

  -- Obsolete informational reference (is this intentional?): RFC 6931 (ref.
     'Err3597') (Obsoleted by RFC 9231)

  -- Duplicate reference: RFC6931, mentioned in 'Err3965', was also mentioned
     in 'Err3597'.

  -- Obsolete informational reference (is this intentional?): RFC 6931 (ref.
     'Err3965') (Obsoleted by RFC 9231)

  -- Duplicate reference: RFC6931, mentioned in 'Err4004', was also mentioned
     in 'Err3965'.

  -- Obsolete informational reference (is this intentional?): RFC 6931 (ref.
     'Err4004') (Obsoleted by RFC 9231)

  -- Obsolete informational reference (is this intentional?): RFC 3075
     (Obsoleted by RFC 3275)

  -- Duplicate reference: RFC6931, mentioned in 'RFC6931', was also mentioned
     in 'Err4004'.

  -- Obsolete informational reference (is this intentional?): RFC 6931
     (Obsoleted by RFC 9231)


     Summary: 14 errors (**), 0 flaws (~~), 1 warning (==), 23 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET-DRAFT                                               D. Eastlake
2	Obsoletes: 6931                                   Futurewei Technologies
3	Intended Status: Proposed Standard
4	Expires: September 10, 2022                               March 11, 2022

6	      Additional XML Security Uniform Resource Identifiers (URIs)
7	             <draft-eastlake-rfc6931bis-xmlsec-uris-27.txt>

9	Abstract

11	   This document updates and corrects the IANA "XML Security URIs"
12	   registry that lists URIs intended for use with XML digital
13	   signatures, encryption, canonicalization, and key management.  These
14	   URIs identify algorithms and types of information.  This document
15	   also updates, corrects three errata against, and obsoletes RFC 6931.

17	Status of This Memo
18	   This Internet-Draft is submitted in full conformance with the
19	   provisions of BCP 78 and BCP 79.

21	   Distribution of this document is unlimited. Comments should be sent
22	   to the author.

24	   Internet-Drafts are working documents of the Internet Engineering
25	   Task Force (IETF), its areas, and its working groups.  Note that
26	   other groups may also distribute working documents as Internet-
27	   Drafts.

29	   Internet-Drafts are draft documents valid for a maximum of six months
30	   and may be updated, replaced, or obsoleted by other documents at any
31	   time.  It is inappropriate to use Internet-Drafts as reference
32	   material or to cite them other than as "work in progress."

34	   The list of current Internet-Drafts can be accessed at
35	   https://www.ietf.org/1id-abstracts.html. The list of Internet-Draft
36	   Shadow Directories can be accessed at
37	   https://www.ietf.org/shadow.html.

39	Table of Contents

41	      1. Introduction............................................4
42	       1.1 Terminology...........................................5
43	       1.2 Acronyms..............................................5

45	      2. Algorithms..............................................7
46	       2.1 DigestMethod (Hash) Algorithms........................7
47	       2.1.1 MD5.................................................8
48	       2.1.2 SHA-224.............................................8
49	       2.1.3 SHA-384.............................................8
50	       2.1.4 Whirlpool...........................................9
51	       2.1.5 SHA3 Algorithms.....................................9
52	       2.2 SignatureMethod MAC Algorithms........................9
53	       2.2.1 HMAC-MD5...........................................10
54	       2.2.2 HMAC SHA Variations................................10
55	       2.2.3 HMAC-RIPEMD160.....................................11
56	       2.2.4 Poly1305...........................................11
57	       2.2.5 SipHash-2-4........................................11
58	       2.2.6 XMSS and XMSSMT....................................12
59	       2.3 SignatureMethod Public Key Signature Algorithms......14
60	       2.3.1 RSA-MD5............................................14
61	       2.3.2 RSA-SHA256.........................................15
62	       2.3.3 RSA-SHA384.........................................16
63	       2.3.4 RSA-SHA512.........................................16
64	       2.3.5 RSA-RIPEMD160......................................16
65	       2.3.6 ECDSA-SHA*, ECDSA-RIPEMD160, ECDSA-Whirlpool.......17
66	       2.3.7 ESIGN-SHA*.........................................17
67	       2.3.8 RSA-Whirlpool......................................18
68	       2.3.9 RSASSA-PSS with Parameters.........................18
69	       2.3.10 RSASSA-PSS without Parameters.....................20
70	       2.3.11 RSA-SHA224........................................20
71	       2.3.12 Edwards-Curve.....................................21
72	       2.4 Minimal Canonicalization.............................22
73	       2.5 Transform Algorithms.................................22
74	       2.5.1 XPointer...........................................22
75	       2.6 EncryptionMethod Algorithms..........................23
76	       2.6.1 ARCFOUR Encryption Algorithm.......................23
77	       2.6.2 Camellia Block Encryption..........................23
78	       2.6.3 Camellia Key Wrap..................................24
79	       2.6.4 PSEC-KEM, RSAES-KEM, and ECIES-KEM.................24
80	       2.6.5 SEED Block Encryption..............................25
81	       2.6.6 SEED Key Wrap......................................25
82	       2.6.7 ChaCha20...........................................26
83	       2.6.8 ChaCha20+Poly1305..................................26
84	       2.7 Key AgreementMethod Algorithms.......................27
85	       2.7.1 X25519 and X448 Key Agreement......................27
86	       2.7.2 HKDF Key Derivation................................27

88	Table of Contents (continued)

90	      3. KeyInfo................................................29
91	       3.1 PKCS #7 Bag of Certificates and CRLs.................29
92	       3.2 Additional RetrievalMethod Type Values...............29

94	      4. Indexes................................................30
95	       4.1 Index by Fragment Index..............................30
96	       4.2 Index by URI.........................................37

98	      5. Allocation Considerations..............................43
99	       5.1 W3C Allocation Considerations........................43
100	       5.2 IANA Considerations..................................43

102	      6. Security Considerations................................45

104	      Acknowledgements..........................................46

106	      Appendix A: Changes from [RFC6931]........................47
107	      Appendix B: Bad URIs......................................48

109	      Appendix Z: Change History................................49

111	      Normative References......................................51
112	      Informational References..................................55

114	      Author's Address..........................................59

116	1. Introduction

118	   XML digital signatures, canonicalization, and encryption were
119	   standardized by the W3C and by the joint IETF/W3C XMLDSIG working
120	   group [W3C] [XMLSEC].  These are now W3C Recommendations and some are
121	   also RFCs.  They are available as follows:

123	      RFC
124	      Status            W3C REC      Topic
125	      -----------       -------      -----

127	      [RFC3275]         [XMLDSIG10]  XML Digital Signatures
128	      Draft Standard

130	      [RFC3076]         [CANON10]    Canonical XML
131	      Informational

133	      - - - - - -       [XMLENC10]   XML Encryption 1.0

135	      [RFC3741]         [XCANON]     Exclusive XML Canonicalization 1.0
136	      Informational

138	   These documents and recommendations use URIs [RFC3986] to identify
139	   algorithms and keying information types.  The W3C has subsequently
140	   produced updated XML Signature 1.1 [XMLDSIG11], Canonical XML 1.1
141	   [CANON11], and XML Encryption 1.1 [XMLENC11] versions, as well as a
142	   new XML Signature Properties specification [XMLDSIG-PROP].

144	   In addition, the XML Encryption recommendation has been augmented by
145	   [GENERIC] which defines algorithms, XML types, and elements necessary
146	   to use generic hybrid ciphers in XML Security applications. [GENERIC]
147	   also provides for a key encapsulation algorithm and a data
148	   encapsulation algorithm, with the combination of the two forming the
149	   generic hybrid cipher.

151	   All camel-case element names (names with both interior upper and
152	   lower case letters) herein, such as DigestValue, are from these
153	   documents.

155	   This document is an updated convenient reference list of URIs and
156	   corresponding algorithms in which there is expressed interest.  This
157	   document fixes Errata [Err3597], [Err3965], [Err4004] against and
158	   obsoletes [RFC6931].

160	   All of the URIs for algorithms and data types herein are listed in
161	   the indexes in Section 4.  Of these URIs, those that were added by
162	   earlier RFCs or by this document have a subsection in Section 2 or 3.
163	   A few URIs defined elsewhere also have a subsection in Section 2 or 3
164	   but most such URIs do not. For example, use of SHA-256 as defined in
165	   [XMLENC11] has no subsection here but is included in the indexes in
166	   Section 4.

168	   Specification in this document of the URI representing an algorithm
169	   does not imply endorsement of the algorithm for any particular
170	   purpose.  A protocol specification, which this is not, generally
171	   gives algorithm and implementation requirements for the protocol.
172	   Security considerations for algorithms are constantly evolving, as
173	   documented elsewhere.  This specification simply provides some URIs
174	   and relevant formatting when those URIs are used.

176	   This document is not intended to change the algorithm implementation
177	   requirements of any IETF or W3C document. Use of [RFC2119]/[RFC8174]
178	   terminology is intended to be only such as is already stated or
179	   implied by other authoritative documents.

181	   Progressing XML Digital Signature [RFC3275] along the Standards Track
182	   required removal of any algorithms from the original version
183	   [RFC3075] for which there was not demonstrated interoperability.
184	   This required removal of the Minimal Canonicalization algorithm, in
185	   which there was continued interest.  The URI for Minimal
186	   Canonicalization was included in [RFC6931] and is included here.

188	1.1 Terminology

190	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
191	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
192	   "OPTIONAL" in this document are to be interpreted as described in BCP
193	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
194	   capitals, as shown here.

196	   "camel-case" refers to terms that are mostly lower case but have
197	   internal capital letters.

199	1.2 Acronyms

201	   The following acronyms are used in this document:

203	      AAD - Additional Authenticated Data

205	      AEAD - Authenticated Encryption with Additional Data

207	      HMAC - Hashed Message Authentication Code [RFC2104] [RFC5869]

209	      IETF - Internet Engineering Task Force <https://www.ietf.org>

211	      MAC - Message Authentication Code
212	      MD - Message Digest

214	      NIST - United States National Institute of Standards and
215	            Technology <https://www.nist.gov>

217	      RSA - Rivest, Shamir, and Adleman

219	      SHA - Secure Hash Algorithm

221	      URI - Uniform Resource Identifier [RFC3986]

223	      W3C - World Wide Web Consortium <https://www.w3.org>

225	      XML - eXtensible Markup Language

227	2. Algorithms

229	   The URI [RFC3986] that was dropped from the XML Digital Signature
230	   standard due to the transition from Proposed Standard to Draft
231	   Standard [RFC3275] is included in Section 2.4 below with its original

233	        http://www.w3.org/2000/09/xmldsig#

235	   prefix so as to avoid changing the XMLDSIG standard's namespace.

237	   Additional algorithms in RFC 4051 were given URIs that start with

239	        http://www.w3.org/2001/04/xmldsig-more#

241	   further algorithms added in [RFC6931] were given URIs that start with

243	        http://www.w3.org/2007/05/xmldsig-more#

245	   and algorithms added in this document are given URIs that start with

247	        http://www.w3.org/2021/04/xmldsig-more#

249	   In addition, for ease of reference, this document includes in the
250	   indexes in Section 4 many cryptographic algorithm URIs from XML
251	   security documents using the namespaces with which they are defined
252	   in those documents as follows:

254	        http://www.w3.org/2000/09/xmldsig#

256	   for some URIs specified in [RFC3275],

258	        http://www.w3.org/2001/04/xmlenc#

260	   for some URIs specified in [XMLENC10], and

262	        http://www.w3/org/xmlsec-ghc#

264	   for some URIs specified in [GENERIC].

266	   See also [XMLSECXREF].

268	2.1 DigestMethod (Hash) Algorithms

270	   These algorithms are usable wherever a DigestMethod element occurs.

272	2.1.1 MD5

274	   Identifier:
275	        http://www.w3.org/2001/04/xmldsig-more#md5

277	   The MD5 algorithm [RFC1321] takes no explicit parameters. An example
278	   of an MD5 DigestAlgorithm element is:

280	   <DigestAlgorithm
281	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/>

283	   An MD5 digest is a 128-bit string. The content of the DigestValue
284	   element SHALL be the base64 [RFC4648] encoding of this bit string
285	   viewed as a 16-octet stream. See [RFC6151] for MD5 security
286	   considerations.

288	2.1.2 SHA-224

290	   Identifier:
291	        http://www.w3.org/2001/04/xmldsig-more#sha224

293	   The SHA-224 algorithm [FIPS180-4] [RFC6234] takes no explicit
294	   parameters.  An example of a SHA-224 DigestAlgorithm element is:

296	   <DigestAlgorithm
297	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224" />

299	   A SHA-224 digest is a 224-bit string. The content of the DigestValue
300	   element SHALL be the base64 [RFC4648] encoding of this string viewed
301	   as a 28-octet stream.

303	2.1.3 SHA-384

305	   Identifier:
306	        http://www.w3.org/2001/04/xmldsig-more#sha384

308	   The SHA-384 algorithm [FIPS180-4] takes no explicit parameters.  An
309	   example of a SHA-384 DigestAlgorithm element is:

311	   <DigestAlgorithm
312	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" />

314	   A SHA-384 digest is a 384-bit string. The content of the DigestValue
315	   element SHALL be the base64 [RFC4648] encoding of this string viewed
316	   as a 48-octet stream.

318	2.1.4 Whirlpool

320	   Identifier:
321	        http://www.w3.org/2007/05/xmldsig-more#whirlpool

323	   The Whirlpool algorithm [10118-3] takes no explicit parameters. An
324	   example of a Whirlpool DigestAlgorithm element is:

326	   <DigestAlgorithm
327	      Algorithm="http://www.w3.org/2007/05/xmldsig-more#whirlpool" />

329	   A Whirlpool digest is a 512-bit string.  The content of the
330	   DigestValue element SHALL be the base64 [RFC4648] encoding of this
331	   string viewed as a 64-octet stream.

333	2.1.5 SHA3 Algorithms

335	   Identifiers:
336	        http://www.w3.org/2007/05/xmldsig-more#sha3-224
337	        http://www.w3.org/2007/05/xmldsig-more#sha3-256
338	        http://www.w3.org/2007/05/xmldsig-more#sha3-384
339	        http://www.w3.org/2007/05/xmldsig-more#sha3-512

341	   NIST conducted a hash function competition for an alternative to the
342	   SHA family.  The Keccak-f[1600] algorithm was selected [Keccak].
343	   This hash function is commonly referred to as "SHA-3" [FIPS202].

345	   A SHA-3 224, 256, 384, and 512 digest is a 224-, 256-, 384-, and
346	   512-bit string, respectively.  The content of the DigestValue element
347	   SHALL be the base64 [RFC4648] encoding of this string viewed as a
348	   28-, 32-, 48-, and 64-octet stream, respectively. An example of a
349	   SHA3-224 DigestAlgorithm element is:

351	   <DigestAlgorithm
352	      Algorithm="http://www.w3.org/2007/05/xmldsig-more#sha3-224" />

354	2.2 SignatureMethod MAC Algorithms

356	   This section covers SignatureMethod MAC (Message Authentication Code)
357	   Algorithms.

359	   Note: Some text in this section is duplicated from [RFC3275] for the
360	   convenience of the reader. [RFC3275] is normative in case of
361	   conflict.

363	2.2.1 HMAC-MD5

365	   Identifier:
366	        http://www.w3.org/2001/04/xmldsig-more#hmac-md5

368	   The HMAC algorithm [RFC2104] takes the truncation length in bits as a
369	   parameter; if the parameter is not specified, then all the bits of
370	   the hash are output. An example of an HMAC-MD5 SignatureMethod
371	   element is as follows:

373	   <SignatureMethod
374	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-md5">
375	      <HMACOutputLength>112</HMACOutputLength>
376	   </SignatureMethod>

378	   The output of the HMAC algorithm is the output (possibly truncated)
379	   of the chosen digest algorithm. This value SHALL be base64 [RFC4648]
380	   encoded in the same straightforward fashion as the output of the
381	   digest algorithms. Example: the SignatureValue element for the HMAC-
382	   MD5 digest

384	        9294727A 3638BB1C 13F48EF8 158BFC9D

386	   from the test vectors in [RFC2104] would be

388	        kpRyejY4uxwT9I74FYv8nQ==

390	   Schema Definition:

392	        <simpleType name="HMACOutputLength">
393	           <restriction base="integer"/>
394	        </simpleType>

396	   DTD:

398	        <!ELEMENT HMACOutputLength (#PCDATA) >

400	   The Schema Definition and DTD immediately above are copied from
401	   [RFC3275].

403	   See [RFC6151] for HMAC-MD5 security considerations.

405	2.2.2 HMAC SHA Variations

407	   Identifiers:
408	        http://www.w3.org/2001/04/xmldsig-more#hmac-sha224
409	        http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
410	        http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
411	        http://www.w3.org/2001/04/xmldsig-more#hmac-sha512

413	   SHA-224, SHA-256, SHA-384, and SHA-512 [FIPS180-4] [RFC6234] can also
414	   be used in HMAC as described in Section 2.2.1 above for HMAC-MD5.

416	2.2.3 HMAC-RIPEMD160

418	   Identifier:
419	        http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160

421	   RIPEMD-160 [10118-3] is a 160-bit hash that is used here in HMAC. The
422	   output can be optionally truncated. An example is as follows:

424	   <SignatureMethod
425	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160">
426	      <HMACOutputLength>144</HMACOutputLength>
427	   </SignatureMethod>

429	2.2.4 Poly1305

431	   Identifier:
432	        http://www.w3.org/2021/04/xmldsig-more#poly1305

434	   Poly1305 [RFC8439] [Poly1305] is a high-speed message authentication
435	   code algorithm. It takes a 32-octet one-time key and a message and
436	   produces a 16-octet tag which is used to authenticate the message. An
437	   example of a Poly1305 SignatureMethod element is as follows:

439	   <SignatureMethod
440	      Algorithm="http://www.w3.org/2021/04/xmldsig-more#poly1305"/>

442	2.2.5 SipHash-2-4

444	   Identifier:
445	        http://www.w3.org/2021/04/xmldsig-more#siphash-2-4

447	   SipHash [SipHash1] [SipHash2] computes a 64-bit MAC from a 128-bit
448	   secret key and a variable length message. An example of a SipHash-2-4
449	   SignatureMethod element is as follows:

451	   <SignatureMethod
452	      Algorithm="http://www.w3.org/2021/04/xmldsig-more#siphash-2-4"/>

454	2.2.6 XMSS and XMSSMT

456	   XMSS (eXtended Merkle Signature Scheme) and XMSSMT (XMSS Multi-Tree)
457	   [RFC8391] are stateful hash-based signature schemes [NIST800-208].
458	   According to NIST, it is believed that the security of these schemes
459	   depends only on the security of the underlying hash functions -- in
460	   particular the infeasibility of finding a preimage or a second
461	   preimage -- and it is believed that the security of these hash
462	   functions will not be broken by the development of large-scale
463	   quantum computers.

465	   For further information on the intended usage of these signature
466	   schemes and the careful state management required to maintain their
467	   strength, see [NIST800-208].

469	   IANA maintains a registry whose entries correspond to the XMSS
470	   Identifiers below (see [XMSS]). The fragment part of the URIs is
471	   formed by replacing occurrences of underscore ("_") in the name
472	   appearing in the IANA Registry with hyphen ("-").

474	   Identifiers for XMSS:
475	        http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-10-192
476	        http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-10-256
477	        http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-10-512
478	        http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-16-192
479	        http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-16-256
480	        http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-16-512
481	        http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-20-192
482	        http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-20-256
483	        http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-20-512
484	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake-10-256
485	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake-10-512
486	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake-16-256
487	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake-16-512
488	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake-20-256
489	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake-20-512
490	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-10-192
491	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-10-256
492	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-16-192
493	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-16-256
494	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-20-192
495	        http://www.w3.org/2021/04/xmldsig-more#xmss-shake256-20-256

497	   The hash functions used in the XMSS signature schemes above are SHA2
498	   [RFC6234] or one of the two the SHAKE extensible output functions
499	   [FIPS202] as indicated by the second token of the URI extension
500	   (SHAKE means SHAKE128). The tree height for XMSS is 10, 16, or 20 as
501	   indicated by the third token of the URI extension. The SHA2 or SHAKE
502	   output size is 192, 256, or 512 bits as indicated by the final token
503	   of the URI extension. SHA2 with 192 bits of output means
504	   SHA2-256/192, that is, the most significant 192 bits of the SHA-256
505	   hash as specified in [NIST800-208].

507	   IANA maintains a registry whose entries correspond to the XMSSMT
508	   Identifiers below (see [XMSS]). The fragment part of the URIs is
509	   formed by replacing occurrences of underscore ("_") and slash ("/")
510	   in the name appearing in the IANA Registry with hyphen ("-").

512	   Identifiers for XMSSMT:
513	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-2-192
514	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-2-256
515	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-2-512
516	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-4-192
517	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-4-256
518	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-20-4-512
519	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-2-192
520	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-2-256
521	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-2-512
522	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-4-192
523	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-4-256
524	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-4-512
525	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-8-192
526	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-8-256
527	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-40-8-512
528	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-3-192
529	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-3-256
530	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-3-512
531	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-6-192
532	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-6-256
533	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-6-512
534	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-12-192
535	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-12-256
536	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-sha2-60-12-512

538	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-20-2-256
539	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-20-2-512
540	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-20-4-256
541	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-20-4-512
542	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-2-256
543	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-2-512
544	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-4-256
545	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-4-512
546	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-8-256
547	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-40-8-512
548	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-3-256
549	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-3-512
550	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-6-256
551	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-6-512
552	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-12-256
553	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake-60-12-512
554	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-20-2-192
555	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-20-2-256
556	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-20-4-192
557	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-20-4-256
558	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-2-192
559	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-2-256
560	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-4-192
561	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-4-256
562	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-8-192
563	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-40-8-256
564	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-3-192
565	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-3-256
566	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-6-192
567	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-6-256
568	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-12-192
569	        http://www.w3.org/2021/04/xmldsig-more#xmssmt-shake256-60-12-256

571	   The hash functions used in the XMSSMT signature schemes above are
572	   SHA2 [RFC6234] or one of the two the SHAKE extensible output function
573	   [FIPS202] as indicated by the second token of the URI extension
574	   (SHAKE means SHAKE128). The tree height for XMSSMT is 20, 40, or 60
575	   as indicated by the third token of the URI extension. The number of
576	   layers is indicated by a fourth token. The SHA2, SHAKE, or SHAKE256
577	   output size is 192, 256, or 512 bits as indicated by the final token
578	   of the URI extension.  SHA2 with 192 bits of output means
579	   SHA2-256/192, that is, the most significant 192 bits of the SHA-256
580	   hash as specified in [NIST800-208].

582	   An example of an XMSS SignatureAlgorithm element is:

584	   <SignatureAlgorithm
585	     Algorithm="http://www.w3.org/2021/04/xmldsig-more#xmss-sha2-10-192"
586	     />

588	2.3 SignatureMethod Public Key Signature Algorithms

590	   These algorithms are distinguished from those in Section 2.2 above in
591	   that they use public key methods. That is to say, the signing key is
592	   different from and not feasibly derivable from the verification key.

594	2.3.1 RSA-MD5

596	   Identifier:
597	        http://www.w3.org/2001/04/xmldsig-more#rsa-md5

599	   This implies the PKCS#1 v1.5 padding algorithm described in
600	   [RFC8017]. An example of use is:

602	   <SignatureMethod
603	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5" />

605	   The SignatureValue content for an RSA-MD5 signature is the base64
606	   [RFC4648] encoding of the octet string computed as per [RFC8017],
607	   Section 8.2.1, signature generation for the RSASSA-PKCS1-v1_5
608	   signature scheme. As specified in the EMSA-PKCS1-V1_5-ENCODE function
609	   in [RFC8017], Section 9.2, the value input to the signature function
610	   MUST contain a prepended algorithm object identifier for the hash
611	   function, but the availability of an ASN.1 parser and recognition of
612	   OIDs is not required of a signature verifier. The PKCS#1 v1.5
613	   representation appears as:

615	        CRYPT (PAD (ASN.1 (OID, DIGEST (data))))

617	   The padded ASN.1 will be of the following form:

619	        01 | FF* | 00 | prefix | hash

621	   Vertical bar ("|") represents concatenation. "01", "FF", and "00" are
622	   fixed octets of the corresponding hexadecimal value, and the asterisk
623	   ("*") after "FF" indicates repetition. "hash" is the MD5 digest of
624	   the data. "prefix" is the ASN.1 BER MD5 algorithm designator prefix
625	   required in PKCS #1 [RFC8017], that is,

627	        hex 30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10

629	   This prefix is included to make it easier to use standard
630	   cryptographic libraries. The FF octet MUST be repeated enough times
631	   that the value of the quantity being CRYPTed is exactly one octet
632	   shorter than the RSA modulus.

634	   See [RFC6151] for MD5 security considerations.

636	2.3.2 RSA-SHA256

638	   Identifier:
639	        http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

641	   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
642	   in Section 2.3.1, but with the ASN.1 BER SHA-256 algorithm designator
643	   prefix.  An example of use is:

645	   <SignatureMethod
646	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

648	2.3.3 RSA-SHA384

650	   Identifier:
651	        http://www.w3.org/2001/04/xmldsig-more#rsa-sha384

653	   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
654	   in Section 2.3.1, but with the ASN.1 BER SHA-384 algorithm designator
655	   prefix.  An example of use is:

657	   <SignatureMethod
658	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" />

660	   Because it takes about the same effort to calculate a SHA-384 message
661	   digest as it does a SHA-512 message digest, it is suggested that RSA-
662	   SHA512 be used in preference to RSA-SHA384 where possible.

664	2.3.4 RSA-SHA512

666	   Identifier:
667	        http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

669	   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
670	   in Section 2.3.1, but with the ASN.1 BER SHA-512 algorithm designator
671	   prefix.  An example of use is:

673	   <SignatureMethod
674	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />

676	2.3.5 RSA-RIPEMD160

678	   Identifier:
679	        http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160

681	   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
682	   in Section 2.3.1, but with the ASN.1 BER RIPEMD160 algorithm
683	   designator prefix.  An example of use is:

685	   <SignatureMethod
686	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"
687	   />

689	2.3.6 ECDSA-SHA*, ECDSA-RIPEMD160, ECDSA-Whirlpool

691	   Identifiers:
692	        http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
693	        http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224
694	        http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
695	        http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
696	        http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
697	        http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-224
698	        http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-256
699	        http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-384
700	        http://www.w3.org/2021/04/xmldsig-more#ecdsa-sha3-512
701	        http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160
702	        http://www.w3.org/2007/05/xmldsig-more#ecdsa-whirlpool

704	   The Elliptic Curve Digital Signature Algorithm (ECDSA) [FIPS186-4] is
705	   the elliptic curve analogue of the Digital Signature Algorithm (DSA)
706	   signature method, i.e., the Digital Signature Standard (DSS). It
707	   takes no explicit parameters. For some detailed specifications of how
708	   to use it with SHA hash functions and XML Digital Signature, please
709	   see [X9.62] and [RFC4050].  The #sha3-*, #ecdsa-ripemd160, and
710	   #ecdsa-whirlpool fragments identify signature methods processed in
711	   the same way as specified by the #ecdsa-sha1 fragment, with the
712	   exception that a SHA3 function (see Section 2.1.5), RIPEMD160, or
713	   Whirlpool (see Section 2.1.4) is used instead of SHA-1.

715	   The output of the ECDSA algorithm consists of a pair of integers
716	   usually referred to as the pair (r, s).  The signature value consists
717	   of the base64 encoding of the concatenation of two octet streams that
718	   respectively result from the octet encoding of the values r and s in
719	   that order.  Conversion from integer to octet-stream must be done
720	   according to the I2OSP operation defined in the [RFC8017]
721	   specification with the l parameter equal to the size of the base
722	   point order of the curve in octets (e.g., 32 for the P-256 curve and
723	   66 for the P-521 curve [FIPS186-4]).

725	   For an introduction to elliptic curve cryptographic algorithms, see
726	   [RFC6090] and note the errata (Errata IDs 2773-2777).

728	2.3.7 ESIGN-SHA*

730	   Identifiers:
731	        http://www.w3.org/2001/04/xmldsig-more#esign-sha1
732	        http://www.w3.org/2001/04/xmldsig-more#esign-sha224
733	        http://www.w3.org/2001/04/xmldsig-more#esign-sha256
734	        http://www.w3.org/2001/04/xmldsig-more#esign-sha384
735	        http://www.w3.org/2001/04/xmldsig-more#esign-sha512

737	   The ESIGN algorithm specified in [IEEEP1363a] is a signature scheme
738	   based on the integer factorization problem.

740	   An example of use is:

742	   <SignatureMethod
743	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#esign-sha1"
744	   />

746	2.3.8 RSA-Whirlpool

748	   Identifier:
749	        http://www.w3.org/2007/05/xmldsig-more#rsa-whirlpool

751	   As in the definition of the RSA-SHA1 algorithm in [XMLDSIG11], the
752	   designator "RSA" means the RSASSA-PKCS1-v1_5 algorithm as defined in
753	   [RFC8017].  When identified through the #rsa-whirlpool fragment
754	   identifier, Whirlpool is used as the hash algorithm instead.  Use of
755	   the ASN.1 BER Whirlpool algorithm designator is implied. That
756	   designator is:

758	        hex 30 4e 30 0a 06 06 28 cf 06 03 00 37 05 00 04 40

760	   as an explicit octet sequence. This corresponds to OID
761	   1.0.10118.3.0.55 defined in [10118-3].

763	   An example of use is:

765	   <SignatureMethod
766	      Algorithm="http://www.w3.org/2007/05/xmldsig-more#rsa-whirlpool"
767	   />

769	2.3.9 RSASSA-PSS with Parameters

771	   Identifiers:
772	        http://www.w3.org/2007/05/xmldsig-more#rsa-pss
773	        http://www.w3.org/2007/05/xmldsig-more#MGF1

775	   These identifiers use the PKCS#1 EMSA-PSS encoding algorithm
776	   [RFC8017].  The RSASSA-PSS algorithm takes the digest method (hash
777	   function), a mask generation function, the salt length in octets
778	   (SaltLength), and the trailer field as explicit parameters.

780	   Algorithm identifiers for hash functions specified in XML encryption
781	   [XMLENC11] [XMLDSIG11] and in Section 2.1 are considered to be valid
782	   algorithm identifiers for hash functions.  According to [RFC8017],
783	   the default value for the digest function is SHA-1, but due to the
784	   discovered weakness of SHA-1 [RFC6194], it is recommended that
785	   SHA-256 or a stronger hash function be used. Notwithstanding
786	   [RFC8017], SHA-256 is the default to be used with these
787	   SignatureMethod identifiers if no hash function has been specified.

789	   The default salt length for these SignatureMethod identifiers, if the
790	   SaltLength is not specified, SHALL be the number of octets in the
791	   hash value of the digest method, as recommended in [RFC4055]. In a
792	   parameterized RSASSA-PSS signature the ds:DigestMethod and the
793	   SaltLength parameters usually appear. If they do not, the defaults
794	   make this equivalent to http://www.w3.org/2007/05/xmldsig-
795	   more#sha256-rsa-MGF1 (see Section 2.3.10). The TrailerField defaults
796	   to 1 (0xBC) when omitted.

798	   Schema Definition (target namespace
799	   http://www.w3.org/2007/05/xmldsig-more#):

801	      <xs:element name="RSAPSSParams" type="pss:RSAPSSParamsType">
802	          <xs:annotation>
803	              <xs:documentation>
804	      Top level element that can be used in xs:any namespace="#other"
805	      wildcard of ds:SignatureMethod content.
806	              </xs:documentation>
807	          </xs:annotation>
808	      </xs:element>
809	      <xs:complexType name="RSAPSSParamsType">
810	          <xs:sequence>
811	              <xs:element ref="ds:DigestMethod" minOccurs="0"/>
812	              <xs:element name="MaskGenerationFunction"
813	                 type="pss:MaskGenerationFunctionType" minOccurs="0"/>
814	              <xs:element name="SaltLength" type="xs:int"
815	                 minOccurs="0"/>
816	              <xs:element name="TrailerField" type="xs:int"
817	                 minOccurs="0"/>
818	          </xs:sequence>
819	      </xs:complexType>
820	      <xs:complexType name="MaskGenerationFunctionType">
821	          <xs:sequence>
822	              <xs:element ref="ds:DigestMethod" minOccurs="0"/>
823	          </xs:sequence>
824	          <xs:attribute name="Algorithm" type="xs:anyURI"
825	             default="http://www.w3.org/2007/05/xmldsig-more#MGF1"/>
826	      </xs:complexType>

828	2.3.10 RSASSA-PSS without Parameters

830	   [RFC8017] currently specifies only one mask generation function MGF1
831	   based on a hash function.  Although [RFC8017] allows for
832	   parameterization, the default is to use the same hash function as the
833	   digest method function.  Only this default approach is supported by
834	   this section; therefore, the definition of a mask generation function
835	   type is not needed yet.  The same applies to the trailer field. There
836	   is only one value (0xBC) specified in [RFC8017].  Hence, this default
837	   parameter must be used for signature generation. The default salt
838	   length is the length of the hash function.

840	   Identifiers:
841	        http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1
842	        http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1
843	        http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1
844	        http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1

846	        http://www.w3.org/2007/05/xmldsig-more#md2-rsa-MGF1
847	        http://www.w3.org/2007/05/xmldsig-more#md5-rsa-MGF1
848	        http://www.w3.org/2007/05/xmldsig-more#sha1-rsa-MGF1
849	        http://www.w3.org/2007/05/xmldsig-more#sha224-rsa-MGF1
850	        http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1
851	        http://www.w3.org/2007/05/xmldsig-more#sha384-rsa-MGF1
852	        http://www.w3.org/2007/05/xmldsig-more#sha512-rsa-MGF1
853	        http://www.w3.org/2007/05/xmldsig-more#ripemd128-rsa-MGF1
854	        http://www.w3.org/2007/05/xmldsig-more#ripemd160-rsa-MGF1
855	        http://www.w3.org/2007/05/xmldsig-more#whirlpool-rsa-MGF1

857	   An example of use is:

859	   <SignatureMethod
860	      Algorithm=
861	      "http://www.w3.org/2007/05/xmldsig-more#SHA3-256-rsa-MGF1"
862	   />

864	2.3.11 RSA-SHA224

866	   Identifier:
867	        http://www.w3.org/2001/04/xmldsig-more#rsa-sha224

869	   This implies the PKCS#1 v1.5 padding algorithm [RFC8017] as described
870	   in Section 2.3.1 but with the ASN.1 BER SHA-224 algorithm designator
871	   prefix.  An example of use is:

873	   <SignatureMethod
874	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224" />

876	   Because it takes about the same effort to calculate a SHA-224 message
877	   digest as it does a SHA-256 message digest, it is suggested that RSA-
878	   SHA256 be used in preference to RSA-SHA224 where possible.

880	   See also Appendix B concerning an erroneous version of this URI that
881	   appeared in [RFC6931].

883	2.3.12 Edwards-Curve

885	   The Edwards-curve Digital Signature Algorithm (EdDSA) is a variant of
886	   Schnorr's signature system with Edwards curves. A specification is
887	   provided and some advantages listed in [RFC8032]. The general EdDSA
888	   takes 11 parameters that must be carefully chosen for secure and
889	   efficient operation. Identifiers for two variants, Ed25519 and Ed448,
890	   are given below.

892	   Ed25519 uses 32-octet public keys and produces 64-octet signatures.
893	   It provides about 128 bits of security and uses SHA-512 [RFC6234]
894	   internally as part of signature generation.

896	   Ed448 uses 57-octet public keys and produces 114-octet signatures. It
897	   provides about 224 bits of security and uses "SHAKE256" [FIPS202]
898	   internally as part of signature generation.  (SHAKE256 is specified
899	   by NIST as an "Extensible Output Function" and not specified or
900	   approved by NIST as a secure hash function.)

902	   For further information on the variants of EdDSA identified below,
903	   see [RFC8032].

905	   Identifiers:
906	        http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ph
907	        http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519ctx
908	        http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519

910	        http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448
911	        http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448ph

913	   An example of use is:

915	   <SignatureMethod Algorithm=
916	      "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448" />

918	2.4 Minimal Canonicalization

920	   Thus far, two independent interoperable implementations of Minimal
921	   Canonicalization have not been announced.  Therefore, when XML
922	   Digital Signature was advanced along the Standards Track from
923	   [RFC3075] to [RFC3275], Minimal Canonicalization was dropped.
924	   However, there was still interest.  For its definition, see Section
925	   6.5.1 of [RFC3075].

927	   For reference, its identifier remains:
928	        http://www.w3.org/2000/09/xmldsig#minimal

930	2.5 Transform Algorithms

932	   The XPointer Transform algorithm syntax is described below. All
933	   CanonicalizationMethod algorithms can also be used as Transform
934	   algorithms.

936	2.5.1 XPointer

938	   Identifier:
939	        http://www.w3.org/2001/04/xmldsig-more#xptr

941	   This transform algorithm takes an [XPointer] as an explicit
942	   parameter.  An example of use is:

944	   <Transform
945	      Algorithm="http://www.w3.org/2001/04/xmldsig-more/xptr">
946	      <XPointer
947	         xmlns="http://www.w3.org/2001/04/xmldsig-more/xptr">
948	            xpointer(id("foo")) xmlns(bar=http://foobar.example)
949	            xpointer(//bar:Zab[@Id="foo"])
950	      </XPointer>
951	   </Transform>

953	   Schema Definition:

955	        <element name="XPointer" type="string"/>

957	   DTD:

959	        <!ELEMENT XPointer (#PCDATA) >

961	   Input to this transform is an octet stream (which is then parsed into
962	   XML).

964	   Output from this transform is a node set; the results of the XPointer
965	   are processed as defined in the XMLDSIG specification [RFC3275] for a
966	   same-document XPointer.

968	2.6 EncryptionMethod Algorithms

970	   This subsection gives identifiers and information for several
971	   EncryptionMethod Algorithms.

973	2.6.1 ARCFOUR Encryption Algorithm

975	   Identifier:
976	        http://www.w3.org/2001/04/xmldsig-more#arcfour

978	   ARCFOUR is a fast, simple stream encryption algorithm that is
979	   compatible with RSA Security's RC4 algorithm [RC4] (Rivest Cipher 4);
980	   however, RC4 has been found to have a number of weaknesses and its
981	   use is prohibited in several IETF protols, for example TLS [RFC7465].
982	   An example EncryptionMethod element using ARCFOUR is:

984	   <EncryptionMethod
985	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#arcfour">
986	      <KeySize>40</KeySize>
987	   </EncryptionMethod>

989	   Arcfour makes use of the generic KeySize parameter specified and
990	   defined in [XMLENC11].

992	2.6.2 Camellia Block Encryption

994	   Identifiers:
995	        http://www.w3.org/2001/04/xmldsig-more#camellia128-cbc
996	        http://www.w3.org/2001/04/xmldsig-more#camellia192-cbc
997	        http://www.w3.org/2001/04/xmldsig-more#camellia256-cbc

999	   Camellia is a block cipher with the same interface as the AES
1000	   [Camellia] [RFC3713]; it has a 128-bit block size and 128-, 192-, and
1001	   256-bit key sizes. In XML Encryption Camellia is used in the same way
1002	   as the AES: It is used in the Cipher Block Chaining (CBC) mode with a
1003	   128-bit initialization vector (IV). The resulting cipher text is
1004	   prefixed by the IV. If included in XML output, it is then base64
1005	   encoded. An example Camellia EncryptionMethod is as follows:

1007	   <EncryptionMethod
1008	      Algorithm=
1009	      "http://www.w3.org/2001/04/xmldsig-more#camellia128-cbc"
1010	   />

1012	2.6.3 Camellia Key Wrap

1014	   Identifiers:
1015	        http://www.w3.org/2001/04/xmldsig-more#kw-camellia128
1016	        http://www.w3.org/2001/04/xmldsig-more#kw-camellia192
1017	        http://www.w3.org/2001/04/xmldsig-more#kw-camellia256

1019	   Camellia [Camellia] [RFC3713] key wrap is identical to the AES key
1020	   wrap algorithm [RFC3394] specified in the XML Encryption standard
1021	   with "AES" replaced by "Camellia". As with AES key wrap, the check
1022	   value is 0xA6A6A6A6A6A6A6A6.

1024	   The algorithm is the same whatever the size of the Camellia key used
1025	   in wrapping, called the "key encrypting key" or "KEK". If Camellia is
1026	   supported, it is particularly suggested that wrapping 128-bit keys
1027	   with a 128-bit KEK and wrapping 256-bit keys with a 256-bit KEK be
1028	   supported.

1030	   An example of use is:

1032	   <EncryptionMethod
1033	      Algorithm=
1034	      "http://www.w3.org/2001/04/xmldsig-more#kw-camellia128"
1035	   />

1037	2.6.4 PSEC-KEM, RSAES-KEM, and ECIES-KEM

1039	   Identifiers:
1040	        http://www.w3.org/2001/04/xmldsig-more#psec-kem
1041	        http://www.w3.org/2010/xmlsec-ghc#rsaes-kem
1042	        http://www.w3.org/2010/xmlsec-ghc#ecies-kem

1044	   These algorithms, specified in [18033-2], are key encapsulation
1045	   mechanisms using elliptic curve or RSA encryption. RSAEA-KEM and
1046	   ECIES-KEM are also specified in [GENERIC].

1048	   An example of use of PSEC-KEM is:

1050	   <EncryptionMethod
1051	      Algorithm="http://www.w3.org/2001/04/xmldsig-more#psec-kem">
1052	      <ECParameters>
1053	         <Version>version</Version>
1054	         <FieldID>id</FieldID>
1055	         <Curve>curve</Curve>
1056	         <Base>base</Base>
1057	         <Order>order</Order>
1058	         <Cofactor>cofactor</Cofactor>
1059	      </ECParameters>
1060	   </EncryptionMethod>

1062	   See [18033-2] for information on the parameters above.

1064	2.6.5 SEED Block Encryption

1066	   Identifier:
1067	        http://www.w3.org/2007/05/xmldsig-more#seed128-cbc

1069	   SEED [RFC4269] is a block cipher with a 128-bit block size and
1070	   128-bit key size. In XML Encryption, SEED can be used in the Cipher
1071	   Block Chaining (CBC) mode with a 128-bit initialization vector (IV).
1072	   The resulting cipher text is prefixed by the IV. If included in XML
1073	   output, it is then base64 encoded.

1075	   An example SEED EncryptionMethod is as follows:

1077	   <EncryptionMethod
1078	      Algorithm="http://www.w3.org/2007/05/xmldsig-more#seed128-cbc" />

1080	2.6.6 SEED Key Wrap

1082	   Identifier:
1083	        http://www.w3.org/2007/05/xmldsig-more#kw-seed128

1085	   Key wrapping with SEED is identical to Section 2.2.1 of [RFC3394]
1086	   with "AES" replaced by "SEED". The algorithm is specified in
1087	   [RFC4010].  The implementation of SEED is optional. The default
1088	   initial value is 0xA6A6A6A6A6A6A6A6.

1090	   An example of use is:

1092	   <EncryptionMethod
1093	      Algorithm=
1094	      "http://www.w3.org/2007/05/xmldsig-more#kw-seed128"
1095	   />

1097	2.6.7 ChaCha20

1099	   Identifier:
1100	        http://www.w3.org/2021/04/xmldsig-more#chacha20

1102	   ChaCha20 [RFC8439], a stream cipher, is a variant of Salsa20
1103	   [ChaCha]. It is considerably faster than AES in software-only
1104	   implementations. In addition to a 256-bit key and the plain text to
1105	   be encrypted, ChaCha20 takes a 96-bit Nonce and an initial 32-bit
1106	   Counter. The Nonce and Counter are represented as hex in nested
1107	   elements as shown below.

1109	   An example of use is:

1111	   <EncryptionMethod
1112	      Algorithm=
1113	      "http://www.w3.org/2021/04/xmldsig-more#chacha20">
1114	      <Nonce>0123456789abcdef01234567</Nonce>
1115	      <Counter>fedcba09</Counter>
1116	   </EncryptionMethod>

1118	2.6.8 ChaCha20+Poly1305

1120	   Identifier:
1121	        http://www.w3.org/2021/04/xmldsig-more#chacha20poly1305

1123	   ChaCha20+Poly1305 is an Authenticated Encryption with Additional Data
1124	   (AEAD) algorithm. In addition to a 256-bit key and plain text to be
1125	   encrypted and authenticated, ChaCha20+Poly1305 takes a 96-bit Nonce
1126	   and variable length Additional Authenticated Data (AAD). The Nonce is
1127	   represented as a child element of the EncryptionMethod element with a
1128	   hex value. The AAD is a string which may be null. The AAD element may
1129	   be absent in which case the AAD is null. The CipherData, either
1130	   present in the CipherValue or by reference, is the concatenation of
1131	   the encrypted ChaCha20 output and the Poly1305 128-bit tag.

1133	   An example of use is:

1135	   <EncryptionMethod
1136	      Algorithm=
1137	      "http://www.w3.org/2021/04/xmldsig-more#chacha20poly1305">
1138	      <Nonce>0123456789abcdef01234567</Nonce>
1139	      <AAD>The quick brown fox jumps over the lazy dog.</AAD>
1140	   </EncryptionMethod>

1142	2.7 Key AgreementMethod Algorithms

1144	   This subsection gives identifiers and information
1145	     - for an additional key AgreementMethod Algorithm [XMLENC11] and
1146	     - for a key derivation function HKDF since such an algorithm fits
1147	       most naturally as an "AgreementMethod".

1149	2.7.1 X25519 and X448 Key Agreement

1151	   Identifier:
1152	        http://www.w3.org/2021/04/xmldsig-more#x25519
1153	        http://www.w3.org/2021/04/xmldsig-more#x448

1155	   The X25519 and X448 key agreement algorithms are specified in
1156	   [RFC7748].

1158	2.7.2 HKDF Key Derivation

1160	   This section covers the HMAC-based Extract-and-Expand Key Derivation
1161	   Function (HKDF [RFC5869]).

1163	   Identifier:
1164	        http://www.w3.org/2021/04/xmldsig-more#hkdf

1166	   Although perhaps not exactly the sort of key agreement algorithm for
1167	   which the AgreementMethod element was originally specified to go
1168	   under the KeyInfo element, this is the most natural way to classify
1169	   key derivation algorithms in XML security.

1171	   HKDF takes as inputs a hash function, an optional non-secret "salt",
1172	   initial keying material (IKM), optional context and application
1173	   specific "info", and the required output keying size. Note that these
1174	   strictly determine the output so, for example, invoking HKDF at
1175	   different times but with the same salt, info, initial keying
1176	   material, and output key size will produce identical output keying
1177	   material.

1179	   The inputs can be supplied to HKDF as follows:

1181	     hash function: The algorithm attribute of a child DigestMethod
1182	       element.

1184	     salt: The content of a Salt child element of AgreementMethod in
1185	       hex. If not provided, a string of zero octets as long as the hash
1186	       function output is used as specified in [RFC5869].

1188	     IKM: The content of an OriginatorKeyInfo child element of
1189	       AgreementMethod in hex. May be absent in some applications where
1190	       this is known through some other method.

1192	     info: The content of the KA-Nonce child element of AgreementMethod
1193	       in hex.

1195	     size: The content of a KeySize child element of AgreementMethod as
1196	       a decimal number.

1198	   Here is the test case from Section A.1 in Appendix A to [RFC5869] as
1199	   an example:

1201	   <AgreementMethod
1202	     algorithm="http://www.w3.org/2021/04/xmldsig-more#hkdf">
1203	     <DigestMethod
1204	       algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
1205	     <Salt>000102030405060708090a0b0c</Salt>
1206	     <OriginatorKeyInfo>0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
1207	     </OriginatorKeyInfo>
1208	     <KA-Nonce>f0f1f2f3f4f5f6f7f8f9</KA-Nonce>
1209	     <KeySize>42</KeySize>
1210	   </AgreementMethod>

1212	3. KeyInfo

1214	   In Section 3.1 below, a KeyInfo element child is specified, while in
1215	   Section 3.2, additional KeyInfo Type values for use in
1216	   RetrievalMethod are specified.

1218	3.1 PKCS #7 Bag of Certificates and CRLs

1220	   A PKCS #7 [RFC2315] "signedData" can also be used as a bag of
1221	   certificates and/or certificate revocation lists (CRLs).  The
1222	   PKCS7signedData element is defined to accommodate such structures
1223	   within KeyInfo.  The binary PKCS #7 structure is base64 [RFC4648]
1224	   encoded.  Any signer information present is ignored.  The following
1225	   is an example [RFC3092], eliding the base64 data:

1227	   <foo:PKCS7signedData
1228	      xmlns:foo="http://www.w3.org/2001/04/xmldsig-more">
1229	      ...
1230	   </foo:PKCS7signedData>

1232	3.2 Additional RetrievalMethod Type Values

1234	   The Type attribute of RetrievalMethod is an optional identifier for
1235	   the type of data to be retrieved. The result of dereferencing a
1236	   RetrievalMethod reference for all KeyInfo types with an XML structure
1237	   is an XML element or document with that element as the root. The
1238	   various "raw" key information types return a binary value. Thus, they
1239	   require a Type attribute because they are not unambiguously parsable.

1241	   Identifiers:
1242	        http://www.w3.org/2001/04/xmldsig-more#KeyName
1243	        http://www.w3.org/2001/04/xmldsig-more#KeyValue
1244	        http://www.w3.org/2001/04/xmldsig-more#PKCS7signedData
1245	        http://www.w3.org/2001/04/xmldsig-more#rawPGPKeyPacket
1246	        http://www.w3.org/2001/04/xmldsig-more#rawPKCS7signedData
1247	        http://www.w3.org/2001/04/xmldsig-more#rawSPKISexp
1248	        http://www.w3.org/2001/04/xmldsig-more#rawX509CRL
1249	        http://www.w3.org/2001/04/xmldsig-more#RetrievalMethod

1251	4. Indexes

1253	   The following subsections provide an index by URI and by fragment
1254	   identifier (the portion of the URI after "#") of the algorithm and
1255	   KeyInfo URIs defined in this document and in the standards plus the
1256	   one KeyInfo child element name defined in this document. The
1257	   "Sec/Doc" column has the section of this document or, if not
1258	   specified in this document, the standards document where the item is
1259	   specified. See also [XMLSECXREF].

1261	4.1 Index by Fragment Index

1263	   The initial "http://www.w3.org/" part of the URI is not included
1264	   below. The first six entries have a null fragment identifier or no
1265	   fragment identifier. "{Bad}" indicates a Bad value that was
1266	   accidentally included in [RFC6931]. Implementations SHOULD only
1267	   generate the correct URI but SHOULD understand both the correct and
1268	   erroneous URI. See also Appendix B.

1270	   Fragment            URI                                  Sec/Doc
1271	   ---------           ----                                --------
1272	                       2002/06/xmldsig-filter2               [XPATH]
1273	                       2006/12/xmlc12n11#   {Bad}          [CANON11]
1274	                       2006/12/xmlc14n11#                  [CANON11]
1275	                       TR/1999/REC-xslt-19991116              [XSLT]
1276	                       TR/1999/REC-xpath-19991116            [XPATH]
1277	                       TR/2001/06/xml-exc-c14n#             [XCANON]
1278	                       TR/2001/REC-xml-c14n-20010315       [CANON10]
1279	                       TR/2001/REC-xmlschema-1-20010502     [Schema]

1281	   aes128-cbc          2001/04/xmlenc#aes128-cbc          [XMLENC11]
1282	   aes128-gcm          2009/xmlenc11#aes128-gcm           [XMLENC11]
1283	   aes192-cbc          2001/04/xmlenc#aes192-cbc          [XMLENC11]
1284	   aes192-gcm          2009/xmlenc11#aes192-gcm           [XMLENC11]
1285	   aes256-cbc          2001/04/xmlenc#aes256-cbc          [XMLENC11]
1286	   aes256-gcm          2009/xmlenc11#aes256-gcm           [XMLENC11]
1287	   arcfour             2001/04/xmldsig-more#arcfour           2.6.1

1289	   base64              2000/09/xmldsig#base64              [RFC3275]

1291	   camellia128-cbc     2001/04/xmldsig-more#camellia128-cbc   2.6.2
1292	   camellia192-cbc     2001/04/xmldsig-more#camellia192-cbc   2.6.2
1293	   camellia256-cbc     2001/04/xmldsig-more#camellia256-cbc   2.6.2
1294	   chacha20            2021/04/xmldsig-more#chacha20          2.6.7
1295	   chacha20poly1305    2021/04/xmldsig-more#chacha20poly1305  2.6.8
1296	   ConcatKDF           2009/xmlenc11#ConcatKDF            [XMLENC11]
1297	   decrypt#XML         2002/07/decrypt#XML                 [DECRYPT]
1298	   decrypt#Binary      2002/07/decrypt#Binary              [DECRYPT]
1299	   DEREncodedKeyValue  2009/xmldsig11#DEREncodedKeyValue [XMLDSIG11]
1300	   dh                  2001/04/xmlenc#dh                  [XMLENC11]
1301	   dh-es               2009/xmlenc11#dh-es                [XMLENC11]
1302	   dsa-sha1            2000/09/xmldsig#dsa-sha1            [RFC3275]
1303	   dsa-sha256          2009/xmldsig11#dsa-sha256         [XMLDSIG11]
1304	   DSAKeyValue         2000/09/xmldsig#DSAKeyValue       [XMLDSIG11]

1306	   ECDH-ES             2009/xmlenc11#ECDH-ES              [XMLENC11]
1307	   ecdsa-ripemd160     2007/05/xmldsig-more#ecdsa-ripemd160   2.3.6
1308	   ecdsa-sha1          2001/04/xmldsig-more#ecdsa-sha1        2.3.6
1309	   ecdsa-sha224        2001/04/xmldsig-more#ecdsa-sha224      2.3.6
1310	   ecdsa-sha256        2001/04/xmldsig-more#ecdsa-sha256      2.3.6
1311	   ecdsa-sha384        2001/04/xmldsig-more#ecdsa-sha384      2.3.6
1312	   ecdsa-sha512        2001/04/xmldsig-more#ecdsa-sha512      2.3.6
1313	   ecdsa-sha3-224      2021/04/xmldsig-more#ecdsa-sha3-224    2.3.6
1314	   ecdsa-sha3-256      2021/04/xmldsig-more#ecdsa-sha3-256    2.3.6
1315	   ecdsa-sha3-384      2021/04/xmldsig-more#ecdsa-sha3-384    2.3.6
1316	   ecdsa-sha3-512      2021/04/xmldsig-more#ecdsa-sha3-512    2.3.6
1317	   ecdsa-whirlpool     2007/05/xmldsig-more#ecdsa-whirlpool   2.3.5
1318	   ecies-kem           2010/xmlsec-ghc#ecies-kem           [GENERIC]
1319	   ECKeyValue          2009/xmldsig11#ECKeyValue         [XMLDSIG11]
1320	   eddsa-ed25519       2021/04/xmldsig-more#eddsa-ed25519    2.3.12
1321	   eddsa-ed25519ctx    2021/04/xmldsig-more#eddsa-ed25519ctx 2.3.12
1322	   eddsa-ed25519ph     2021/04/xmldsig-more#eddsa-ed25519ph  2.3.12
1323	   eddsa-ed448         2021/04/xmldsig-more#eddsa-ed448      2.3.12
1324	   eddsa-ed448ph       2021/04/xmldsig-more#eddsa-ed448ph    2.3.12
1325	   enveloped-signature 2000/09/xmldsig#enveloped-signature [RFC3275]
1326	   esign-sha1          2001/04/xmldsig-more#esign-sha1        2.3.7
1327	   esign-sha224        2001/04/xmldsig-more#esign-sha224      2.3.7
1328	   esign-sha256        2001/04/xmldsig-more#esign-sha256      2.3.7
1329	   esign-sha384        2001/04/xmldsig-more#esign-sha384      2.3.7
1330	   esign-sha512        2001/04/xmldsig-more#esign-sha512      2.3.7

1332	   generic-hybrid      2010/xmlsec-ghc#generic-hybrid      [GENERIC]

1334	   hkdf                2021/04/xmldsig-more#hkdf              2.7.2
1335	   hmac-md5            2001/04/xmldsig-more#hmac-md5          2.2.1
1336	   hmac-ripemd160      2001/04/xmldsig-more#hmac-ripemd160    2.2.3
1337	   hmac-sha1           2000/09/xmldsig#hmac-sha1           [RFC3275]
1338	   hmac-sha224         2001/04/xmldsig-more#hmac-sha224       2.2.2
1339	   hmac-sha256         2001/04/xmldsig-more#hmac-sha256       2.2.2
1340	   hmac-sha384         2001/04/xmldsig-more#hmac-sha384       2.2.2
1341	   hmac-sha512         2001/04/xmldsig-more#hmac-sha512       2.2.2

1343	   KeyName             2001/04/xmldsig-more#KeyName           3.2
1344	   KeyValue            2001/04/xmldsig-more#KeyValue          3.2
1345	   kw-aes128           2001/04/xmlenc#kw-aes128           [XMLENC11]
1346	   kw-aes128-pad       2009/xmlenc11#kw-aes-128-pad       [XMLENC11]
1347	   kw-aes192           2001/04/xmlenc#kw-aes192           [XMLENC11]
1348	   kw-aes192-pad       2009/xmlenc11#kw-aes-192-pad       [XMLENC11]
1349	   kw-aes256           2001/04/xmlenc#kw-aes256           [XMLENC11]
1350	   kw-aes256-pad       2009/xmlenc11#kw-aes-256-pad       [XMLENC11]
1351	   kw-camellia128      2001/04/xmldsig-more#kw-camellia128    2.6.3
1352	   kw-camellia192      2001/04/xmldsig-more#kw-camellia192    2.6.3
1353	   kw-camellia256      2001/04/xmldsig-more#kw-camellia256    2.6.3
1354	   kw-seed128          2007/05/xmldsig-more#kw-seed128        2.6.6

1356	   md2-rsa-MGF1        2007/05/xmldsig-more#md2-rsa-MGF1      2.3.10
1357	   md5                 2001/04/xmldsig-more#md5               2.1.1
1358	   md5-rsa-MGF1        2007/05/xmldsig-more#md5-rsa-MGF1      2.3.10
1359	   MGF1                2007/05/xmldsig-more#MGF1              2.3.9
1360	   mgf1sha1            2009/xmlenc11#mgf1sha1             [XMLENC11]
1361	   mgf1sha224          2009/xmlenc11#mgf1sha224           [XMLENC11]
1362	   mgf1sha256          2009/xmlenc11#mgf1sha256           [XMLENC11]
1363	   mgf1sha384          2009/xmlenc11#mgf1sha384           [XMLENC11]
1364	   mgf1sha512          2009/xmlenc11#mgf1sha512           [XMLENC11]
1365	   MgmtData            2000/09/xmldsig#MgmtData          [XMLDSIG11]
1366	   minimal             2000/09/xmldsig#minimal                2.4

1368	   pbkdf2              2009/xmlenc11#pbkdf2               [XMLENC11]
1369	   PGPData             2000/09/xmldsig#PGPData           [XMLDSIG11]
1370	   PKCS7signedData     2001/04/xmldsig-more#PKCS7signedData   3.1
1371	   PKCS7signedData     2001/04/xmldsig-more#PKCS7signedData   3.2
1372	   poly1305            2021/04/xmldsig-more#poly1305          2.2.4
1373	   psec-kem            2001/04/xmldsig-more#psec-kem          2.6.4

1375	   rawPGPKeyPacket     2001/04/xmldsig-more#rawPGPKeyPacket   3.2
1376	   rawPKCS7signedData  2001/04/xmldsig-more#rawPKCS7signedData 3.2
1377	   rawSPKISexp         2001/04/xmldsig-more#rawSPKISexp       3.2
1378	   rawX509Certificate  2000/09/xmldsig#rawX509Certificate  [RFC3275]
1379	   rawX509CRL          2001/04/xmldsig-more#rawX509CRL        3.2
1380	   RetrievalMethod     2001/04/xmldsig-more#RetrievalMethod   3.2
1381	   ripemd128-rsa-MGF1  2007/05/xmldsig-more#ripemd128-rsa-MGF1
1382	                                                              2.3.10
1383	   ripemd160           2001/04/xmlenc#ripemd160           [XMLENC11]
1384	   ripemd160-rsa-MGF1  2007/05/xmldsig-more#ripemd160-rsa-MGF1
1385	                                                              2.3.10
1386	   rsa-1_5             2001/04/xmlenc#rsa-1_5             [XMLENC11]
1387	   rsa-md5             2001/04/xmldsig-more#rsa-md5           2.3.1
1388	   rsa-oaep            2009/xmlenc11#rsa-oaep             [XMLENC11]
1389	   rsa-oaep-mgf1p      2001/04/xmlenc#rsa-oaep-mgf1p      [XMLENC11]
1390	   rsa-pss             2007/05/xmldsig-more#rsa-pss           2.3.9
1391	   rsa-ripemd160       2001/04/xmldsig-more#rsa-ripemd160     2.3.5
1392	   rsa-sha1            2000/09/xmldsig#rsa-sha1            [RFC3275]
1393	   rsa-sha224          2007/05/xmldsig-more#rsa-sha224 {Bad}  2.3.11
1394	   rsa-sha224          2001/04/xmldsig-more#rsa-sha224        2.3.11
1395	   rsa-sha256          2001/04/xmldsig-more#rsa-sha256        2.3.2
1396	   rsa-sha384          2001/04/xmldsig-more#rsa-sha384        2.3.3
1397	   rsa-sha512          2001/04/xmldsig-more#rsa-sha512        2.3.4
1398	   rsa-whirlpool       2007/05/xmldsig-more#rsa-whirlpool     2.3.5
1399	   rsaes-kem           2010/xmlsec-ghc#rsaes-kem           [GENERIC]
1400	   RSAKeyValue         2000/09/xmldsig#RSAKeyValue       [XMLDSIG11]

1402	   seed128-cbc         2007/05/xmldsig-more#seed128-cbc       2.6.5
1403	   sha1                2000/09/xmldsig#sha1                [RFC3275]
1404	   sha1-rsa-MGF1       2007/05/xmldsig-more#sha1-rsa-MGF1     2.3.10
1405	   sha224              2001/04/xmldsig-more#sha224            2.1.2
1406	   sha224-rsa-MGF1     2007/05/xmldsig-more#sha224-rsa-MGF1   2.3.10
1407	   sha256              2001/04/xmlenc#sha256              [XMLENC11]
1408	   sha256-rsa-MGF1     2007/05/xmldsig-more#sha256-rsa-MGF1   2.3.10
1409	   sha3-224            2007/05/xmldsig-more#sha3-224          2.1.5
1410	   sha3-224-rsa-MGF1   2007/05/xmldsig-more#sha3-224-rsa-MGF1 2.3.10
1411	   sha3-256            2007/05/xmldsig-more#sha3-256          2.1.5
1412	   sha3-256-rsa-MGF1   2007/05/xmldsig-more#sha3-256-rsa-MGF1 2.3.10
1413	   sha3-384            2007/05/xmldsig-more#sha3-384          2.1.5
1414	   sha3-384-rsa-MGF1   2007/05/xmldsig-more#sha3-384-rsa-MGF1 2.3.10
1415	   sha3-512            2007/05/xmldsig-more#sha3-512          2.1.5
1416	   sha3-512-rsa-MGF1   2007/05/xmldsig-more#sha3-512-rsa-MGF1 2.3.10
1417	   sha384              2001/04/xmldsig-more#sha384            2.1.3
1418	   sha384-rsa-MGF1     2007/05/xmldsig-more#sha384-rsa-MGF1   2.3.10
1419	   sha512              2001/04/xmlenc#sha512              [XMLENC11]
1420	   sha512-rsa-MGF1     2007/05/xmldsig-more#sha512-rsa-MGF1   2.3.10
1421	   siphash-2-4         2021/04/xmldsig-more#siphash-2-4       2.2.5
1422	   SPKIData            2000/09/xmldsig#SPKIData          [XMLDSIG11]

1424	   tripledes-cbc       2001/04/xmlenc#tripledes-cbc       [XMLENC11]

1426	   whirlpool           2007/05/xmldsig-more#whirlpool         2.1.4
1427	   whirlpool-rsa-MGF1  2007/05/xmldsig-more#whirlpool-rsa-MGF1
1428	                                                              2.3.10
1429	   WithComments        2006/12/xmlc14n11#WithComments      [CANON11]
1430	   WithComments        TR/2001/06/xml-exc-c14n#WithComments
1431	                                                            [XCANON]
1432	   WithComments        TR/2001/REC-xml-c14n-20010315#WithComments
1433	                                                           [CANON10]

1435	   x25519              2021/04/xmldsig-more#x25519            2.7.1
1436	   x448                2021/04/xmldsig-more#x448              2.7.1
1437	   X509Data            2000/09/xmldsig#X509Data          [XMLDSIG11]

1439	   xmss-sha2-10-192    2021/04/xmldsig-more#xmss-sha2-10-192  2.2.6
1440	   xmss-sha2-10-256    2021/04/xmldsig-more#xmss-sha2-10-256  2.2.6
1441	   xmss-sha2-10-512    2021/04/xmldsig-more#xmss-sha2-10-512  2.2.6
1442	   xmss-sha2-16-192    2021/04/xmldsig-more#xmss-sha2-16-192  2.2.6
1443	   xmss-sha2-16-256    2021/04/xmldsig-more#xmss-sha2-16-256  2.2.6
1444	   xmss-sha2-16-512    2021/04/xmldsig-more#xmss-sha2-16-512  2.2.6
1445	   xmss-sha2-20-192    2021/04/xmldsig-more#xmss-sha2-20-192  2.2.6
1446	   xmss-sha2-20-256    2021/04/xmldsig-more#xmss-sha2-20-256  2.2.6
1447	   xmss-sha2-20-512    2021/04/xmldsig-more#xmss-sha2-20-512  2.2.6
1448	   xmss-shake-10-256   2021/04/xmldsig-more#xmss-shake-10-256 2.2.6
1449	   xmss-shake-10-512   2021/04/xmldsig-more#xmss-shake-10-512 2.2.6
1450	   xmss-shake-16-256   2021/04/xmldsig-more#xmss-shake-16-256 2.2.6
1451	   xmss-shake-16-512   2021/04/xmldsig-more#xmss-shake-16-512 2.2.6
1452	   xmss-shake-20-256   2021/04/xmldsig-more#xmss-shake-20-256 2.2.6
1453	   xmss-shake-20-512   2021/04/xmldsig-more#xmss-shake-20-512 2.2.6
1454	   xmss-shake256-10-192 2021/04/xmldsig-more#xmss-shake256-10-192
1455	                                                              2.2.6
1456	   xmss-shake256-10-256 2021/04/xmldsig-more#xmss-shake256-10-256
1457	                                                              2.2.6
1458	   xmss-shake256-16-192 2021/04/xmldsig-more#xmss-shake256-16-192
1459	                                                              2.2.6
1460	   xmss-shake256-16-256 2021/04/xmldsig-more#xmss-shake256-16-256
1461	                                                              2.2.6
1462	   xmss-shake256-20-192 2021/04/xmldsig-more#xmss-shake256-20-192
1463	                                                              2.2.6
1464	   xmss-shake256-20-256 2021/04/xmldsig-more#xmss-shake256-20-256
1465	                                                              2.2.6

1467	   xmssmt-sha2-20-2-192 2021/04/xmldsig-more#xmssmt-sha2-20-2-192
1468	                                                              2.2.6
1469	   xmssmt-sha2-20-2-256 2021/04/xmldsig-more#xmssmt-sha2-20-2-256
1470	                                                              2.2.6
1471	   xmssmt-sha2-20-2-256 2021/04/xmldsig-more#xmssmt-sha2-20-2-512
1472	                                                              2.2.6
1473	   xmssmt-sha2-20-4-192 2021/04/xmldsig-more#xmssmt-sha2-20-4-192
1474	                                                              2.2.6
1475	   xmssmt-sha2-20-4-256 2021/04/xmldsig-more#xmssmt-sha2-20-4-256
1476	                                                              2.2.6
1477	   xmssmt-sha2-20-4-256 2021/04/xmldsig-more#xmssmt-sha2-20-4-512
1478	                                                              2.2.6
1479	   xmssmt-sha2-40-2-192 2021/04/xmldsig-more#xmssmt-sha2-40-2-192
1480	                                                              2.2.6
1481	   xmssmt-sha2-40-2-256 2021/04/xmldsig-more#xmssmt-sha2-40-2-256
1482	                                                              2.2.6
1483	   xmssmt-sha2-40-2-256 2021/04/xmldsig-more#xmssmt-sha2-40-2-512
1484	                                                              2.2.6
1485	   xmssmt-sha2-40-4-192 2021/04/xmldsig-more#xmssmt-sha2-40-4-192
1486	                                                              2.2.6
1487	   xmssmt-sha2-40-4-256 2021/04/xmldsig-more#xmssmt-sha2-40-4-256
1488	                                                              2.2.6
1489	   xmssmt-sha2-40-4-256 2021/04/xmldsig-more#xmssmt-sha2-40-4-512
1490	                                                              2.2.6
1491	   xmssmt-sha2-40-8-192 2021/04/xmldsig-more#xmssmt-sha2-40-8-192
1492	                                                              2.2.6
1493	   xmssmt-sha2-40-8-256 2021/04/xmldsig-more#xmssmt-sha2-40-8-256
1494	                                                              2.2.6
1495	   xmssmt-sha2-40-8-256 2021/04/xmldsig-more#xmssmt-sha2-40-8-512
1496	                                                              2.2.6

1498	   xmssmt-sha2-60-3-192 2021/04/xmldsig-more#xmssmt-sha2-60-3-192
1499	                                                              2.2.6
1500	   xmssmt-sha2-60-3-256 2021/04/xmldsig-more#xmssmt-sha2-60-3-256
1501	                                                              2.2.6
1502	   xmssmt-sha2-60-3-256 2021/04/xmldsig-more#xmssmt-sha2-60-3-512
1503	                                                              2.2.6
1504	   xmssmt-sha2-60-6-192 2021/04/xmldsig-more#xmssmt-sha2-60-6-192
1505	                                                              2.2.6
1506	   xmssmt-sha2-60-6-256 2021/04/xmldsig-more#xmssmt-sha2-60-6-256
1507	                                                              2.2.6
1508	   xmssmt-sha2-60-6-256 2021/04/xmldsig-more#xmssmt-sha2-60-6-512
1509	                                                              2.2.6
1510	   xmssmt-sha2-60-12-192 2021/04/xmldsig-more#xmssmt-sha2-60-12-192
1511	                                                              2.2.6
1512	   xmssmt-sha2-60-12-256 2021/04/xmldsig-more#xmssmt-sha2-60-12-256
1513	                                                              2.2.6
1514	   xmssmt-sha2-60-12-256 2021/04/xmldsig-more#xmssmt-sha2-60-12-512
1515	                                                              2.2.6

1517	   xmssmt-shake-20-2-256 2021/04/xmldsig-more#xmssmt-shake-20-2-256
1518	                                                              2.2.6
1519	   xmssmt-shake-20-2-512 2021/04/xmldsig-more#xmssmt-shake-20-2-512
1520	                                                              2.2.6
1521	   xmssmt-shake-20-4-256 2021/04/xmldsig-more#xmssmt-shake-20-4-256
1522	                                                              2.2.6
1523	   xmssmt-shake-20-4-512 2021/04/xmldsig-more#xmssmt-shake-20-4-512
1524	                                                              2.2.6
1525	   xmssmt-shake-40-2-256 2021/04/xmldsig-more#xmssmt-shake-40-2-256
1526	                                                              2.2.6
1527	   xmssmt-shake-40-2-512 2021/04/xmldsig-more#xmssmt-shake-40-2-512
1528	                                                              2.2.6
1529	   xmssmt-shake-40-4-256 2021/04/xmldsig-more#xmssmt-shake-40-4-256
1530	                                                              2.2.6
1531	   xmssmt-shake-40-4-512 2021/04/xmldsig-more#xmssmt-shake-40-4-512
1532	                                                              2.2.6
1533	   xmssmt-shake-40-8-256 2021/04/xmldsig-more#xmssmt-shake-40-8-256
1534	                                                              2.2.6
1535	   xmssmt-shake-40-8-512 2021/04/xmldsig-more#xmssmt-shake-40-8-512
1536	                                                              2.2.6
1537	   xmssmt-shake-60-3-256 2021/04/xmldsig-more#xmssmt-shake-60-3-256
1538	                                                              2.2.6
1539	   xmssmt-shake-60-3-512 2021/04/xmldsig-more#xmssmt-shake-60-3-512
1540	                                                              2.2.6
1541	   xmssmt-shake-60-6-256 2021/04/xmldsig-more#xmssmt-shake-60-6-256
1542	                                                              2.2.6
1543	   xmssmt-shake-60-6-512 2021/04/xmldsig-more#xmssmt-shake-60-6-512
1544	                                                              2.2.6

1546	   xmssmt-shake-60-12-256 2021/04/xmldsig-more#xmssmt-shake-20-12-256
1547	                                                              2.2.6
1548	   xmssmt-shake-60-12-512 2021/04/xmldsig-more#xmssmt-shake-20-12-512
1549	                                                              2.2.6

1551	   xmssmt-shake256-20-2-192
1552	                2021/04/xmldsig-more#xmssmt-shake256-20-2-192 2.2.6
1553	   xmssmt-shake256-20-2-256
1554	                2021/04/xmldsig-more#xmssmt-shake256-20-2-256 2.2.6
1555	   xmssmt-shake256-20-4-192
1556	                2021/04/xmldsig-more#xmssmt-shake256-20-4-192 2.2.6
1557	   xmssmt-shake256-20-4-256
1558	                2021/04/xmldsig-more#xmssmt-shake256-20-4-256 2.2.6
1559	   xmssmt-shake256-40-2-192
1560	                2021/04/xmldsig-more#xmssmt-shake256-40-2-192 2.2.6
1561	   xmssmt-shake256-40-2-256
1562	                2021/04/xmldsig-more#xmssmt-shake256-40-2-256 2.2.6
1563	   xmssmt-shake256-40-4-192
1564	                2021/04/xmldsig-more#xmssmt-shake256-40-4-192 2.2.6
1565	   xmssmt-shake256-40-4-256
1566	                2021/04/xmldsig-more#xmssmt-shake256-40-4-256 2.2.6
1567	   xmssmt-shake256-40-8-192
1568	                2021/04/xmldsig-more#xmssmt-shake256-40-8-192 2.2.6
1569	   xmssmt-shake256-40-8-256
1570	                2021/04/xmldsig-more#xmssmt-shake256-40-8-256 2.2.6
1571	   xmssmt-shake256-60-3-192
1572	                2021/04/xmldsig-more#xmssmt-shake256-60-3-192 2.2.6
1573	   xmssmt-shake256-60-3-256
1574	                2021/04/xmldsig-more#xmssmt-shake256-60-3-256 2.2.6
1575	   xmssmt-shake256-60-6-192
1576	                2021/04/xmldsig-more#xmssmt-shake256-60-6-192 2.2.6
1577	   xmssmt-shake256-60-6-256
1578	                2021/04/xmldsig-more#xmssmt-shake256-60-6-256 2.2.6
1579	   xmssmt-shake256-60-12-192
1580	               2021/04/xmldsig-more#xmssmt-shake256-60-12-192 2.2.6
1581	   xmssmt-shake256-60-12-256
1582	               2021/04/xmldsig-more#xmssmt-shake256-60-12-256 2.2.6

1584	   xptr                2001/04/xmldsig-more#xptr              2.5.1
1585	   ---------           ----                                --------
1586	    Fragment            URI                                  Sec/Doc

1588	   The initial "http://www.w3.org/" part of the URI is not included
1589	   above.

1591	4.2 Index by URI

1593	   The initial "http://www.w3.org/" part of the URI is not included
1594	   below. "{Bad}" indicates a Bad value that was accidentally included
1595	   in [RFC6931]. Implementations SHOULD only generate the correct URI
1596	   but SHOULD understand both the correct and erroneous URI. See also
1597	   Appendix B.

1599	   URI                                 Sec/Doc       Type
1600	   ----                                --------     ------
1601	   2000/09/xmldsig#base64              [RFC3275]    Transform
1602	   2000/09/xmldsig#DSAKeyValue         [RFC3275]    Retrieval type
1603	   2000/09/xmldsig#dsa-sha1            [RFC3275]    SignatureMethod
1604	   2000/09/xmldsig#enveloped-signature [RFC3275]    Transform
1605	   2000/09/xmldsig#hmac-sha1           [RFC3275]    SignatureMethod
1606	   2000/09/xmldsig#MgmtData            [RFC3275]    Retrieval type
1607	   2000/09/xmldsig#minimal                2.4       Canonicalization
1608	   2000/09/xmldsig#PGPData             [RFC3275]    Retrieval type
1609	   2000/09/xmldsig#rawX509Certificate  [RFC3275]    Retrieval type
1610	   2000/09/xmldsig#rsa-sha1            [RFC3275]    SignatureMethod
1611	   2000/09/xmldsig#RSAKeyValue         [RFC3275]    Retrieval type
1612	   2000/09/xmldsig#sha1                [RFC3275]    DigestAlgorithm
1613	   2000/09/xmldsig#SPKIData            [RFC3275]    Retrieval type
1614	   2000/09/xmldsig#X509Data            [RFC3275]    Retrieval type

1616	   2001/04/xmldsig-more#arcfour           2.6.1     EncryptionMethod
1617	   2001/04/xmldsig-more#camellia128-cbc   2.6.2     EncryptionMethod
1618	   2001/04/xmldsig-more#camellia192-cbc   2.6.2     EncryptionMethod
1619	   2001/04/xmldsig-more#camellia256-cbc   2.6.2     EncryptionMethod
1620	   2001/04/xmldsig-more#ecdsa-sha1        2.3.6     SignatureMethod
1621	   2001/04/xmldsig-more#ecdsa-sha224      2.3.6     SignatureMethod
1622	   2001/04/xmldsig-more#ecdsa-sha256      2.3.6     SignatureMethod
1623	   2001/04/xmldsig-more#ecdsa-sha384      2.3.6     SignatureMethod
1624	   2001/04/xmldsig-more#ecdsa-sha512      2.3.6     SignatureMethod
1625	   2001/04/xmldsig-more#esign-sha1        2.3.7     SignatureMethod
1626	   2001/04/xmldsig-more#esign-sha224      2.3.7     SignatureMethod
1627	   2001/04/xmldsig-more#esign-sha256      2.3.7     SignatureMethod
1628	   2001/04/xmldsig-more#esign-sha384      2.3.7     SignatureMethod
1629	   2001/04/xmldsig-more#esign-sha512      2.3.7     SignatureMethod
1630	   2001/04/xmldsig-more#hmac-md5          2.2.1     SignatureMethod
1631	   2001/04/xmldsig-more#hmac-ripemd160    2.2.3     SignatureMethod
1632	   2001/04/xmldsig-more#hmac-sha224       2.2.2     SignatureMethod
1633	   2001/04/xmldsig-more#hmac-sha256       2.2.2     SignatureMethod
1634	   2001/04/xmldsig-more#hmac-sha384       2.2.2     SignatureMethod
1635	   2001/04/xmldsig-more#hmac-sha512       2.2.2     SignatureMethod
1636	   2001/04/xmldsig-more#KeyName           3.2       Retrieval type
1637	   2001/04/xmldsig-more#KeyValue          3.2       Retrieval type
1638	   2001/04/xmldsig-more#kw-camellia128    2.6.3     EncryptionMethod
1639	   2001/04/xmldsig-more#kw-camellia192    2.6.3     EncryptionMethod
1640	   2001/04/xmldsig-more#kw-camellia256    2.6.3     EncryptionMethod
1641	   2001/04/xmldsig-more#md5               2.1.1     DigestAlgorithm
1642	   2001/04/xmldsig-more#PKCS7signedData   3.2       Retrieval type
1643	   2001/04/xmldsig-more#psec-kem          2.6.4     EncryptionMethod
1644	   2001/04/xmldsig-more#rawPGPKeyPacket   3.2       Retrieval type
1645	   2001/04/xmldsig-more#rawPKCS7signedData 3.2      Retrieval type
1646	   2001/04/xmldsig-more#rawSPKISexp       3.2       Retrieval type
1647	   2001/04/xmldsig-more#rawX509CRL        3.2       Retrieval type
1648	   2001/04/xmldsig-more#RetrievalMethod   3.2       Retrieval type
1649	   2001/04/xmldsig-more#rsa-md5           2.3.1     SignatureMethod
1650	   2001/04/xmldsig-more#rsa-sha224        2.3.11    SignatureMethod
1651	   2001/04/xmldsig-more#rsa-sha256        2.3.2     SignatureMethod
1652	   2001/04/xmldsig-more#rsa-sha384        2.3.3     SignatureMethod
1653	   2001/04/xmldsig-more#rsa-sha512        2.3.4     SignatureMethod
1654	   2001/04/xmldsig-more#rsa-ripemd160     2.3.5     SignatureMethod
1655	   2001/04/xmldsig-more#sha224            2.1.2     DigestAlgorithm
1656	   2001/04/xmldsig-more#sha384            2.1.3     DigestAlgorithm
1657	   2001/04/xmldsig-more#xptr              2.5.1     Transform
1658	   2001/04/xmldsig-more#PKCS7signedData   3.1       KeyInfo child

1660	   2001/04/xmlenc#aes128-cbc          [XMLENC11]    EncryptionMethod
1661	   2001/04/xmlenc#aes192-cbc          [XMLENC11]    EncryptionMethod
1662	   2001/04/xmlenc#aes256-cbc          [XMLENC11]    EncryptionMethod
1663	   2001/04/xmlenc#dh                  [XMLENC11]    AgreementMethod
1664	   2001/04/xmlenc#kw-aes128           [XMLENC11]    EncryptionMethod
1665	   2001/04/xmlenc#kw-aes192           [XMLENC11]    EncryptionMethod
1666	   2001/04/xmlenc#kw-aes256           [XMLENC11]    EncryptionMethod
1667	   2001/04/xmlenc#ripemd160           [XMLENC11]    DigestAlgorithm
1668	   2001/04/xmlenc#rsa-1_5             [XMLENC11]    EncryptionMethod
1669	   2001/04/xmlenc#rsa-oaep-mgf1p      [XMLENC11]    EncryptionMethod
1670	   2001/04/xmlenc#sha256              [XMLENC11]    DigestAlgorithm
1671	   2001/04/xmlenc#sha512              [XMLENC11]    DigestAlgorithm
1672	   2001/04/xmlenc#tripledes-cbc       [XMLENC11]    EncryptionMethod

1674	   2002/06/xmldsig-filter2               [XPATH]    Transform

1676	   2002/07/decrypt#XML                 [DECRYPT]    Transform
1677	   2002/07/decrypt#Binary              [DECRYPT]    Transform

1679	   2006/12/xmlc12n11#   {Bad}          [CANON11]    Canonicalization
1680	   2006/12/xmlc14n11#                  [CANON11]    Canonicalization
1681	   2006/12/xmlc14n11#WithComments      [CANON11]    Canonicalization

1683	   2007/05/xmldsig-more#ecdsa-ripemd160   2.3.6     SignatureMethod
1684	   2007/05/xmldsig-more#ecdsa-whirlpool   2.3.5     SignatureMethod
1685	   2007/05/xmldsig-more#kw-seed128        2.6.6     EncryptionMethod
1686	   2007/05/xmldsig-more#md2-rsa-MGF1      2.3.10    SignatureMethod
1687	   2007/05/xmldsig-more#md5-rsa-MGF1      2.3.10    SignatureMethod
1688	   2007/05/xmldsig-more#MGF1              2.3.9     SignatureMethod
1689	   2007/05/xmldsig-more#ripemd128-rsa-MGF1 2.3.10   SignatureMethod
1690	   2007/05/xmldsig-more#ripemd160-rsa-MGF1 2.3.10   SignatureMethod
1691	   2007/05/xmldsig-more#rsa-pss           2.3.9     SignatureMethod
1692	   2007/05/xmldsig-more#rsa-sha224 {Bad}  2.3.11    SignatureMethod
1693	   2007/05/xmldsig-more#rsa-whirlpool     2.3.5     SignatureMethod
1694	   2007/05/xmldsig-more#seed128-cbc       2.6.5     EncryptionMethod
1695	   2007/05/xmldsig-more#sha1-rsa-MGF1     2.3.10    SignatureMethod
1696	   2007/05/xmldsig-more#sha224-rsa-MGF1   2.3.10    SignatureMethod
1697	   2007/05/xmldsig-more#sha256-rsa-MGF1   2.3.10    SignatureMethod
1698	   2007/05/xmldsig-more#sha3-224          2.1.5     DigestAlgorithm
1699	   2007/05/xmldsig-more#sha3-224-rsa-MGF1 2.3.10    SignatureMethod
1700	   2007/05/xmldsig-more#sha3-256          2.1.5     DigestAlgorithm
1701	   2007/05/xmldsig-more#sha3-256-rsa-MGF1 2.3.10    SignatureMethod
1702	   2007/05/xmldsig-more#sha3-384          2.1.5     DigestAlgorithm
1703	   2007/05/xmldsig-more#sha3-384-rsa-MGF1 2.3.10    SignatureMethod
1704	   2007/05/xmldsig-more#sha3-512          2.1.5     DigestAlgorithm
1705	   2007/05/xmldsig-more#sha3-512-rsa-MGF1 2.3.10    SignatureMethod
1706	   2007/05/xmldsig-more#sha384-rsa-MGF1   2.3.10    SignatureMethod
1707	   2007/05/xmldsig-more#sha512-rsa-MGF1   2.3.10    SignatureMethod
1708	   2007/05/xmldsig-more#whirlpool         2.1.4     DigestAlgorithm
1709	   2007/05/xmldsig-more#whirlpool-rsa-MGF1 2.3.10   SignatureMethod
1710	   2009/xmlenc11#kw-aes-128-pad       [XMLENC11]    EncryptionMethod
1711	   2009/xmlenc11#kw-aes-192-pad       [XMLENC11]    EncryptionMethod
1712	   2009/xmlenc11#kw-aes-256-pad       [XMLENC11]    EncryptionMethod

1714	   2009/xmldsig11#dsa-sha256         [XMLDSIG11]    SignatureMethod
1715	   2009/xmldsig11#ECKeyValue         [XMLDSIG11]    Retrieval type
1716	   2009/xmldsig11#DEREncodedKeyValue [XMLDSIG11]    Retrieval type

1718	   2009/xmlenc11#aes128-gcm           [XMLENC11]    EncryptionMethod
1719	   2009/xmlenc11#aes192-gcm           [XMLENC11]    EncryptionMethod
1720	   2009/xmlenc11#aes256-gcm           [XMLENC11]    EncryptionMethod
1721	   2009/xmlenc11#ConcatKDF            [XMLENC11]    EncryptionMethod
1722	   2009/xmlenc11#mgf1sha1             [XMLENC11]    SignatureMethod
1723	   2009/xmlenc11#mgf1sha224           [XMLENC11]    SignatureMethod
1724	   2009/xmlenc11#mgf1sha256           [XMLENC11]    SignatureMethod
1725	   2009/xmlenc11#mgf1sha384           [XMLENC11]    SignatureMethod
1726	   2009/xmlenc11#mgf1sha512           [XMLENC11]    SignatureMethod
1727	   2009/xmlenc11#pbkdf2               [XMLENC11]    EncryptionMethod
1728	   2009/xmlenc11#rsa-oaep             [XMLENC11]    EncryptionMethod
1729	   2009/xmlenc11#ECDH-ES              [XMLENC11]    EncryptionMethod
1730	   2009/xmlenc11#dh-es                [XMLENC11]    EncryptionMethod

1732	   2010/xmlsec-ghc#generic-hybrid      [GENERIC]    Generic Hybrid
1733	   2010/xmlsec-ghc#rsaes-kem           [GENERIC]    Generic Hybrid
1734	   2010/xmlsec-ghc#ecies-kem           [GENERIC]    Generic Hybrid

1736	   2021/04/xmldsig-more#chacha20           2.6.7    EncryptionMethod
1737	   2021/04/xmldsig-more#chacha20poly1305   2.6.8    EncryptionMethod
1738	   2021/04/xmldsig-more#ecdsa-sha3-224     2.3.6    SignatureMethod
1739	   2021/04/xmldsig-more#ecdsa-sha3-256     2.3.6    SignatureMethod
1740	   2021/04/xmldsig-more#ecdsa-sha3-384     2.3.6    SignatureMethod
1741	   2021/04/xmldsig-more#ecdsa-sha3-512     2.3.6    SignatureMethod
1742	   2021/04/xmldsig-more#eddsa-ed25519ph   2.3.12    SignatureMethod
1743	   2021/04/xmldsig-more#eddsa-ed25519ctx  2.3.12    SignatureMethod
1744	   2021/04/xmldsig-more#eddsa-ed25519     2.3.12    SignatureMethod
1745	   2021/04/xmldsig-more#eddsa-ed448       2.3.12    SignatureMethod
1746	   2021/04/xmldsig-more#eddsa-ed448ph     2.3.12    SignatureMethod
1747	   2021/04/xmldsig-more#hkdf               2.7.2    AgreementMethod
1748	   2021/04/xmldsig-more#po1y305            2.2.4    SignatureMethod
1749	   2021/04/xmldsig-more#siphash-2-4        2.2.5    SignatureMethod
1750	   2021/04/xmldsig-more#x25519             2.7.1    AgreementMethod
1751	   2021/04/xmldsig-more#x448               2.7.1    AgreementMethod

1753	   2021/04/xmldsig-more#xmss-sha2-10-192   2.2.6    SignatureMethod
1754	   2021/04/xmldsig-more#xmss-sha2-10-256   2.2.6    SignatureMethod
1755	   2021/04/xmldsig-more#xmss-sha2-10-512   2.2.6    SignatureMethod
1756	   2021/04/xmldsig-more#xmss-sha2-16-192   2.2.6    SignatureMethod
1757	   2021/04/xmldsig-more#xmss-sha2-16-256   2.2.6    SignatureMethod
1758	   2021/04/xmldsig-more#xmss-sha2-16-512   2.2.6    SignatureMethod
1759	   2021/04/xmldsig-more#xmss-sha2-20-192   2.2.6    SignatureMethod
1760	   2021/04/xmldsig-more#xmss-sha2-20-256   2.2.6    SignatureMethod
1761	   2021/04/xmldsig-more#xmss-sha2-20-512   2.2.6    SignatureMethod
1762	   2021/04/xmldsig-more#xmss-shake-10-256  2.2.6    SignatureMethod
1763	   2021/04/xmldsig-more#xmss-shake-10-512  2.2.6    SignatureMethod
1764	   2021/04/xmldsig-more#xmss-shake-16-256  2.2.6    SignatureMethod
1765	   2021/04/xmldsig-more#xmss-shake-16-512  2.2.6    SignatureMethod
1766	   2021/04/xmldsig-more#xmss-shake-20-256  2.2.6    SignatureMethod
1767	   2021/04/xmldsig-more#xmss-shake-20-512  2.2.6    SignatureMethod
1768	   2021/04/xmldsig-more#xmss-shake256-10-192 2.2.6  SignatureMethod
1769	   2021/04/xmldsig-more#xmss-shake256-10-256 2.2.6  SignatureMethod
1770	   2021/04/xmldsig-more#xmss-shake256-16-192 2.2.6  SignatureMethod
1771	   2021/04/xmldsig-more#xmss-shake256-16-256 2.2.6  SignatureMethod
1772	   2021/04/xmldsig-more#xmss-shake256-20-192 2.2.6  SignatureMethod
1773	   2021/04/xmldsig-more#xmss-shake256-20-256 2.2.6  SignatureMethod

1775	   2021/04/xmldsig-more#xmssmt-sha2-20-2-192 2.2.6  SignatureMethod
1776	   2021/04/xmldsig-more#xmssmt-sha2-20-2-256 2.2.6  SignatureMethod
1777	   2021/04/xmldsig-more#xmssmt-sha2-20-2-512 2.2.6  SignatureMethod
1778	   2021/04/xmldsig-more#xmssmt-sha2-20-4-192 2.2.6  SignatureMethod
1779	   2021/04/xmldsig-more#xmssmt-sha2-20-4-256 2.2.6  SignatureMethod
1780	   2021/04/xmldsig-more#xmssmt-sha2-20-4-512 2.2.6  SignatureMethod
1781	   2021/04/xmldsig-more#xmssmt-sha2-40-2-192 2.2.6  SignatureMethod
1782	   2021/04/xmldsig-more#xmssmt-sha2-40-2-256 2.2.6  SignatureMethod
1783	   2021/04/xmldsig-more#xmssmt-sha2-40-2-512 2.2.6  SignatureMethod
1784	   2021/04/xmldsig-more#xmssmt-sha2-40-4-192 2.2.6  SignatureMethod
1785	   2021/04/xmldsig-more#xmssmt-sha2-40-4-256 2.2.6  SignatureMethod
1786	   2021/04/xmldsig-more#xmssmt-sha2-40-4-512 2.2.6  SignatureMethod
1787	   2021/04/xmldsig-more#xmssmt-sha2-40-8-192 2.2.6  SignatureMethod
1788	   2021/04/xmldsig-more#xmssmt-sha2-40-8-256 2.2.6  SignatureMethod
1789	   2021/04/xmldsig-more#xmssmt-sha2-40-8-512 2.2.6  SignatureMethod
1790	   2021/04/xmldsig-more#xmssmt-sha2-60-3-192 2.2.6  SignatureMethod
1791	   2021/04/xmldsig-more#xmssmt-sha2-60-3-256 2.2.6  SignatureMethod
1792	   2021/04/xmldsig-more#xmssmt-sha2-60-3-512 2.2.6  SignatureMethod
1793	   2021/04/xmldsig-more#xmssmt-sha2-60-6-192 2.2.6  SignatureMethod
1794	   2021/04/xmldsig-more#xmssmt-sha2-60-6-256 2.2.6  SignatureMethod
1795	   2021/04/xmldsig-more#xmssmt-sha2-60-6-512 2.2.6  SignatureMethod
1796	   2021/04/xmldsig-more#xmssmt-sha2-60-12-192 2.2.6 SignatureMethod
1797	   2021/04/xmldsig-more#xmssmt-sha2-60-12-256 2.2.6 SignatureMethod
1798	   2021/04/xmldsig-more#xmssmt-sha2-60-12-512 2.2.6 SignatureMethod

1800	   2021/04/xmldsig-more#xmssmt-shake-20-2-256 2.2.6 SignatureMethod
1801	   2021/04/xmldsig-more#xmssmt-shake-20-2-512 2.2.6 SignatureMethod
1802	   2021/04/xmldsig-more#xmssmt-shake-20-4-256 2.2.6 SignatureMethod
1803	   2021/04/xmldsig-more#xmssmt-shake-20-4-512 2.2.6 SignatureMethod
1804	   2021/04/xmldsig-more#xmssmt-shake-40-2-256 2.2.6 SignatureMethod
1805	   2021/04/xmldsig-more#xmssmt-shake-40-2-512 2.2.6 SignatureMethod
1806	   2021/04/xmldsig-more#xmssmt-shake-40-4-256 2.2.6 SignatureMethod
1807	   2021/04/xmldsig-more#xmssmt-shake-40-4-512 2.2.6 SignatureMethod
1808	   2021/04/xmldsig-more#xmssmt-shake-40-8-256 2.2.6 SignatureMethod
1809	   2021/04/xmldsig-more#xmssmt-shake-40-8-512 2.2.6 SignatureMethod
1810	   2021/04/xmldsig-more#xmssmt-shake-60-3-256 2.2.6 SignatureMethod
1811	   2021/04/xmldsig-more#xmssmt-shake-60-3-512 2.2.6 SignatureMethod
1812	   2021/04/xmldsig-more#xmssmt-shake-60-6-256 2.2.6 SignatureMethod
1813	   2021/04/xmldsig-more#xmssmt-shake-60-6-512 2.2.6 SignatureMethod
1814	   2021/04/xmldsig-more#xmssmt-shake-60-12-256 2.2.6 SignatureMethod
1815	   2021/04/xmldsig-more#xmssmt-shake-60-12-512 2.2.6 SignatureMethod

1817	   2021/04/xmldsig-more#xmssmt-shake256-20-2-192
1818	                                           2.2.6    SignatureMethod
1819	   2021/04/xmldsig-more#xmssmt-shake256-20-2-256
1820	                                           2.2.6    SignatureMethod
1821	   2021/04/xmldsig-more#xmssmt-shake256-20-4-192
1822	                                           2.2.6    SignatureMethod
1823	   2021/04/xmldsig-more#xmssmt-shake256-20-4-256
1824	                                           2.2.6    SignatureMethod
1825	   2021/04/xmldsig-more#xmssmt-shake256-40-2-192
1826	                                           2.2.6    SignatureMethod
1827	   2021/04/xmldsig-more#xmssmt-shake256-40-2-256
1828	                                           2.2.6    SignatureMethod
1829	   2021/04/xmldsig-more#xmssmt-shake256-40-4-192
1830	                                           2.2.6    SignatureMethod
1831	   2021/04/xmldsig-more#xmssmt-shake256-40-4-256
1832	                                           2.2.6    SignatureMethod
1833	   2021/04/xmldsig-more#xmssmt-shake256-40-8-192
1834	                                           2.2.6    SignatureMethod
1835	   2021/04/xmldsig-more#xmssmt-shake256-40-8-256
1836	                                           2.2.6    SignatureMethod
1837	   2021/04/xmldsig-more#xmssmt-shake256-60-3-192
1838	                                           2.2.6    SignatureMethod
1839	   2021/04/xmldsig-more#xmssmt-shake256-60-3-256
1840	                                           2.2.6    SignatureMethod

1842	   2021/04/xmldsig-more#xmssmt-shake256-60-6-192
1843	                                           2.2.6    SignatureMethod
1844	   2021/04/xmldsig-more#xmssmt-shake256-60-6-256
1845	                                           2.2.6    SignatureMethod
1846	   2021/04/xmldsig-more#xmssmt-shake256-60-12-192
1847	                                           2.2.6    SignatureMethod
1848	   2021/04/xmldsig-more#xmssmt-shake256-60-12-256
1849	                                           2.2.6    SignatureMethod

1851	   TR/1999/REC-xpath-19991116            [XPATH]    Transform
1852	   TR/1999/REC-xslt-19991116              [XSLT]    Transform
1853	   TR/2001/06/xml-exc-c14n#             [XCANON]    Canonicalization
1854	   TR/2001/06/xml-exc-c14n#WithComments [XCANON]    Canonicalization
1855	   TR/2001/REC-xml-c14n-20010315       [CANON10]    Canonicalization
1856	   TR/2001/REC-xml-c14n-20010315#WithComments
1857	                                       [CANON10]    Canonicalization
1858	   TR/2001/REC-xmlschema-1-20010502     [Schema]    Transform
1859	   ----                                --------     ------
1860	    URI                                 Sec/Doc      Type

1862	   The initial "http://www.w3.org/" part of the URI is not included
1863	   above. "{Bad}" indicates a Bad value that was accidentally included
1864	   in [RFC6931]. Implementations SHOULD only generate the correct URI
1865	   but SHOULD understand both the correct and erroneous URI. See also
1866	   Appendix B.

1868	5. Allocation Considerations

1870	   W3C and IANA allocation considerations are given below.

1872	5.1 W3C Allocation Considerations

1874	   As it is easy for people to construct their own unique URIs [RFC3986]
1875	   and, if appropriate, to obtain a URI from the W3C, additional URI
1876	   specification under the following XMLSEC URI prefixes is prohibited
1877	   as shown:

1879	       URI                                      Status
1880	      ---------------------------------------  ----------------------
1881	      http://www.w3.org/2000/09/xmldsig#       Frozen by W3C.
1882	      http://www.w3.org/2001/04/xmldsig-more#  Frozen with RFC 4051.
1883	      http://www.w3.org/2007/05/xmldsig-more#  Frozen with [RFC6931].

1885	   The W3C has assigned "http://www.w3.org/2021/04/xmldsig-more#" for
1886	   additional new URIs specified in this document.

1888	   There are also occurrences in this document of
1889	   "http://www.w3.org/2010/xmlsec-ghc#" due to the inclusion of some
1890	   algorithms from [GENERIC] for convenience.

1892	   An "xmldsig-more" URI does not imply any official W3C or IETF status
1893	   for these algorithms or identifiers nor does it imply that they are
1894	   only useful in digital signatures.  Currently, dereferencing such
1895	   URIs may or may not produce a temporary placeholder document.
1896	   Permission to use these URI prefixes has been given by the W3C.

1898	5.2 IANA Considerations

1900	   IANA has established a registry entitled "XML Security URIs".  The
1901	   contents will be updated to correspond to Section 4.2 of this
1902	   document with each section number in the "Sec/Doc" column augmented
1903	   with a reference to this RFC (for example, "2.6.4" means "[this
1904	   document], Section 2.6.4"). All references to [RFC6931] in that
1905	   registry should be updated to [this document].

1907	   New entries, including new Types, will be added based on
1908	   Specification Required [RFC8126].  Criteria for the designated expert
1909	   for inclusion are (1) documentation sufficient for interoperability
1910	   of the algorithm or data type and the XML syntax for its
1911	   representation and use and (2) sufficient importance as normally
1912	   indicated by inclusion in (2a) an approved W3C Note, Proposed
1913	   Recommendation, or Recommendation or (2b) an approved IETF RFC.

1915	   Typically, the registry will reference a W3C or IETF document
1916	   specifying such XML syntax; that document will either contain a more
1917	   detailed description of the algorithm or data type or reference
1918	   another document with a more detailed description.

1920	6. Security Considerations

1922	   This RFC is concerned with documenting the URIs that designate
1923	   algorithms and some data types used in connection with XML security.
1924	   The security considerations vary widely with the particular
1925	   algorithms, and the general security considerations for XML security
1926	   are outside of the scope of this document but appear in [XMLDSIG11],
1927	   [XMLENC11], [CANON10], [CANON11], and [GENERIC].

1929	   [RFC6151] should be consulted before considering the use of MD5 as a
1930	   DigestMethod or the use of HMAC-MD5 or RSA-MD5 as a SignatureMethod.

1932	   See [RFC6194] for SHA-1 security considerations.

1934	   Additional security considerations are given in connection with the
1935	   description of some algorithms in the body of this document.

1937	   Implementers should be aware that cryptographic algorithms become
1938	   weaker with time.  As new cryptoanalysis techniques are developed and
1939	   computing performance improves, the work factor to break a particular
1940	   cryptographic algorithm will decrease.  Therefore, cryptographic
1941	   implementations should be modular, allowing new algorithms to be
1942	   readily inserted.  That is, implementers should be prepared for the
1943	   set of mandatory-to-implement algorithms for any particular use to
1944	   change over time. This is sometimes referred to as "algorithm
1945	   agility" [RFC7696].

1947	Acknowledgements

1949	   The contributions of the following, listed in alphabetic order, by
1950	   reporting errata against [RFC6931] or contributing to this document,
1951	   are gratefully acknowledged:

1953	      Roman Danyliw, Pim van der Eijk, Frederick Hirsch, Benjamin Kaduk,
1954	      Alexey Melnikov, Gayle Noble, Axel Puhlmann, Peter Yee, and Annie
1955	      Yousar.

1957	   The contributions of the following, listed in alphabetic order, to
1958	   [RFC6931], on which this document is based, are gratefully
1959	   acknowledged:

1961	      Benoit Claise, Adrian Farrel, Stephen Farrell, Ernst Giessmann,
1962	      Frederick Hirsch, Bjoern Hoehrmann, Russ Housley, Satoru Kanno,
1963	      Charlie Kaufman, Konrad Lanz, HwanJin Lee, Barry Leiba, Peter
1964	      Lipp, Subramanian Moonesamy, Thomas Roessler, Hanseong Ryu, Peter
1965	      Saint-Andre, and Sean Turner.

1967	   The following contributors to RFC 4051 are gratefully acknowledged:

1969	      Glenn Adams, Merlin Hughs, Gregor Karlinger, Brian LaMachia, Shiho
1970	      Moriai, Joseph Reagle, Russ Housley, and Joel Halpern.

1972	Appendix A: Changes from [RFC6931]

1974	   The following changes have been made in [RFC6931] to produce this
1975	   document.

1977	    1. Delete Appendix on Changes from RFC 4051, since they were already
1978	       included in [RFC6931], and remove reference to RFC 4051 and to
1979	       the one Errata against RFC 4051.

1981	    2. Fix three errata as follows: [Err3597], [Err3965], and [Err4004].
1982	       In cases where [RFC6931] had an erroneous URI, it is still
1983	       included in the indices and it is stated that implementations
1984	       SHOULD only generate the correct URI but SHOULD understand both
1985	       the correct and erroneous URI.

1987	    3. Added the following algorithms:

1989	          Section   Algorithm(s)
1990	          -------   ------------
1991	           2.2.4    Poly1305
1992	           2.2.5    SipHash-2-4
1993	           2.2.6    XMSS and XMSSMT
1994	           2.3.6    ECDSA with SHA3
1995	           2.3.12   Edwards-Curve Signatures
1996	           2.6.7    ChaCha20
1997	           2.6.8    ChaCha20+Poly1305
1998	           2.7.1    X25519
1999	           2.7.2    HKDF

2001	    4. Listed ECIES-KEM and RSAES-KEM in Section 2.6.4 so they are
2002	       easier to find even though the URI for them is specified in
2003	       [GENERIC].

2005	    5. Updated references for [GENERIC] and FIPS 186, added appropriate
2006	       references.

2008	    6. Addition of some XML examples.

2010	    7. Minor typo fixes and editorial changes.

2012	Appendix B: Bad URIs

2014	   [RFC6931] included two bad URIs as shown below. "{Bad}" in the
2015	   indexes (Sections 4.1 and 4.2) indicates such a bad value.
2016	   Implementations SHOULD only generate the correct URI but SHOULD
2017	   understand both the correct and erroneous URI.

2019	   2006/12/xmlc12n11#
2020	       Appears in the indices (Section 4.1 and 4.2] of [RFC6931] when it
2021	       should be "2006/12/xmlc14n11#" (i.e., the "12" inside "xmlc12n11"
2022	       should have been "14"). This is [Err3965] and is corrected in
2023	       this document.

2025	   2007/05/xmldsig-more#rsa-sha224
2026	       Appears in the indices (Section 4.1 and 4.2] of [RFC6931] when it
2027	       should be "2001/04/xmldsig-more#rsa-sha224". This is [Err4004]
2028	       and is corrected in this document.

2030	Appendix Z: Change History

2032	   RFC Editor Note: Please delete this Appendix before publication.

2034	-00 to -01 to -02 to -03 to -04 to -05 to -06 to -07 to -08

2036	   Bump up version and date to keep draft alive as a place where new
2037	   URIs can be accumulated. At some point in here, author address was
2038	   updated.

2040	-08 to -09 to -10

2042	   Update author affiliation and references.

2044	-10 to -11

2046	   Update author address.

2048	-11 to -12

2050	   Bump up version and date to keep draft alive.

2052	-12 to -13

2054	   Numerous editorial/typo fixes thanks to Gayle Noble who is added to
2055	   the acknowledgements section.

2057	-13 to -14

2059	   Numerous additional algorithms almost all as requested by Pim van der
2060	   Eijk who is added to the acknowledgements section. Update and add
2061	   references.

2063	-14 to -15

2065	   Add URLs for ECDSA with SHA3, SipHash-2-4, X25519, XMSS and XMSSMT.
2066	   Add RFC reference 5869 for HKDF but not yet added elsewhere in the
2067	   document.

2069	-15 to -16

2071	   Fix text for ChaCha20 to include the required Nonce and Counter
2072	   inputs. Add ChaCha20+Poly1305 AEAD algorithm. Add HKDF key derivation
2073	   function.

2075	-16 to -17

2077	   Mostly editorial fixes.

2079	-17 to -18
2080	   Resolve AD review comments. Globally replace "byte" with "octet".
2081	   Update reference to "US National Institute of Standards and
2082	   Technology, "SHA-3 WINNER", February 2013" to reference [FIPS202].

2084	-18 to -19

2086	   Resolve GENART review comments.

2088	-19 to -20 to -21

2090	   Minor Editorial improvements.

2092	-21 to -22

2094	   Fix typos.

2096	-22 to -23

2098	   Resolve IESG Discuss and Comments.

2100	-23 to -24

2102	   Minor fixes to 2.2.6 re XMSS & XMSSMT.

2104	-24 to -25

2106	   Add the X448 key agreement algorithm so 2.7.1 as approved by IESG and
2107	   sponsoring AD.

2109	-25 to -26

2111	   Fix typos in URL for X448.

2113	-26 to -27

2115	   Fix typos. Add more explanatory text and re-order URIs for XMSS and
2116	   XMSSMT. Add 512 bit XMSSMT versions.

2118	Normative References

2120	   [10118-3] - ISO, "Information technology -- Security techniques --
2121	         Hash-functions -- Part 3: Dedicated hash-functions", ISO/IEC
2122	         10118-3:2004, 2004.

2124	   [18033-2] - ISO, "Information technology -- Security techniques --
2125	         Encryption algorithms -- Part 3: Asymmetric ciphers", ISO/IEC
2126	         18033-2:2010, 2010.

2128	   [FIPS180-4] - US National Institute of Standards and Technology,
2129	         "Secure Hash Standard (SHS)", FIPS 180-4, March 2012,
2130	         <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf>.

2132	   [FIPS186-4] - US National Institute of Standards and Technology,
2133	         "Digital Signature Standard (DSS)", FIPS 186-4, July 2013,
2134	         <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>.

2136	   [FIPS202] - US National Institute of Standards and Technology, "SHA-3
2137	         Standard: Permutation-Based Hash and Extendable-Output
2138	         Functions", FIPS 202, August 2015,
2139	         <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf>.

2141	   [IEEEP1363a] - IEEE, "Standard Specifications for Public Key
2142	         Cryptography- Amendment 1: Additional Techniques", IEEE
2143	         1363a-2004, 2004.

2145	   [NIST800-208] - US National Institute of Standards and Technology,
2146	         "Recommendation for Stateful Hash-Based Signature Schemes",
2147	         NIST 800-208, Otober 202,
2148	         <https://csrc.nist.gov/publications/detail/sp/800-208/final>.

2150	   [RC4] - Schneier, B., "Applied Cryptography: Protocols, Algorithms,
2151	         and Source Code in C", Second Edition, John Wiley and Sons, New
2152	         York, NY, 1996.

2154	   [RFC1321] - Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
2155	         DOI 10.17487/RFC1321, April 1992, <https://www.rfc-
2156	         editor.org/info/rfc1321>.

2158	   [RFC2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
2159	         Hashing for Message Authentication", RFC 2104, DOI
2160	         10.17487/RFC2104, February 1997, <https://www.rfc-
2161	         editor.org/info/rfc2104>.

2163	   [RFC2119] - Bradner, S., "Key words for use in RFCs to Indicate
2164	         Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119,
2165	         March 1997, <https://www.rfc-editor.org/info/rfc2119>.

2167	   [RFC2315] - Kaliski, B., "PKCS #7: Cryptographic Message Syntax
2168	         Version 1.5", RFC 2315, DOI 10.17487/RFC2315, March 1998,
2169	         <https://www.rfc-editor.org/info/rfc2315>.

2171	   [RFC3275] - Eastlake 3rd, D., Reagle, J., and D. Solo, "(Extensible
2172	         Markup Language) XML-Signature Syntax and Processing", RFC
2173	         3275, DOI 10.17487/RFC3275, March 2002, <https://www.rfc-
2174	         editor.org/info/rfc3275>.

2176	   [RFC3394] - Schaad, J. and R. Housley, "Advanced Encryption Standard
2177	         (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394,
2178	         September 2002, <https://www.rfc-editor.org/info/rfc3394>.

2180	   [RFC3713] - Matsui, M., Nakajima, J., and S. Moriai, "A Description
2181	         of the Camellia Encryption Algorithm", RFC 3713, DOI
2182	         10.17487/RFC3713, April 2004, <https://www.rfc-
2183	         editor.org/info/rfc3713>.

2185	   [RFC3986] - Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
2186	         Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
2187	         DOI 10.17487/RFC3986, January 2005, <https://www.rfc-
2188	         editor.org/info/rfc3986>.

2190	   [RFC4050] - Blake-Wilson, S., Karlinger, G., Kobayashi, T., and Y.
2191	         Wang, "Using the Elliptic Curve Signature Algorithm (ECDSA) for
2192	         XML Digital Signatures", RFC 4050, DOI 10.17487/RFC4050, April
2193	         2005, <https://www.rfc-editor.org/info/rfc4050>.

2195	   [RFC4055] - Schaad, J., Kaliski, B., and R. Housley, "Additional
2196	         Algorithms and Identifiers for RSA Cryptography for use in the
2197	         Internet X.509 Public Key Infrastructure Certificate and
2198	         Certificate Revocation List (CRL) Profile", RFC 4055, DOI
2199	         10.17487/RFC4055, June 2005, <https://www.rfc-
2200	         editor.org/info/rfc4055>.

2202	   [RFC4269] - Lee, H., Lee, S., Yoon, J., Cheon, D., and J. Lee, "The
2203	         SEED Encryption Algorithm", RFC 4269, DOI 10.17487/RFC4269,
2204	         December 2005, <https://www.rfc-editor.org/info/rfc4269>.

2206	   [RFC4648] - Josefsson, S., "The Base16, Base32, and Base64 Data
2207	         Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
2208	         <https://www.rfc-editor.org/info/rfc4648>.

2210	   [RFC5869] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-
2211	         Expand Key Derivation Function (HKDF)", RFC 5869, DOI
2212	         10.17487/RFC5869, May 2010, <https://www.rfc-
2213	         editor.org/info/rfc5869>.

2215	   [RFC6234] - Eastlake 3rd, D. and T. Hansen, "US Secure Hash
2216	         Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI
2217	         10.17487/RFC6234, May 2011, <https://www.rfc-
2218	         editor.org/info/rfc6234>.

2220	   [RFC7748] - Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
2221	         for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016,
2222	         <https://www.rfc-editor.org/info/rfc7748>.

2224	   [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
2225	         "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC
2226	         8017, DOI 10.17487/RFC8017, November 2016, <https://www.rfc-
2227	         editor.org/info/rfc8017>.

2229	   [RFC8032] - Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
2230	         Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032,
2231	         January 2017, <https://www.rfc-editor.org/info/rfc8032>.

2233	   [RFC8126] - Cotton, M., Leiba, B., and T. Narten, "Guidelines for
2234	         Writing an IANA Considerations Section in RFCs", BCP 26, RFC
2235	         8126, DOI 10.17487/RFC8126, June 2017, <https://www.rfc-
2236	         editor.org/info/rfc8126>.

2238	   [RFC8174] - Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2239	         2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May
2240	         2017, <https://www.rfc-editor.org/info/rfc8174>.

2242	   [RFC8391] - Huelsing, A., Butin, D., Gazdag, S., Rijneveld, J., and
2243	         A. Mohaisen, "XMSS: eXtended Merkle Signature Scheme", RFC
2244	         8391, DOI 10.17487/RFC8391, May 2018, <https://www.rfc-
2245	         editor.org/info/rfc8391>.

2247	   [RFC8439] - Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
2248	         Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018,
2249	         <https://www.rfc-editor.org/info/rfc8439>.

2251	   [SipHash1] - Aumasson, J. and D. Bernstein, "SipHash: A Fast Short-
2252	         Input PRF", Progress in Cryptology - INDOCRYPT 2012, Lecture
2253	         Notes in Computer Science, vol. 7668, December 2012,
2254	         <https://doi.org/10.1007/978-3-642-34931-7_28>.

2256	   [X9.62] - American National Standards Institute, Accredited Standards
2257	         Committee X9, "Public Key Cryptography for the Financial
2258	         Services Industry: The Elliptic Curve Digital Signature
2259	         Algorithm (ECDSA)", ANSI X9.62:2005, 2005.

2261	   [XMLENC10] - Reagle, J. and D. Eastlake, "XML Encryption Syntax and
2262	         Processing", W3C Recommendation, 10 December 2002,
2263	         <https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/>.

2265	   [XMLENC11] - Eastlake, D., Reagle, J., Hirsch, F., and T. Roessler,
2266	         "XML Encryption Syntax and Processing Version 1.1", W3C
2267	         Proposed Recommendation, 11 April 2013,
2268	         <https://www.w3.org/TR/xmlenc-core1/>.

2270	   [XPointer] - Grosso, P., Maler, E., Marsh, J., and N. Walsh,
2271	         "XPointer Framework", W3C Recommendation, 25 March 2003,
2272	         <https://www.w3.org/TR/2003/ REC-xptr-framework-20030325/>.

2274	Informational References

2276	   [Camellia] - Aoki, K., Ichikawa, T., Matsui, M., Moriai, S.,
2277	         Nakajima, J., and T. Tokita, "Camellia: A 128-bit Block Cipher
2278	         Suitable for Multiple Platforms - Design and Analysis", in
2279	         Selected Areas in Cryptography, 7th Annual International
2280	         Workshop, SAC 2000, August 2000, Proceedings, Lecture Notes in
2281	         Computer Science 2012, pp. 39-56, Springer-Verlag, 2001.

2283	   [CANON10] - Boyer, J., "Canonical XML Version 1.0", W3C
2284	         Recommendation, 15 March 2001, <https://www.w3.org/TR/2001/REC-
2285	         xml-c14n-20010315>.

2287	   [CANON11] - Boyer, J., and G. Marcy, "Canonical XML Version 1.1", W3C
2288	         Recommendation, 2 May 2008, <https://www.w3.org/TR/2008/REC-
2289	         xml-c14n11-20080502/>.

2291	   [ChaCha] - Bernstein, D., "ChaCha, a variant of Salsa20", January
2292	         2008, <https://cr.yp.to/chacha/chacha-20080128.pdf>.

2294	   [DECRYPT] - Hughes, M., Imamura, T., and H. Maruyama, "Decryption
2295	         Transform for XML Signature", W3C Recommendation, 10 December
2296	         2002, <https://www.w3.org/TR/2002/ REC-xmlenc-
2297	         decrypt-20021210>.

2299	   [Err3597] - RFC Errata, Errata ID 3597, RFC 6931, <https://www.rfc-
2300	         editor.org>.

2302	   [Err3965] - RFC Errata, Errata ID 3965, RFC 6931, <https://www.rfc-
2303	         editor.org>.

2305	   [Err4004] - RFC Errata, Errata ID 4004, RFC 6931, <https://www.rfc-
2306	         editor.org>.

2308	   [GENERIC] - Nystrom, M. and F. Hirsch, "XML Security Generic Hybrid
2309	         Ciphers", W3C Working Group Note, 11 April 2013,
2310	         <https://www.w3.org/TR/xmlsec-generic-hybrid/>.

2312	   [Keccak] - Bertoni, G., Daeman, J., Peeters, M., and G. Van Assche,
2313	         "The KECCAK sponge function family", January 2013,
2314	         <http://keccak.noekeon.org>.

2316	   [Poly1305] - Bernstein, D., "The Poly1305-AES message-authentication
2317	         code", March 2005,
2318	         <https://cr.yp.to/mac/poly1305-20050329.pdf>.

2320	   [RFC3075] - Eastlake 3rd, D., Reagle, J., and D. Solo, "XML-Signature
2321	         Syntax and Processing", RFC 3075, DOI 10.17487/RFC3075, March
2322	         2001, <https://www.rfc-editor.org/info/rfc3075>.

2324	   [RFC3076] - Boyer, J., "Canonical XML Version 1.0", RFC 3076, DOI
2325	         10.17487/RFC3076, March 2001, <https://www.rfc-
2326	         editor.org/info/rfc3076>.

2328	   [RFC3092] - Eastlake 3rd, D., Manros, C., and E. Raymond, "Etymology
2329	         of "Foo"", RFC 3092, DOI 10.17487/RFC3092, April 1 2001,
2330	         <https://www.rfc-editor.org/info/rfc3092>.

2332	   [RFC3741] - Boyer, J., Eastlake 3rd, D., and J. Reagle, "Exclusive
2333	         XML Canonicalization, Version 1.0", RFC 3741, DOI
2334	         10.17487/RFC3741, March 2004, <https://www.rfc-
2335	         editor.org/info/rfc3741>.

2337	   [RFC4010] - Park, J., Lee, S., Kim, J., and J. Lee, "Use of the SEED
2338	         Encryption Algorithm in Cryptographic Message Syntax (CMS)",
2339	         RFC 4010, DOI 10.17487/RFC4010, February 2005,
2340	         <https://www.rfc-editor.org/info/rfc4010>.

2342	   [RFC5869] - Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-
2343	         Expand Key Derivation Function (HKDF)", RFC 5869, DOI
2344	         10.17487/RFC5869, May 2010, <https://www.rfc-
2345	         editor.org/info/rfc5869>.

2347	   [RFC6090]
2348	         - McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
2349	         Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/RFC6090,
2350	         February 2011, <https://www.rfc-editor.org/info/rfc6090>.
2351	         - Note RFC Errata numbers 2773, 2774, 2775, 2776, and 2777.

2353	   [RFC6151] - Turner, S. and L. Chen, "Updated Security Considerations
2354	         for the MD5 Message-Digest and the HMAC-MD5 Algorithms", RFC
2355	         6151, DOI 10.17487/RFC6151, March 2011, <https://www.rfc-
2356	         editor.org/info/rfc6151>.

2358	   [RFC6194] - Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
2359	         Considerations for the SHA-0 and SHA-1 Message-Digest
2360	         Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011,
2361	         <https://www.rfc-editor.org/info/rfc6194>.

2363	   [RFC6931] - Eastlake 3rd, D., "Additional XML Security Uniform
2364	         Resource Identifiers (URIs)", RFC 6931, DOI 10.17487/RFC6931,
2365	         April 2013, <https://www.rfc-editor.org/info/rfc6931>

2367	   [RFC7465] - Popov, A., "Prohibiting RC4 Cipher Suites", RFC 7465, DOI
2368	         10.17487/RFC7465, February 2015, <https://www.rfc-
2369	         editor.org/info/rfc7465>.

2371	   [RFC7696] - Housley, R., "Guidelines for Cryptographic Algorithm
2372	         Agility and Selecting Mandatory-to-Implement Algorithms", BCP
2373	         201, RFC 7696, DOI 10.17487/RFC7696, November 2015,
2374	         <https://www.rfc-editor.org/info/rfc7696>.

2376	   [Schema] - Thompson, H., Beech, D., Maloney, M., and N.  Mendelsohn,
2377	         "XML Schema Part 1: Structures Second Edition", W3C
2378	         Recommendation, 28 October 2004,
2379	         <https://www.w3.org/TR/2004/REC-xmlschema-1-20041028/>.
2380	         - Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
2381	         Second Edition", W3C Recommendation, 28 October 2004,
2382	         <https://www.w3.org/TR/2004/REC-xmlschema-2-20041028/>.

2384	   [SipHash2] - Aumasson, J. and D. Bernstein, "SipHash: A Fast Short-
2385	         Input PRF", Department of Computer Science, Iniversity of
2386	         Illinois at Chicago,
2387	         <https://www.aumasson.jp/siphash/siphash.pdf>.

2389	   [W3C] - World Wide Web Consortium, <https://www.w3.org>.

2391	   [XCANON] - Boyer, J., Eastlake, D., and J. Reagle, "Exclusive XML
2392	         Canonicalization Version 1.0", W3C Recommendation, 18 July
2393	         2002, <https://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/>.

2395	   [XMLDSIG10] - Eastlake, D., Reagle, J., Solo, D., Hirsch, F., and T.
2396	         Roessler, "XML Signature Syntax and Processing (Second
2397	         Edition)", W3C Recommendation, 10 June 2008,
2398	         <https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/>./

2400	   [XMLDSIG11] - Eastlake, D., Reagle, J., Solo, D., Hirsch, F.,
2401	         Nystrom, M., Roessler, T., and K. Yiu, "XML Signature Syntax
2402	         and Processing Version 1.1", W3C Proposed Recommendation, 11
2403	         April 2013, <https://www.w3.org/TR/xmldsig-core1/>.

2405	   [XMLDSIG-PROP] - Hirsch, F., "XML Signature Properties", W3C Proposed
2406	         Recommendation, 24 January 2013, <https://www.w3.org/TR/
2407	         2013/PR-xmldsig-properties-20130124/>.

2409	   [XMLSEC] - Eastlake, D., and K. Niles, "Secure XML: The New Syntax
2410	         for Signatures and Encryption", Addison-Wesley (Pearson
2411	         Education), 2003, ISBN 0-201-75605-6.

2413	   [XMLSECXREF] - Hirsch, F., Roessler, T., and K. Yiu, "XML Security
2414	         Algorithm Cross-Reference", W3C Working Group Note, 24 January
2415	         2013, <https://www.w3.org/TR/2013/ NOTE-xmlsec-
2416	         algorithms-20130124/>.

2418	   [XMSS] - IANA Registry for XMSS and XMSSMT Extended Hash-Based
2419	         Signature schemes: https://www.iana.org/assignments/xmss-
2420	         extended-hash-based-signatures

2422	   [XPATH] - Boyer, J., Hughes, M., and J. Reagle, "XML-Signature XPath
2423	         Filter 2.0", W3C Recommendation, 8 November 2002,
2424	         <https://www.w3.org/TR/2002/ REC-xmldsig-filter2-20021108/>.
2425	         - Berglund, A., Boag, S., Chamberlin, D., Fernandez, M., Kay,
2426	         M., Robie, J., and J. Simeon, "XML Path Language (XPath) 2.0
2427	         (Second Edition)", W3C Recommendation, 14 December 2010,
2428	         <https://www.w3.org/TR/2010/REC-xpath20-20101214/>.

2430	   [XSLT] - Saxonica, M., "XSL Transformations (XSLT) Version 2.0", W3C
2431	         Recommendation, 23 January 2007,
2432	         <https://www.w3.org/TR/2007/REC-xslt20-20070123/>.

2434	Author's Address

2436	   Donald E. Eastlake 3rd
2437	   Futurewei Technologies, Inc.
2438	   2386 Panoramic Circle
2439	   Apopka, FL 32703 USA

2441	   Phone:    +1-508-333-2270
2442	   EMail:    d3e3e3@gmail.com

2444	Copyright, Disclaimer, and Additional IPR Provisions

2446	   Copyright (c) 2022 IETF Trust and the persons identified as the
2447	   document authors. All rights reserved.

2449	   This document is subject to BCP 78 and the IETF Trust's Legal
2450	   Provisions Relating to IETF Documents
2451	   (http://trustee.ietf.org/license-info) in effect on the date of
2452	   publication of this document. Please review these documents
2453	   carefully, as they describe your rights and restrictions with respect
2454	   to this document. Code Components extracted from this document must
2455	   include Revised BSD License text as described in Section 4.e of the
2456	   Trust Legal Provisions and are provided without warranty as described
2457	   in the Revised BSD License.