XML Signature Syntax and Processing (Second Edition) (original) (raw)

Abstract

Status of this document

Table of Contents

      1. Canonical XML 1.0
        1. Canonical XML 1.1

1.0 Introduction

1.1 Editorial and Conformance Conventions

1.2 Design Philosophy

1.3 Versions, Namespaces and Identifiers

FIPS PUB 180-1FIPS PUB 180-2. U.S. Department of Commerce/National Institute of Standards and Technology.

1.4 Acknowledgements

The following members of the XML Security Specification Maintenance Working Group contributed to the second edition:

2.0 Signature Overview and Examples

2.1 Simple Example (Signature, SignedInfo,Methods, and Reference)s

[s01] [s02] [s03] [s04] [s05] [s06] [s07] [s08] [s09] [s10] j6lwx3rvEPO0vKtMup4NbeVu8nk=<dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK.../DigestValue> [s11] [s12] [s13] MC0CFFrVLtRlk=...... [s14] [s15a] [s15b] [s15c]

...

......... [s15d] [s15e] [s16] [s17]

2.1.1 More on Reference

[s05] [s06] [s07] [s08] [s09] [s10] j6lwx3rvEPO0vKtMup4NbeVu8nk=dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK... [s11]

2.2 Extended Example (Object and SignatureProperty)

[ ] <Signature Id="MySecondSignature" ...> [p01]
[ ] ...
[p02]
[ ] ... [p03] <Reference URI="#AMadeUpTimeStamp"
[p04] Type="" title="undefined" rel="noopener noreferrer">http://www.w3.org/2000/09/xmldsig#SignatureProperties"> [p05] [p06] [p07] [p0508]
[p0609] k3453rvEPO0vKtMup4NbeVu8nk=dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK... [p0710]
[p0811]
[p0912] ...
[p1013] [p1114] [p1215] [p1316]
[p1417] 19990914
[p1518]
[p1619]
[p1720] [p1821] [p1922]
[p2023]

[~~p10~~p13] Object is an optional element for including data objects within the signature element or elsewhere. TheObject can be optionally typed and/or encoded.

[~~p11-18~~p14-21] Signature properties, such as time of signing, can be optionally signed by identifying them from within a Reference. (These properties are traditionally called signature "attributes" although that term has no relationship to the XML term "attribute".)

2.3 Extended Example (Object and Manifest)

[ ] ... [m01] <Reference URI="#MyFirstManifest" [m02] Type="" title="undefined" rel="noopener noreferrer">http://www.w3.org/2000/09/xmldsig#Manifest"> [m03] [m04] [m05] [m0306] [m0407] 345x3rvEPO0vKtMup4NbeVu8nkdGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...= [m0508]
[ ] ... [m0609] [m0710] [m0811] [m0912] ... [m1013]
[m1114] [m1215] ... [m1316] [m1417] [m1518]

3.0 Processing Rules

3.1 Core Generation

3.1.1 Reference Generation

The Reference Processing Model (section 4.3.3.2) requires use of Canonical XML 1.0 [XML-C14N] as default processing behavior when a transformation is expecting an octet-stream, but the data object resulting from URI dereferencing or from the previous transformation in the list ofTransform elements is a node-set. We RECOMMEND that, when generating signatures, signature applications do not rely on this default behavior, but explicitly identify the transformation that is applied to perform this mapping. In cases in which inclusive canonicalization is desired, we RECOMMEND that Canonical XML 1.1 [XML-C14N11] be used.

3.1.2 Signature Generation

3.2 Core Validation

3.2.1 Reference Validation

3.2.2 Signature Validation

4.0 Core Signature Syntax

4.0.1 The ds:CryptoBinary Simple Type

4.1 The Signature element

4.2 The SignatureValue Element

4.3 The SignedInfo Element

4.3.1 The CanonicalizationMethod Element

4.3.2 The SignatureMethod Element

4.3.3 The Reference Element

4.3.3.1 The URI Attribute

The URI attribute identifies a data object using a URI-Reference, as specified by RFC 2396 [URI].The set of allowed characters forURI attributes is the same as for XML, namely[Unicode]. However, some Unicode characters are disallowed from URI references including all non-ASCII characters and the excluded characters listed in RFC 2396 [URI, section 2.4]. However, the number sign (#), percent sign (%), and square bracket characters re-allowed in RFC 2732 [URI-Literal] are permitted. Disallowed characters must be escaped as follows:

  1. Each disallowed character is converted to [UTF-8] as one or more octets.
  2. Any octets corresponding to a disallowed character are escaped with the URI escaping mechanism (that is, converted to %HH, where HH is the hexadecimal notation of the octet value).
  3. The original character is replaced by the resulting character sequence.

The mapping from this attribute's value to a URI reference MUST be performed as specified in section 3.2.17 of [XMLSCHEMA Datatypes, 2nd Edition]. Additionally: Some existing implementations are known to verify the value of the URI attribute against the grammar in [URI]. It is therefore safest to perform any necessary escaping while generating the URI attribute.

XML signature applications MUST be able to parse URI syntax. We RECOMMEND theyXML signature applications be able to dereference URIs in the HTTP scheme. Dereferencing a URI in the HTTP scheme MUST comply with the Status Code Definitions of [HTTP] (e.g., 302, 305 and 307 redirects are followed to obtain the entity-body of a 200 status code response). Applications should also be cognizant of the fact that protocol parameter and state information, (such as HTTP cookies, HTML device profiles or content negotiation), may affect the content yielded by dereferencing a URI.

The optional Type attribute contains information about the type of object being signed after allds:Reference transforms have been applied%% E05 2002-05-08 %%. This is represented as a URI. For example:

The Type attribute applies to the item being pointed at, not its contents. For example, a reference that identifies results in the digesting of %%E05%% anObject element containing aSignatureProperties element is still of type#Object. The type attribute is advisory. No validation of the type information is required by this specification.

4.3.3.2 The Reference Processing Model

Note: The Reference Generation Model (section 3.1.1) includes further restrictions on the reliance upon defined default transformations when applications generate signatures.

In this specification, a 'same-document' reference is defined as a URI-Reference thatdoes not contain a URI. consists of a hash sign ('#') followed by a fragment or alternatively consists of an empty URI [URI].

Unless the URI-Reference is such a 'same-document' reference as defined in [URI, Section 4.2], the result of dereferencing the URI-Reference MUST be an octet stream. In particular, an XML document identified by URI is not parsed by the signature application unless the URI is a same-document reference or unless a transform that requires XML parsing is applied. (See Transforms (section 4.3.3.1).)

When a fragment is preceded by an absolute or relative URI in the URI-Reference, the meaning of the fragment is defined by the resource's MIME type. Even for XML documents, URI dereferencing (including the fragment processing) might be done for the signature application by a proxy. Therefore, reference validation might fail if fragment processing is not performed in a standard way (as defined in the following section for same-document references). Consequently, we RECOMMEND in this case that the URI� attribute not include fragment identifiers and that such processing be specified as an additional XPath Transform.

When a fragment is not preceded by a URI in the URI-Reference, XML sSignature applications MUST support the null URI and barename shortname XPointer [XPointer-Framework]. We RECOMMEND support for the same-document XPointers '#xpointer(/)' and '#xpointer(id('ID'))' if the application also intends to support any canonicalization that preserves comments. (Otherwise URI="#foo" will automatically remove comments before the canonicalization can even be invokeddue to the processing defined in Same-Document URI-References (section 4.3.3.3).) All other support for XPointers is OPTIONAL, especially all support forbarenameshortname and other XPointers in external resources since the application may not have control over how the fragment is generated (leading to interoperability problems and validation failures).

'#xpointer(/)' MUST be interpreted to identify the root node [XPath] of the document that contains the URI attribute.

'#xpointer(id('_ID_'))' MUST be interpreted to identify the element node identified by '#element(_ID_)' [XPointer-Element] when evaluated with respect to the document that contains the URI attribute.

The original edition of this specification [XMLDSIG-2002] referenced the XPointer Candidate Recommendation [XPTR-2001] and some implementations support it optionally. That Candidate Recommendation has been superseded by the [XPointer-Framework], [XPointer-xmlns] and [XPointer-Element] Recommendations, and -- at the time of this edition -- the [XPointer-xpointer] Working Draft. Therefore, the use Support of thexpointer() scheme [XPointer-xpointer] beyond theminimal usage discussed in this section is discouraged.

Identifies the element with ID attribute value 'chapter1' of the external XML resource 'http://example.com/bar.xml', provided as an octet stream. Again, for the sake of interoperability, the element identified as 'chapter1' should be obtained using an XPath transform rather than a URI fragment (barenameshortname XPointer resolution in external resources is not REQUIRED in this specification).

Identifies a node-set containing the element with ID attribute value 'chapter1' of the XML resource containing the signature. XML Signature (and its applications) modify this node-set to include the element plus all descendentsdescendants including namespaces and attributes -- but not comments.

4.3.3.3 Same-Document URI-References

Dereferencing a same-document reference MUST result in an XPath node-set suitable for use by Canonical XML [XML-C14N]. Specifically, dereferencing a null URI (URI="") MUST result in an XPath node-set that includes every non-comment node of the XML document containing the URI attribute. In a fragment URI, the characters after the number sign ('#') character conform to the XPointer syntax [Xptr][XPointer-Framework]. When processing an XPointer, the application MUST behave as if the XPointer was evaluated with respect to theroot node of the XML document containing theURI attribute were used to initialize the XPointer evaluation context. The application MUST behave as if the result of XPointer processing [XPointer-Framework] were a node-set derived from the resultant location-set resultant subresource as follows:

  1. discard point nodes
  2. replace each range node with all XPath nodes having full or partial content within the range
  3. include XPath nodes having full or partial content within the subresource
  4. if the URI is not a full XPointerhas no fragment identifier or the fragment identifier is a shortname XPointer, then delete all comment nodes

The last step is performed for null URIs, barename and shortname XPointers and child sequence XPointers. It' is necessary because when [XML-C14N] or [XML-C14N11] is passed a node-set, it processes the node-set as is: with or without comments. Only when it' is called with an octet stream does it invoke its own XPath expressions (default or without comments). Therefore to retain the default behavior of stripping comments when passed a node-set, they are removed in the last step if the URI is not a fullscheme-based XPointer. To retain comments while selecting an element by an identifier_ID_, use the followingfullscheme-based XPointer:URI='#xpointer(id('_ID_'))'. To retain comments while selecting the entire document, use the followingfullscheme-based XPointer:URI='#xpointer(/)'. This XPointer contains a simple XPath expression that includes the root node, which the second to last step above replaces with all nodes of the parse tree (all descendants, plus all attributes, plus all namespaces nodes).

The interpretation of these XPointers is defined inThe Reference Processing Model (section 4.3.3.2).

4.3.3.4 The Transforms Element

Examples of transforms include but are not limited to base64 decoding [MIME], canonicalization [XML-C14N], XPath filtering [XPath], and XSLT [XSLT]. The generic definition of the Transform element also allows application-specific transform algorithms. For example, the transform could be a decompression routine given by a Java class appearing as a base64 encoded parameter to a JavaTransform algorithm. However, applications should refrain from using application-specific transforms if they wish their signatures to be verifiable outside of their application domain. Transform Algorithms Transform Algorithms (section 6.6) defines the list of standard transformations.

4.3.3.5 The DigestMethod Element

4.3.3.6 The DigestValue Element

4.4 The KeyInfo Element

4.4.1 The KeyName Element

4.4.2 The KeyValue Element

4.4.2.1 The DSAKeyValue Element

4.4.2.2 The RSAKeyValue Element

4.4.3 The RetrievalMethod Element

Type is an optional identifier for the type of data to be retrieved after all transforms have been applied%% E05 2002-05-08 %%. The result of dereferencing a RetrievalMethod [Reference](#sec-URI) for all KeyInfo types defined by this specification (section 4.4) with a corresponding XML structure is an XML element or document with that element as the root. The rawX509Certificate KeyInfo (for which there is no XML structure) returns a binary X509 certificate.

Schema Definition

Note: The schema for theURI attribute of RetrievalMethod erroneously omitted the attribute: use="required"

The DTD is correct. However, this error only results in a more lax schema which permits all valid RetrievalMethod elements. Because the existing schema is embedded in many applications, which may include the schema in their signatures, the schema has not been corrected to be more restrictive.

4.4.4 The X509Data Element

    • The element, which contains an X.509 issuer distinguished name/serial number pair. The distinguished name SHOULD be represented as a string that complies with section 3 of that SHOULD be compliant with RFC22534514 [LDAP-DN] [LDAP-DN], to be generated according to the Distinguished Name Encoding Rules section below,
    • The element, which contains an X.509 subject distinguished name that SHOULD berepresented as a string that complies with section 3 of compliant with RFC22534514 [LDAP-DN] [LDAP-DN], to be generated according to the Distinguished Name Encoding Rules section below,

4.4.4.1 Distinguished Name Encoding Rules

Also, strings in DNamesTo encode a distinguished name (X509IssuerSerial,X509SubjectName, andKeyName if approriateappropriate), the encoding rules in section 2 of RFC 2253 4514 [LDAP-DN] [LDAP-DN] SHOULD be applied, except that the string encoding character escaping rules in section 2.4 of RFC 2253 4514 [LDAP-DN] [LDAP-DN] should MAY be encoded augmented as follows:

Since a XML document logically consists of characters, not octets, the resulting Unicode string is finally encoded according to the character encoding used for producing the physical representation of the XML document.

4.4.5 The PGPData Element

4.4.6 The SPKIData Element

4.4.7 The MgmtData Element

4.5 The Object Element

The MimeType attribute is an optional attribute which describes the data within the Object (independent of its encoding). This is a string with values defined by [MIME]. For example, if theObject contains base64 encoded PNG, theEncoding may be specified as 'http://www.w3.org/2000/09/xmldsig#base64' %% E06 2002-06-06 %% and the MimeType as 'image/png'. This attribute is purely advisory; no validation of theMimeType information is required by this specification. Applications which require normative type and encoding information for signature validation should specify[Transforms](#sec-Transforms) with well defined resulting types and/or encodings.

5.0 Additional Signature Syntax

5.1 The Manifest Element

5.2 The SignatureProperties Element

5.3 Processing Instructions in Signature Elements

5.4 Comments in Signature Elements

6.0 Algorithms

6.1 Algorithm Identifiers and Implementation Requirements

  1. Required Canonical XML 1.0(omits comments)
  2. Recommended Canonical XML 1.0with Comments
  3. Required Canonical XML 1.1 (omits comments)
    http://www.w3.org/2006/12/xml-c14n11
  4. Recommended Canonical XML 1.1 with Comments
    http://www.w3.org/2006/12/xml-c14n11#WithComments

6.2 Message Digests

6.2.1 SHA-1

The SHA-1 SHA-1 algorithm [SHA-1] takes no explicit parameters. An example of an SHA-1 DigestAlg element is:

6.3 Message Authentication Codes

6.3.1 HMAC

6.4 Signature Algorithms

6.4.1 DSA

6.4.2 PKCS1 (RSA-SHA1)

The expression "RSA algorithm" as used in thisdraftspecification%%E07 2003-01-10%% refers to the RSASSA-PKCS1-v1_5 algorithm described in RFC 2437 [PKCS1]. The RSA algorithm takes no explicit parameters. An example of an RSA SignatureMethod element is:

6.5 Canonicalization Algorithms

Various canonicalization algorithms require conversion to [UTF-8].The two algorithms below understand at least [UTF-8] and [UTF-16] as input encodings. We RECOMMEND that externally specified algorithms do the same. Knowledge of other encodings is OPTIONAL.

Various canonicalization algorithms transcode from a non-Unicode encoding to Unicode. The two algorithms below perform text normalization during transcodingThe output of these algorithms will be in NFC [NFC, NFC-Corrigendum]. This is because the XML processor used to prepare the XPath data model input is required (by the Data Model) to use Normalization Form C when converting an XML document to the UCS character domain from any encoding that is not UCS-based. %% E04 2002-03-20 %%

This specification REQUIRES implementation of both Canonical XML 1.0 [XML-C14N] and Canonical XML 1.1 [XML-C14N11]. We RECOMMEND that generators applications that generate signatures choose Canonical XML 1.1 [XML-C14N11] when inclusive canonicalization is desired.

Note: Canonical XML 1.0 [XML-C14N] and Canonical XML 1.1 [XML-C14N11] specifiesy a standard serialization of XML that, when applied to a subdocument, includes the subdocument's ancestor context including all of the namespace declarations and some attributes in the 'xml:' namespace. However, some applications require a method which, to the extent practical, excludes unused ancestor context from a canonicalized subdocument. The Exclusive XML Canonicalization Recommendation [XML-exc-C14N] may be used to address requirements resulting from scenarios where a subdocument is moved between contexts. %%E02 2002-01-29%%

6.5.1 Canonical XML 1.0

Identifier for REQUIRED Canonical XML 1.0 (omits comments):

Identifier for Canonical XML 1.0 with Comments:

The normative specification of Canonical XML1.0 is [XML-C14N]. The algorithm is capable of taking as input either an octet stream or an XPath node-set (or sufficiently functional alternative). The algorithm produces an octet stream as output. Canonical XML is easily parameterized (via an additional URI) to omit or retain comments.

6.5.2 Canonical XML 1.1

Identifier for REQUIRED Canonical XML 1.1 (omits comments):

http://www.w3.org/2006/12/xml-c14n11

Identifier for Canonical XML 1.1 with Comments:

http://www.w3.org/2006/12/xml-c14n11#WithComments

The normative specification of Canonical XML 1.1 is [XML-C14N11]. The algorithm is capable of taking as input either an octet stream or an XPath node-set (or sufficiently functional alternative). The algorithm produces an octet stream as output. Canonical XML 1.1 is easily parameterized (via an additional URI) to omit or retain comments.

6.6 Transform Algorithms

6.6.1 Canonicalization

6.6.2 Base64

This transform requires an octet stream for input. If an XPath node-set (or sufficiently functional alternative) is given as input, then it is converted to an octet stream by performing operations logically equivalent to 1) applying an XPath transform with expression self::text(), then 2) taking the string-value of the node-set. Thus, if an XML element is identified by a barenameshortname XPointer in the Reference URI, and its content consists solely of base64 encoded character data, then this transform automatically strips away the start and end tags of the identified element and any of its descendant elements as well as any descendant comments and processing instructions. The output of this transform is an octet stream.

6.6.3 XPath Filtering

The input required by this transform is an XPath node-set. Note that if the actual input is an XPath node-set resulting from a null URI or barenameshortname XPointer dereference, then comment nodes will have been omitted. If the actual input is an octet stream, then the application MUST convert the octet stream to an XPath node-set suitable for use by Canonical XML with Comments. (A subsequent application of the REQUIRED Canonical XML algorithm would strip away these comments.) In other words, the input node-set should be equivalent to the one that would be created by the following process:

Note that the XML-Signature XPath Filter 2.0 Recommendation [XPath-Filter-2] may be used for this purpose. This recommendation defines an XPath transform that permits the easy specification of subtree selection and omission that can be efficiently implemented.%%E03 2002-01-29%%

6.6.4 Enveloped Signature Transform

6.6.5 XSLT Transform

7.0 XML Canonicalization and Syntax Constraint Considerations

7.1 XML 1.0, Syntax Constraints, and Canonicalization

7.2 DOM/SAX Processing and Canonicalization

7.3 Namespace Context and Portable Signatures

8.0 Security Considerations

8.1 Transforms

8.1.1 Only What is Signed is Secure

8.1.2 Only What is "Seen" Should be Signed

8.1.3 "See" What is Signed

8.2 Check the Security Model

8.3 Algorithms, Key Lengths, Certificates, Etc.

9.0 Schema, DTD, Data Model, and Valid Examples

10.0 Definitions

11.0 References

FIPS PUB 186-2 FIPS PUB 186-2. U.S. Department of Commerce/National Institute of Standards and Technology. http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf

RFC4514 2253. Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names. M. Wahl, S. Kille, T. HowesK. Zeilenga, Ed. December 1997 June 2006.http://www.ietf.org/rfc/rfc2253.txthttp://www.ietf.org/rfc/rfc4514.txt

SAX: The Simple API for XMLSAX: The Simple API for XML. D. Megginson, et al. May 1998.http://www.megginson.com/SAX/index.htmlhttp://www.megginson.com/downloads/SAX/

FIPS PUB 180-1 FIPS PUB 180-2. U.S. Department of Commerce/National Institute of Standards and Technology.http://csrc.nist.gov/publications/fips/fips180-1/fip180-1.txt http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf

Unicode

The Unicode Consortium. The Unicode Standard. http://www.unicode.org/unicode/standard/standard.html

RFC 2396. RFC 3986. T. Berners-Lee, R. Fielding, L. Masinter. August 1998January 2005.http://www.ietf.org/rfc/rfc2396.txt http://www.ietf.org/rfc/rfc3986.txt

URI-Literal

RFC 2732. Format for Literal IPv6 Addresses in URL's. R. Hinden, B. Carpenter, L. Masinter. December 1999.

http://www.ietf.org/rfc/rfc2732.txt

Extensible Markup Language (XML) 1.0 (Second Edition). W3C Recommendation. T. Bray, E. Maler, J. Paoli, C. M. Sperberg-McQueen. October 2000.Extensible Markup Language (XML) 1.0 (Fourth Edition). W3C Recommendation T. Bray, E. Maler, J. Paoli, C. M. Sperberg-McQueen, F.Yergeau. 16 August 2006, edited in place 29 September 2006.

http://www.w3.org/TR/2000/REC-xml-20001006 http://www.w3.org/TR/2000/REC-xml-20060816/

XML-C14N11

Canonical XML 1.1. W3C Recommendation. J. Boyer, G. Marcy. 2 May 2008.
http://www.w3.org/TR/2008/REC-xml-c14n11-20080502/

XML-exc-C14N

Exclusive XML Canonicalization Version 1.0 W3C Recommendation. J. Boyer, D. Eastlake 3rd., J. Reagle. July 2002.
http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/

Namespaces in XML. W3C Recommendation. T. Bray, D. Hollander, A. Layman. January 1999.Namespaces in XML 1.0 (Second Edition). W3C Recommendation. T. Bray, D. Hollander, A. Layman, R. Tobin. 16 August 2006.

http://www.w3.org/TR/1999/REC-xml-names-19990114http://www.w3.org/TR/2006/REC-xml-names-20060816/

. W3C Recommendation. H. Thompson,D. Beech, M. Maloney, N. Mendelsohn, H. Thompson. May 2001October 2004.

http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/ http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/ W3C Recommendation. P. Biron, A. Malhotra. May 2001.

http://www.w3.org/TR/2002/REC-xmldsig-core-20020212//

XMLDSIG-2002

XML-Signature Syntax and Processing. D. Eastlake, J. Reagle, and D. Solo. W3C Recommendation, February 2002.

http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/

XPath Filter-2

XML-Signature XPath Filter 2.0. W3C Recommendation. J. Boyer, M. Hughes, J. Reagle. November 2002.
http://www.w3.org/TR/2002/REC-xmldsig-filter2-20021108/

XPTR-2001

XML Pointer Language (XPointer). W3C Candidate Recommendation. S. DeRose, R. Daniel, E. Maler. January 2001.

http://www.w3.org/TR/2001/CR-xptr-20010911/

XPointer-Element

XPointer element() Scheme. W3C Recommendation. P. Grosso, E. Maler, J. Marsh, N. Walsh. March 2003.

http://www.w3.org/TR/2003/REC-xptr-element-20030325/

XPointer-Framework

XPointer Framework. W3C Recommendation. P. Grosso, E. Maler, J. Marsh, N. Walsh. March 2003.

http://www.w3.org/TR/2003/REC-xptr-framework-20030325/

XPointer-xpointer

XPointer xpointer() Scheme. W3C Working Draft. S. DeRose, E. Maler, R. Daniel. December 2002.

http://www.w3.org/TR/2002/WD-xptr-xpointer-20021219/

XPointer-xmlns

XPointer xmlns() Scheme. W3C Working Recommendation. S. DeRose, R. Daniel, E. Maler, J. Marsh. March 2003.

http://www.w3.org/TR/2003/REC-xptr-xmlns-20030325/

XSL

Extensible Stylesheet Language (XSL). W3C Recommendation. S. Adler, A. Berglund, J. Caruso, S. Deach, T. Graham, P. Grosso, E. Gutentag, A. Milowski, S. Parnell, J. Richman, S. Zilles. October 2001.

12. Address

Donald E. Eastlake 3rd
Motorola Laboratories, 20 Forbes Boulevard
111 Locke Drive
Marlborough, MA 01752 USA
Mansfield, MA 02048 USA Phone: 1-508-261-5434 +1-508-786-7554
Email: Donald.Eastlake@motorola.com d3e3e3@gmail.com

Joseph M. Reagle Jr., W3C Massachusetts Institute of Technology Laboratory for Computer Science NE43-350, 545 Technology Square Cambridge, MA 02139 Phone: + 1.617.258.7621 Email: reagle@w3.org Joseph M. Reagle Jr.
Department of Media, Culture, and Communication
New York University
Email: reagle@mit.edu