KeyInfo Child Elements


Table 13-1 summarizes the child elements of KeyInfo specified in XML Security. The URI given is intended for use in the Type attribute of a RetrievalMethod element (see Section 13.3) or of a Reference element (see Chapter 10).

You can extend the specifications of many of KeyInfo's children, including PGPData, SPKIData, and X509Data, with elements from another namespace.

Table 13-1. KeyInfo Child Elements

| Element Name | Implementation (XMLDSIG) | Implementation (XMLENC) | Type URI |
|---|---|---|---|
| KeyValue | Required | Deprecated | http://www.w3.org/2001/04/xmldsig-more#KeyValue |
| EncryptedKey | Optional | Required | http://www.w3.org/2001/04/xmlenc#EncryptedKey |
| RetrievalMethod | Recommended | Required[1] | http://www.w3.org/2001/04/xmldsig-more# |
| AgreementMethod | Optional | Optional | http://www.w3.org/2001/04/xmlenc#AgreementMethod |
| KeyName | Optional | Recommended[2] | http://www.w3.org/2001/04/xmldsig-more#KeyName |
| X509Data | Optional | Optional | http://www.w3.org/2000/09/xmldsig#X509Data |
| PGPData | Optional | Optional | http://www.w3.org/2000/09/xmldsig#PGPData |
| SPKIData | Optional | Optional | http://www.w3.org/2000/09/xmldsig#SPKIData |
| MgmtData | Deprecated | Deprecated | http://www.w3.org/2000/09/xmldsig#MgmtData |

[1] Required only for same-document retrieval of EncryptedKey.

[2] Recommended for KeyName referral to the CarriedKeyName of an EncryptedKey.

Table 13-3. Additional RetrievalMethod Type URIs

This extension is possible only if it is safe to ignore these extension or complementary elements while claiming support for the types specified in the standards. If it is not safe to ignore these elements, then you must specify the alternative structures to those specified by the standard as children of KeyInfo, not grandchildren. (Of course, new structures from external namespaces can incorporate elements from the XMLDSIG namespace via features of the schema type definition language, as described in Chapter 5. They can create a DTD that mixes their own and XMLDSIG qualified elements, or a schema that permits, includes, imports, or derives new types based on XMLDSIG elements.)

The XML Security recommendations do not define the type URIs containing "xmldsig-more" in their path component. Rather, these URIs appear in an in-progress draft. Some implementations may not recognize such URIs even if the corresponding element is mandatory or recommended to implement. Because the URI is used only in RetrievalMethod or Reference elements, the element can be supported as a KeyInfo child without the URI necessarily being recognized in a Type attribute. For example, KeyValue is mandatory to implement as an element, but recognition of the type URI "http://www.w3.org/2001/04/xmldsig-more#KeyValue" is optional. The "Implementation" column in Table 13-1 applies to the element used as a child of KeyInfo, not to recognizing it as a Type.
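To make the two points above concrete (the per-profile implementation levels of Table 13-1, and the fact that a Type URI need not be recognized for its element to be supported as a KeyInfo child), here is an added Python example that is not from the book. It audits the direct children of a ds:KeyInfo against the table for a chosen profile, flags extension elements from other namespaces that an implementation must decide whether it is safe to ignore, and reports how a RetrievalMethod Type attribute relates to the listed URIs. The sample KeyInfo, the urn:example:ext namespace, and all function names are constructed for this example; the RetrievalMethod Type URI is truncated on the page, so it is deliberately left out of the lookup.

```python
"""Audit the direct children of a ds:KeyInfo element against Table 13-1 (added example)."""
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ENC_NS = "http://www.w3.org/2001/04/xmlenc#"
# URIs under this prefix come from an in-progress draft; recognizing them is optional.
MORE_PREFIX = "http://www.w3.org/2001/04/xmldsig-more#"

# Table 13-1 as data: local name -> (namespace, XMLDSIG level, XMLENC level, Type URI).
# The RetrievalMethod Type URI is truncated on the page, so it is recorded as None.
# Footnotes: RetrievalMethod is Required in XMLENC only for same-document retrieval of
# EncryptedKey; KeyName is Recommended in XMLENC for referral to a CarriedKeyName.
TABLE_13_1 = {
    "KeyValue":        (DSIG_NS, "Required",    "Deprecated",  MORE_PREFIX + "KeyValue"),
    "EncryptedKey":    (ENC_NS,  "Optional",    "Required",    ENC_NS + "EncryptedKey"),
    "RetrievalMethod": (DSIG_NS, "Recommended", "Required",    None),
    "AgreementMethod": (ENC_NS,  "Optional",    "Optional",    ENC_NS + "AgreementMethod"),
    "KeyName":         (DSIG_NS, "Optional",    "Recommended", MORE_PREFIX + "KeyName"),
    "X509Data":        (DSIG_NS, "Optional",    "Optional",    DSIG_NS + "X509Data"),
    "PGPData":         (DSIG_NS, "Optional",    "Optional",    DSIG_NS + "PGPData"),
    "SPKIData":        (DSIG_NS, "Optional",    "Optional",    DSIG_NS + "SPKIData"),
    "MgmtData":        (DSIG_NS, "Deprecated",  "Deprecated",  DSIG_NS + "MgmtData"),
}
KNOWN_TYPE_URIS = {uri: name for name, (_, _, _, uri) in TABLE_13_1.items() if uri}


def split_qname(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def classify_type_uri(uri):
    """Describe how a RetrievalMethod/Reference Type URI relates to Table 13-1."""
    if uri is None:
        return "no Type attribute"
    if uri in KNOWN_TYPE_URIS:
        kind = ("draft (xmldsig-more), recognition optional"
                if uri.startswith(MORE_PREFIX) else "standard")
        return f"{KNOWN_TYPE_URIS[uri]}: {kind}"
    if uri.startswith(MORE_PREFIX):
        return "unknown draft (xmldsig-more) URI"
    return "unknown Type URI"


def audit_keyinfo(xml_text, profile):
    """Return (local name, finding) per direct child of KeyInfo for 'XMLDSIG' or 'XMLENC'."""
    col = {"XMLDSIG": 1, "XMLENC": 2}[profile]
    root = ET.fromstring(xml_text)
    if split_qname(root.tag) == (DSIG_NS, "KeyInfo"):
        keyinfo = root
    else:
        keyinfo = root.find(f"{{{DSIG_NS}}}KeyInfo")
    if keyinfo is None:
        raise ValueError("no ds:KeyInfo element found")
    findings = []
    for child in keyinfo:
        ns, local = split_qname(child.tag)
        entry = TABLE_13_1.get(local)
        if entry is None or entry[0] != ns:
            # An element from another namespace: the text allows this extension only
            # when skipping the element is safe while still claiming standard support.
            findings.append((local, f"extension element from {ns or 'no'} namespace; ignore only if safe"))
            continue
        note = f"{entry[col]} to implement in {profile}"
        if local == "RetrievalMethod":
            note += "; Type " + classify_type_uri(child.get("Type"))
        findings.append((local, note))
    return findings


# Constructed sample input; the ex: namespace is invented for the example.
SAMPLE_KEYINFO = f"""<ds:KeyInfo xmlns:ds="{DSIG_NS}" xmlns:ex="urn:example:ext">
  <ds:KeyName>alice-signing-key</ds:KeyName>
  <ds:RetrievalMethod URI="#k1" Type="{MORE_PREFIX}KeyValue"/>
  <ds:MgmtData>legacy</ds:MgmtData>
  <ex:Hint>opaque</ex:Hint>
</ds:KeyInfo>"""

if __name__ == "__main__":
    for profile in ("XMLDSIG", "XMLENC"):
        for name, finding in audit_keyinfo(SAMPLE_KEYINFO, profile):
            print(f"[{profile}] {name}: {finding}")
```

Running the script shows the same KeyName child reported as Optional under XMLDSIG but Recommended under XMLENC, the RetrievalMethod's xmldsig-more Type URI marked as draft and optional to recognize, and the ex:Hint child surfaced as an extension that a verifier must consciously decide to ignore or reject.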



Secure XML: The New Syntax for Signatures and Encryption
ISBN: 0201756056
Year: 2005
Pages: 186