We've heard feedback that the XPS Digital Signature Policy is unnessarily vague. We've made changes to this policy to be very clear about what must or may be signed. Feedback, as always, is welcome.

Change is as follows:

An XPS Document MUST be considered signed according to the XPS Document signing policy, regardless of the validity of that signature, if the following signing rules are followed:

  1. The following parts MUST be signed:
    • The <SignedInfo> portion of the Digital Signature XML Signature part containing this signature.
    • The FixedDocumentSequence part that is the target of the Start Part package relationship.
    • All FixedDocument parts referenced in the markup of the FixedDocumentSequence part. (Adding a FixedDocument part to a signed XPS Document will invalidate the signature.)
    • All FixedPage parts referenced by all signed FixedDocument parts.
    • All parts associated with each signed FixedPage part by means of a Required Resource relationship (e.g. fonts, images, color profiles, remote resource dictionaries).
    • All DocumentStructure parts associated via a Document Structure relationship with all signed FixedDocument parts.
    • All StoryFragments parts associated via Story Fragments relationship with all signed FixedPage parts.
    • All Thumbnail parts associated via a Thumbnail relationship from the package root  or with any signed FixedPage or FixedDocument part.
  2. The following parts MAY be signed:
    • The CoreProperties part.
    • The Digital Signature Origin part.
    • A Digital Signature Certificate part.
    • All SignatureDefinitions parts associated via a Signature Definitions relationship with any signed FixedDocument part. (Once a document is signed, adding any new signature definitions will invalidate the signature.)
    • PrintTicket parts.
  3. All relationships with the following RelationshipTypes (see Appendix I, “Standard Namespaces and Content Types”) MUST be signed:
    • StartPart relationship from the package root
    • DocumentStructure relationship from a FixedDocument part
    • StoryFragments relationship from a FixedPage part
    • Digital Signature Definitions relationship from a FixedDocument part
    • Required Resource relationship from a FixedPage part
    • Restricted Font relationship from a FixedPage part
    • Thumbnail relationship from a FixedPage part, a FixedDocument part, or from the package root
  4. All relationships with the following RelationshipTypes MUST be signed if their Target part is signed:
    • Core Properties relationship
    • Digital Signature Origin relationship
    • Digital Signature Certificate relationship from a Digital Signature XML Signature part
    • DiscardControl relationship
  5. Relationships with the following RelationshipTypes MAY be signed as a group (they MUST NOT be signed individually):
    • All Digital Signature XML Signature relationships from the Digital Signature Origin part (signing all relationships of this RelationshipType will cause this signature to break when a new signature is added).
  6. All of the above-referenced parts and relationships MUST be signed using a single digital signature.

An XPS Document MUST NOT be considered signed according to the XPS Document signing policy if:

  1. Any part not covered by the signing rules above is included in the signature.
  2. Any relationship not covered by the signing rules above is included in the signature.

An XPS Document digital signer MUST NOT sign an XPS Document that contains content (parts or relationships parts) to be signed that defines the Markup Compatibility namespace but the signer does not fully understand all elements, attributes, and alternate content representations introduced through the markup compatibility mechanisms. An XPS Document digital signer MAY choose not to sign any content (parts or relationships parts) that defines the Markup Compatibility namespace, even if the content is fully understood.

An XPS Document digital signature MUST be shown as an incompliant digital signature if:

  • It violates any of the signing rules described above regarding parts or relationships that MUST or MUST NOT be signed.

An XPS Document digital signature MUST be shown as a broken digital signature if:

  • It is not an incompliant digital signature, but the signature fails the signature validation routines described in the Open Packaging Conventions.

An XPS Document digital signature MUST be shown as a questionable digital signature if any of the following are true:

  • It is not an incompliant or broken digital signature, but the certificate cannot be authenticated against the certificate authority.
  • It is not an incompliant or broken digital signature, but the signed content (parts and relationships) contain elements or attributes from an unknown namespace introduced through the Markup Compatibility mechanisms.

An XPS Document digital signature MAY be shown as a questionable digital signature if:

  • It is not an incompliant or broken digital signature, but contains some other detectable problem at the discretion of the consumer.

An XPS Document digital signature MUST be shown as a valid digital signature if:

  • It is not an incompliant, broken, or questionable digital signature.