XML signature extensibility using custom transforms

2004 
The XML Signature specification defines a set of algorithms to be used to ensure security and application inter-operability for content signed using an XML Signature. We discuss a limitation of the XML Signature that arises from its extensibility to cater for new algorithms, and that is likely to be encountered in real-world implementations. We propose two ways to use and disseminate newly defined, or custom, transformation algorithms to address this limitation. These involve downloading the algorithm on-demand, or embedding the algorithm in the signature itself. Finally, we highlight a possible vulnerability to attack in the existing XML Signature Core Validation process when using custom transforms, and suggest an extension to the XML Signature standard to remedy this.