Web Filter Rk 4.4.2 Serial: How to Get It, Activate It, and Configure It for Your Needs
This specification does not address mechanisms for making statements or assertions. Instead, this document defines what it means for something to be signed by an XML Signature (integrity, message authentication, and/or signer authentication). Applications that wish to represent other semantics must rely upon other technologies, such as [XML10], [RDF-PRIMER]. For instance, an application might use a foo:assuredby attribute within its own markup to reference a Signature element. Consequently, it's the application that must understand and know how to make trust decisions given the validity of the signature and the meaning of assuredby syntax. We also define a SignatureProperties element type for the inclusion of assertions about the signature itself (e.g., signature semantics, the time of signing or the serial number of hardware used in cryptographic processes). Such assertions may be signed by including a Reference for the SignatureProperties in SignedInfo. While the signing application should be very careful about what it signs (it should understand what is in the SignatureProperty) a receiving application has no obligation to understand that semantic (though its parent trust engine may wish to). Any content about the signature generation may be located within the SignatureProperty element. The mandatory Target attribute references the Signature element to which the property applies.
Web Filter Rk 4.4.2 Serial
Note, After a Signature element has been created in Signature Generation for a signature with a same document reference, an implementation can serialize the XML content with variations in that serialization. This means that Reference Validation needs to canonicalize the XML document before digesting in step 1 to avoid issues related to variations in serialization.
SignedInfo does not include explicit signature or digest properties (such as calculation time, cryptographic device serial number, etc.). If an application needs to associate properties with the signature or digest, it may include such information in a SignatureProperties element within an Object element.
We recommend applications that implement a text-based instead of XML-based canonicalization -- such as resource constrained apps -- generate canonicalized XML as their output serialization so as to mitigate interoperability and security concerns. For instance, such an implementation SHOULD (at least) generate standalone XML instances [XML10].
Examples of transforms include but are not limited to base64 decoding [RFC2045], canonicalization [XML-C14N], XPath filtering [XPATH], and XSLT [XSLT]. The generic definition of the Transform element also allows application-specific transform algorithms. For example, the transform could be a decompression routine given by a Java class appearing as a base64 encoded parameter to a Java Transform algorithm. However, applications should refrain from using application-specific transforms if they wish their signatures to be verifiable outside of their application domain. Transform Algorithms (section 6.6) defines the list of standard transformations.
The X509IssuerSerial element has been deprecated in favor of the newly-introduced dsig11:X509Digest element. The XML Schema type of the serial number was defined to be an integer, and XML Schema validators may not support integer types with decimal data exceeding 18 decimal digits [XMLSCHEMA-2]. This has proven insufficient, because many Certificate Authorities issue certificates with large, random serial numbers that exceed this limit. As a result, deployments that do make use of this element should take care if schema validation is involved. New deployments SHOULD avoid use of the element.
Historical note: The DEREncodedKeyValue element was added to XML Signature 1.1 in order to support certain interoperability scenarios where at least one of signer and/or verifier are not able to serialize keys in the XML formats described in section 4.5.2 The KeyValue Element above. The KeyValue element is to be used for "bare" XML key representations (not XML wrappings around other binary encodings like ASN.1 DER); for this reason the DEREncodedKeyValue element is not a child of KeyValue. The DEREncodedKeyValue element is also not a child of the X509Data element, as the keys represented by DEREncodedKeyValue may not have X.509 certificates associated with them (a requirement for X509Data).
Additional information items concerning the generation of the signature(s) can be placed in a SignatureProperty element (i.e., date/time stamp or the serial number of cryptographic hardware used in signature generation).
When using transforms, we RECOMMEND selecting the least expressive choice that still accomplishes the needs of the use case at hand: Use of XPath filter 2.0 is recommended over use of XPath filter. Use of XPath filter is recommended over use of XSLT.
Note: Canonical XML 1.0 [XML-C14N] and Canonical XML 1.1 [XML-C14N11] specify a standard serialization of XML that, when applied to a subdocument, includes the subdocument's ancestor context including all of the namespace declarations and some attributes in the 'xml:' namespace. However, some applications require a method which, to the extent practical, excludes unused ancestor context from a canonicalized subdocument. The Exclusive XML Canonicalization Recommendation [XML-EXC-C14N] may be used to address requirements resulting from scenarios where a subdocument is moved between contexts.
We RECOMMEND that XSLT transform authors use an output method of xml for XML and HTML. As XSLT implementations do not produce consistent serializations of their output, we further RECOMMEND inserting a transform after the XSLT transform to canonicalize the output. These steps will help to ensure interoperability of the resulting signatures among applications that support the XSLT transform. Note that if the output is actually HTML, then the result of these steps is logically equivalent [XHTML10].
If an XML Signature is to be produced or verified on a system using the DOM or SAX processing, a canonical method is needed to serialize the relevant part of a DOM tree or sequence of SAX events. XML canonicalization specifications, such as [XML-C14N], are based only on information which is preserved by DOM and SAX. For an XML Signature to be verifiable by an implementation using DOM or SAX, not only must the XML 1.0 syntax constraints given in the section 7.1 XML 1.0 Syntax Constraints, and Canonicalization be followed but an appropriate XML canonicalization MUST be specified so that the verifier can re-serialize DOM/SAX mediated input into the same octet stream that was signed.
When serializing a Signature element or signed XML data that's the child of other elements using these data models, that Signature element and its children may have in-scope namespaces inherited from its ancestral context. In addition, the Canonical XML and Canonical XML with Comments algorithms define special treatment for attributes in the XML namespace, which can cause them to be part of the canonicalized XML even if they were outside of the document subset. Simple inheritable attributes (i.e. attributes that have a value that requires at most a simple redeclaration such as xml:lang and xml:space) are inherited from nearest ancestor in which they are declared to the apex node of canonicalized XML unless they are already declared at that node. This may frustrate the intent of the signer to create a signature in one context which remains valid in another. For example, given a signature which is a child of B and a grandchild of A:
Additionally, the signature secures any information introduced by the transform: only what is "seen" (that which is represented to the user via visual, auditory or other media) should be signed. If signing is intended to convey the judgment or consent of a user (an automated mechanism or person), then it is normally necessary to secure as exactly as practical the information that was presented to that user. Note that this can be accomplished by literally signing what was presented, such as the screen images shown a user. However, this may result in data which is difficult for subsequent software to manipulate. Instead, one can sign the data along with whatever filters, style sheets, client profile or other information that affects its presentation.
The astrocyte endfeet are connected together by gap junctions but the clefts between them are not sealed by tight junctions and thus are routes for passage of water and solutes including markers as large as horseradish peroxidase [11, 12] between the basement membrane and the interstitial spaces. However, there is evidence that movement through the clefts can be slow compared to that along the basement membrane and that, at least under some circumstances the endfoot layer can present a major barrier to transport between the blood and the brain parenchyma [13, 14]. The extent to which the astrocytes and pericytes cover the endothelial tube has been calculated by Mathiisen et al.  from serial sections of the CA1 layer of rat hippocampus. They found that the clefts available for diffusion away from the tube to the interstitium occupy only 0.3% of the surface area.