Mike,

It appears your problem is related to signature verification changes we noticed in the recent Java 7u25 update. We observed that by not using a validating parser, id uniqueness could not be guaranteed, which resulted in signature verification failures for security reasons.

Our solution was to bind the <signedMark> element's id to the validating context, seemingly equivalent to 3) xmlAddID of section 3.2 of http://www.aleksey.com/xmlsec/faq.html.

Implementors who are yet to update to the latest Java version, or are having trouble doing so, may find the last comment of http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8017171 useful.

I too am interested in knowing the libraries used by the TMCH to generate SMD signatures.

Regards,
James Mitchell / Product Owner
ARI Registry Services

From: Mike O'Connell <mcanix@gmail.com>
Date: Wednesday, 7 August 2013 10:47 PM
To: Francisco Obispo <fobispo@isc.org>
Cc: "tmch-tech@icann.org" <tmch-tech@icann.org>, "gtld-tech@icann.org" <gtld-tech@icann.org>
Subject: Re: [tmch-tech] Test SMDs files now available

I'm also using the XMLSec and LibXML2 libraries and I'm just finishing off the verification of SMD signatures.

Slightly OT but the only issues I've encountered are around the 'id' attribute lacking the prescribed 'xml' prefix, I've had to adjust the invocation to XMLSec to get around the reference errors. See section 3.2 of http://www.aleksey.com/xmlsec/faq.html and http://www.w3.org/TR/xml-id/ (dated 9 Sept 2005)

Two questions:
1. Has anyone else encountered this?
2. Which libraries is the TMCH using to generate the SMD signatures?

Kind regards,
Mike O'Connell
--
If you don't know where you are going, any road will get you there.

On 06 Aug 2013, at 12:34 AM, Francisco Obispo <fobispo@isc.org> wrote:

I agree, I do use XMLSEC and LibXML and have not yet encountered any problems, but I do see it as a source of possible problems, so the least data to be transferred the better.

On Aug 5, 2013, at 1:29 PM, "Gould, James" <JGould@verisign.com> wrote:

It's actually a factor of the XML parser and the DSIG software, where based on my experience white space is a factor for validation. Troubleshooting validation issues is not a trivial task. Removing the extra white space and carriage returns (pretty print) will reduce the size and reduce the risk of validation errors.

Francisco Obispo
Director of Applications and Services - ISC
email: fobispo@isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE
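
The ID binding discussed in this thread, shown as an added illustration in standard-library Python; it is not code from any participant, from xmlsec or from the Java XMLDSig implementation. It resolves the ds:Reference URI to exactly one element carrying a plain `id` attribute and fails closed when the id is missing or duplicated. The function name, the constructed sample documents and the use of the signedMark-1.0 namespace are assumptions, and no cryptographic verification is performed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SMD = "urn:ietf:params:xml:ns:signedMark-1.0"  # assumed SMD namespace

class IdResolutionError(ValueError):
    """The signature reference cannot be bound to one unambiguous element."""

def resolve_signed_mark(xml_text):
    """Return the single <signedMark> the ds:Reference points at, or raise."""
    root = ET.fromstring(xml_text)
    refs = root.findall(f".//{{{DS}}}Reference")
    if len(refs) != 1:
        raise IdResolutionError(f"expected 1 ds:Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise IdResolutionError("only same-document '#id' references accepted")
    wanted = uri[1:]
    # A non-validating parser gives no attribute the ID type, so collect every
    # element whose plain 'id' attribute matches and insist on uniqueness.
    matches = [el for el in root.iter() if el.get("id") == wanted]
    if len(matches) != 1:
        raise IdResolutionError(f"id {wanted!r} matched {len(matches)} elements")
    target = matches[0]
    if target.tag != f"{{{SMD}}}signedMark":
        raise IdResolutionError("referenced element is not smd:signedMark")
    # Enveloped signature: the Reference must live inside the element it signs.
    if not any(el is refs[0] for el in target.iter()):
        raise IdResolutionError("ds:Signature is not inside the referenced element")
    return target

# Constructed sample documents (not real SMDs).
SIG = f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#smd-1"/></ds:SignedInfo></ds:Signature>'
GOOD = f'<smd:signedMark xmlns:smd="{SMD}" id="smd-1"><smd:id>1-65535</smd:id>{SIG}</smd:signedMark>'
DUPLICATE = f'<box>{GOOD}<other id="smd-1"/></box>'
MISSING = GOOD.replace('id="smd-1"', 'id="smd-2"', 1)

def describe(xml_text):
    """Return 'ok' or the reason the reference was rejected."""
    try:
        resolve_signed_mark(xml_text)
        return "ok"
    except IdResolutionError as exc:
        return str(exc)

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("duplicate", DUPLICATE), ("missing", MISSING)):
        print(name, "->", describe(doc))
```
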