We have a question with regards to XML-sig and need detail about the optional elements as well as some of the canonicalization and transform stuff. We're writing a spec for a very small XML-syntax payload that will go into the metadata of media files and it needs to by cryptographically signed. Rather than re-invent the wheel, We thought we should use the XML-sig spec but I think most of it is overkill for what we need, and so we like to have more information/dialogue with people who know the details.
Specifically, do we need to care about either transforms or canonicalization if the XML is very basic with no tabs for formatting and is specific to our needs?
If the option exists to not do an XML signature and instead just to treat the XML as a byte stream and to sign that, do it. It will be easier to implement, easier to understand, more stable (no canonicalization, transform, policy, ...) and faster.
If you absolutely must have XML DSIG (sadly, some of us must), it is certainly possible these days but there are many, many caveats. You need good library support, with Java this is out of the box in JDK 1.6, I am not familiar with other platforms. You must test interoperability with the receiving end of your signed XML, especially if they are potentially on a different platform.
Be sure to read Why XML Security Is Broken, it basically covers all the ground regarding the horror that is XML Canonicalization and gives some pointers to some alternatives.