If you define an element to hold the annotation, then the XPath Filter 2.0 
(http://www.w3.org/TR/xmldsig-filter2/) transform, which is probably 
supported by almost every XML DSig implementation, can do what you want. 
The drawback is that the entity signing the entry would have to generate 
the right signature (using the filter) ahead of time.  Or a recipient, 
upon failing a verification, would have to go and remove the annotation 
elements -- and the "correct" whitespace around them.

The alternative is to define a new canonicalization scheme.  I doubt this 
would get much traction.

        /r$

--
Visiting Member, IBM Academy
STSM, DataPower Chief Programmer
WebSphere DataPower SOA Appliances
http://www.ibm.com/software/integration/datapower/
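
The recipient-side fallback described in the message above, as an added example that is not part of the original message: it strips annotation elements and shows that the digest only matches once the whitespace that came with them is removed too. Assumptions: the element and namespace names are hypothetical, the sample entries are constructed, Python's C14N 2.0 stands in for whichever canonicalization the signature actually uses, and a bare SHA-256 stands in for the Reference digest.

```python
import hashlib
import xml.etree.ElementTree as ET

ANN = "{urn:example:annotation}note"   # hypothetical annotation element

# Constructed sample: the entry as signed, and after an intermediary annotated it.
SIGNED = """<entry xmlns="urn:example:feed">
  <title>Release 1.2</title>
  <content>body</content>
</entry>"""
ANNOTATED = """<entry xmlns="urn:example:feed">
  <title>Release 1.2</title>
  <a:note xmlns:a="urn:example:annotation">seen by proxy</a:note>
  <content>body</content>
</entry>"""

def strip_annotations(root, drop_whitespace):
    """Remove annotation elements; optionally also the whitespace that followed them."""
    for parent in list(root.iter()):
        prev = None
        for child in list(parent):
            if child.tag != ANN:
                prev = child
                continue
            if not drop_whitespace:
                # Keep the text node after the annotation, as removing only
                # the element node would.
                if prev is None:
                    parent.text = (parent.text or "") + (child.tail or "")
                else:
                    prev.tail = (prev.tail or "") + (child.tail or "")
            parent.remove(child)   # ElementTree drops child.tail with the child
    return root

def entry_digest(xml_text, strip=False, drop_whitespace=False):
    """SHA-256 over the canonical form, standing in for the Reference digest."""
    root = ET.fromstring(xml_text)
    if strip:
        strip_annotations(root, drop_whitespace)
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    signed = entry_digest(SIGNED)
    print("annotated as received :", entry_digest(ANNOTATED) == signed)
    print("element removed only  :", entry_digest(ANNOTATED, True, False) == signed)
    print("element + whitespace  :", entry_digest(ANNOTATED, True, True) == signed)
```

Which whitespace counts as "correct" depends on how the annotator inserted the element; this sample assumes it added the element followed by one newline-and-indent run.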
