This is a good question :) By definition, the enveloped transform removes only the *current* <Signature> element. Suppose you have two <Signature> elements in the document and both use the enveloped transform. When you sign the first <Signature>, the second one has no values yet, and it will be signed without values. Thus when you sign the second <Signature> and try to verify the first one, you'll get an error because now the second <Signature> has all values set.
This means that if you have multiple signatures in the document then you need to make sure that the first signature excludes all others, the second signature excludes all others but maybe the first one, etc. For example, the following XPath transform will exclude all the <Signature> elements:
not(ancestor-or-self::dsig:Signature)
In some cases, you may also need to include the enveloped transform first because of protocol requirements (for example, I believe ebxml requires this).
Finally, note that unless every signature in the document excludes all others, the order of signatures is *very* important in the case of multiple signatures.
Best, Aleksey
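The failure mode described in the message above, as an added example that is not part of the original post and is not xmlsec code: it models only which nodes each transform feeds into the digest, using Python's standard library. The sample document, the Id values `s1`/`s2`, the helper names and the placeholder signature value are all constructed for illustration.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SIG = "{%s}Signature" % DSIG
VALUE = "{%s}SignatureValue" % DSIG

# Constructed sample: two signature templates whose values are still empty.
DOC = (
    '<doc xmlns:dsig="%s"><data>payload</data>'
    '<dsig:Signature Id="s1"><dsig:SignatureValue/></dsig:Signature>'
    '<dsig:Signature Id="s2"><dsig:SignatureValue/></dsig:Signature>'
    '</doc>' % DSIG
)

def enveloped(sig_id):
    """Enveloped transform: drop only the Signature being computed."""
    return lambda sig: sig.get("Id") == sig_id

def exclude_all(sig):
    """Effect of not(ancestor-or-self::dsig:Signature): drop every Signature."""
    return True

def digest(root, drop):
    """SHA-256 of the canonical document after removing the selected Signatures."""
    tree = copy.deepcopy(root)
    for parent in list(tree.iter()):
        for child in list(parent):
            if child.tag == SIG and drop(child):
                parent.remove(child)
    canonical = ET.canonicalize(ET.tostring(tree, encoding="unicode"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def first_signature_survives(drop):
    """Compare the digest for s1 at signing time with the one after s2 is filled in."""
    root = ET.fromstring(DOC)
    at_signing = digest(root, drop)
    s2 = root.find("%s[@Id='s2']" % SIG)
    s2.find(VALUE).text = "c2lnbmF0dXJlLTI="  # constructed placeholder value
    return digest(root, drop) == at_signing

if __name__ == "__main__":
    print("enveloped only:", first_signature_survives(enveloped("s1")))
    print("exclude all   :", first_signature_survives(exclude_all))
```

With the enveloped transform alone, the digest covered by the first signature changes once the second signature's value is written; with every <Signature> excluded, it stays the same regardless of signing order.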
