OASIS ebXML Messaging Services TC


RE: [ebxml-msg] ds:Signature Algorithm


    Posted 10-24-2001 19:46
OK, I have some more information and I am thinking we should stick to the enveloped-signature algorithm. Apparently, the use of peer signatures is not well-defined in the security industry anyway. So we really don't need to worry about this.

For nested signatures, it looks like you can take the older signature(s) and put it(them) into a Signature+Object (wrap another ds:Signature element around the first ds:Signature element). I will amend my proposal to:

<Signature xmlns= . . . >
  <SignedInfo>
    . . .
    <Reference URI="">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm= . . . >
          <XPath>
            not(ancestor-or-self::*[@soap:actor="http://www.oasis-open.org/committees/ebxml-msg/nextMSH"] |
                ancestor-or-self::*[@soap:actor="http://schemas.xmlsoap.org/soap/actor/next"])
          </XPath>
        </Transform>
      </Transforms>
    </Reference>
  </SignedInfo>
</Signature>

Will this work? Anyone have an opinion?

Regards,
David Fischer
Drummond Group.
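
What the XPath filter proposed above leaves inside and outside the signature, as an added example that is not part of the original post: it applies the filter's rule (drop any element that has, or sits under, a soap:actor of nextMSH or next) to a constructed envelope. The urn:example:eb namespace, the header element names and the signed_coverage function are assumptions for illustration; only elements are modelled, and the enveloped-signature transform's removal of ds:Signature is not.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ACTOR_ATTR = f"{{{SOAP_NS}}}actor"

# The two actor URIs named in the proposed XPath expression.
EXCLUDED_ACTORS = {
    "http://www.oasis-open.org/committees/ebxml-msg/nextMSH",
    "http://schemas.xmlsoap.org/soap/actor/next",
}

# Constructed sample message; namespace and header names are illustrative.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                           xmlns:eb="urn:example:eb">
  <soap:Header>
    <eb:MessageHeader><eb:MessageId>constructed-id-1</eb:MessageId></eb:MessageHeader>
    <eb:TraceHeaderList soap:actor="http://schemas.xmlsoap.org/soap/actor/next">
      <eb:TraceHeader/>
    </eb:TraceHeaderList>
    <eb:Via soap:actor="http://www.oasis-open.org/committees/ebxml-msg/nextMSH"/>
  </soap:Header>
  <soap:Body><eb:Manifest/></soap:Body>
</soap:Envelope>"""


def signed_coverage(xml_text):
    """Return (covered, excluded) element names in document order.

    An element is excluded when it, or any ancestor, carries a soap:actor
    attribute equal to one of EXCLUDED_ACTORS, which is the condition
    not(ancestor-or-self::*[...] | ancestor-or-self::*[...]) tests per node.
    """
    covered, excluded = [], []

    def walk(elem, ancestor_excluded):
        hit = ancestor_excluded or elem.get(ACTOR_ATTR) in EXCLUDED_ACTORS
        local_name = elem.tag.split("}")[-1]
        (excluded if hit else covered).append(local_name)
        for child in elem:
            walk(child, hit)  # exclusion is inherited by all descendants

    walk(ET.fromstring(xml_text), False)
    return covered, excluded


if __name__ == "__main__":
    covered, excluded = signed_coverage(SAMPLE)
    print("covered by signature:", covered)
    print("outside signature:   ", excluded)
```

Everything reported as outside the signature can be altered by an intermediary without invalidating it, so a receiver should not treat those elements as authenticated.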