I would like to suggest a variation on Suresh's idea. What if we add a second Reference in the ds:Signature for 'each' payload so that there would be two references to the same cid, for each payload. I looked in the dSig spec and there doesn't seem to be any prohibition on this. The first reference would be to the payload as it has always been with whatever canonicalization or transforms are required. The second reference would be to the MIME headers. Suresh's canonicalization of the MIME headers would still be required but we wouldn't have to copy the MIME headers into the Manifest (minimal change to the spec). We would still have to define that Canonicalization Algorithm that Suresh described. I don't know if this is better or worse but it is another option. I'll confess, this is actually Rik's idea but I kind of like it. Regards, David Fischer Drummond Group.