2.9 Canonicalization
Canonicalization is a critical aspect of digital signatures and verification. It also has limited applicability to encryption.
To be useful, signatures (and message authentication codes, if appropriate) must be secure and robust. For the signature to be secure, any "significant" change in the signed data or the signature must cause the signature to fail. For the signature to be robust, any "insignificant" change in the signed data, or the signature itself, must not cause the signature to fail. Any change allowed by normal receipt, storage, and/or transmission of the message should be considered insignificant and should not be covered by the signature. Figuring out exactly what is significant for signature purposes can prove tricky. Message digest algorithms, which are used in message authentication codes and digital signatures, reflect any change in their input, so you must manage their input carefully. In particular, that input should normally consist of a canonicalization of the data being secured, discarding insignificant aspects of that data.
Chapter 9 is entirely devoted to canonicalization, particularly as it pertains to XML.