The xmlsec currently requires building the whole DOM tree. I think it is possible to write XML DSig implementation on top of SAX for *some* very restricted set of signatures (for example, you have to limit allowed XPath transforms, <dsig:Signature/> element should go first, etc.). But this is a completely different story. Aleksey