The spec does not emphasize a specific location for the signature element. The URI mechanism allows any location; in particular the following settings :
- Enveloped signature your ds:Signature is a descendant of your document root (signed root) :
<SignedDocumentRoot>
....
<ds:Signature>....</ds:Signature>
</SignedDocucmentRoot>
In this setting you must use the Enveloped Transform defined in the spec. Note that the ds:Signature may be the last child but this is not necessary.
- Enveloping signature your document root (signed root) is a descendant of the ds:Signature :
<ds:Signature>
....
<ds:Object>
<SignedDocumentRoot>...</SignedDocumentRoot>
</ds:Object>
</ds:Signature>
The ds:Object is defined in the spec. Here, no special transform is mandated.