The XMLDSig specification lists the order of operations in core validation as first validating the digests (reference validation) and then the signature (signature validation). This order is not a requirement, but the Java XMLSec implementation chose to implement it in this order. The reverse order (validating the signature first and then the digests) is safer and detects invalid signatures earlier: the signature covers the SignedInfo element, so checking it first detects any attempt to insert or modify information in SignedInfo before the references it lists are processed. For example, it would catch attempts to insert malicious transforms before they are executed, or any other modification of the contents of SignedInfo. See Brad Hill's paper for more information: http://www.w3.org/2007/xmlsec/ws/papers/04-hill-isecpartners
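The following is an added example, not code from the page or from the Java XMLSec project, showing how a caller can impose the safer order itself with the standard JSR 105 API (javax.xml.crypto.dsig): verify the SignatureValue over SignedInfo first, and only then dereference each Reference and run its transforms. It assumes the caller supplies the parsed DOM Document and a KeySelector that resolves the verification key, and that the `org.jcp.xml.dsig.secureValidation` context property is honoured by the JDK's DOM provider.

```java
import java.util.List;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Core validation with the signature value checked before any reference is processed. */
public final class SignatureFirstValidator {

    private SignatureFirstValidator() {}

    /**
     * Returns true only if the SignatureValue verifies over SignedInfo AND every
     * Reference digest matches. Reference transforms are executed only after the
     * SignedInfo that declares them has been authenticated.
     */
    public static boolean validate(Document doc, KeySelector keySelector)
            throws MarshalException, XMLSignatureException {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) {
            // A document with zero or several ds:Signature elements is rejected outright.
            throw new XMLSignatureException("expected exactly one ds:Signature element");
        }

        DOMValidateContext ctx = new DOMValidateContext(keySelector, nl.item(0));
        // Secure validation mode (JDK DOM provider): rejects weak algorithms and
        // unreasonable transform counts on top of the ordering enforced below.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Unmarshalling only parses the ds:Signature structure; no transform runs here.
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);

        // Step 1: signature validation. Nothing in SignedInfo (reference URIs,
        // transforms, digest methods) is trusted until this succeeds.
        if (!sig.getSignatureValue().validate(ctx)) {
            return false;
        }

        // Step 2: reference validation. The transforms executed here are now known
        // to be the ones the signer committed to, not attacker-inserted ones.
        @SuppressWarnings("unchecked")
        List<Reference> refs = sig.getSignedInfo().getReferences();
        for (Reference ref : refs) {
            if (!ref.validate(ctx)) {
                return false;
            }
        }
        return true;
    }
}
```

Calling `XMLSignature.validate(ctx)` performs both steps in one call in whatever order the provider implements; splitting the check into `SignatureValue.validate` followed by `Reference.validate` makes the order explicit in the caller and independent of that choice. Both `validate` methods cache their result after the first invocation, so the two-step check costs nothing extra.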