There is definitely a performance issue because you have to do an extra c14n every time you do signing.

-----Original Message-----
From: Granqvist, Hans [mailto:[EMAIL PROTECTED]
Sent: Monday, August 29, 2005 1:13 PM
To: Werner Dittmann; [EMAIL PROTECTED]
Cc: Jos Dirksen; [email protected]
Subject: RE: Excessive use of namespaces

> . . .. Just perform
> an additional c14n as the last step after signing and/or encrypting an
> XML DOM. This is what the WSS4J handlers are doing.

It could be a stopgap solution but scary:

1. The performance hit of doing a courtesy c14n is considerable.

2. There might be a security issue here somehow that we don't
   immediately see, especially when signing and if exc-c14n is used,
   as exc-c14n is a destructive c14n algorithm (we thus might change
   what we think was signed in the first place)?

I am not sure about a. below (been too long since I implemented
that spec ;), but 1 and 2 seem quite serious in themselves.

a. IIRC, c14n only removes superfluous empty namespace decl, not
   xmlns="x" where x is != empty. Did you mean exc-c14n?

Thanks,
Hans

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
