Hans, these explanations are much tooooo sophisticated for me. I know why C14N is necessary, but I never fully understood the specs because they are written in a language that only the XML gurus at W3C may understand (sometimes I doubt that too).

However, the handler delivered with WSS4J always works from the top node (the SOAP request root) when doing processing. Also, all WSS4J methods that create a request expect the top node as their start node.

Regards,
Werner Granqvist

Hans wrote:
> (Let's talk performance issues once we have more exact
> timing of the various steps involved. If it ain't broke,
> etc...)
>
> I think the security issues are worth some discussion.
>
> The c14n specification says that identical, superfluous in-scope
> namespaces should be removed. So if you re-c14n a document from the
> root node, it should be idempotent, that is, the n+1, n+2, ...
> c14n will not change the DOM from the n+0 c14n.
>
> However, it seems if you do any of the c14n (either the original
> n=0 signature transformation or later n>0 re-c14n) with different
> context (start) nodes you will in effect have different DOMs,
> since the start node is different in both cases, and the start
> node will receive the namespace declarations. (Please let me know
> if I am way wrong here!)
>
> This leads me to ask: Are the WSS4J handlers always working from
> the root node? That is, do they always operate on the entire
> document? (Sorry if this is obvious for more seasoned WSS4J
> developers.)
>
> I foresee a problem if the handlers work on fragments that are then
> inserted into other DOMs. Mostly worries about a re-c14n over signed
> content that uses exc-c14n transformations.
>
> However, if you have done enough interop and know this stuff works
> as it should, I can be quiet. :)
>
> Btw, is java xmlsec actively developed currently?
>
> Hans
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
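The namespace behaviour Hans describes (the start node "receives" its ancestors' declarations under inclusive C14N, so re-canonicalizing a fragment from a different context or after inserting it into another DOM changes the bytes, while exclusive C14N only renders visibly utilized namespaces and is stable) can be shown with a small model of the two namespace-rendering rules. The code below is an added example written for this thread; it is not WSS4J or Apache XML Security code. It implements only the namespace-rendering rule on top of the standard library's minidom and deliberately simplifies the rest of C14N (attributes are sorted by qualified name, text is not escaped, comments and processing instructions are ignored). The SOAP envelopes, the `unused`/`extra` prefixes and the `Body-1` id are constructed sample data.

```python
"""Model of inclusive vs exclusive C14N namespace rendering (added example,
not WSS4J/xmlsec code). Shows that moving a signed Body into another envelope
changes the inclusive canonical form but not the exclusive one, and that
inclusive C14N from the root is idempotent."""
from xml.dom import minidom

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample: 'unused' is declared on the envelope but used nowhere.
DOC_A = (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}" '
         'xmlns:unused="urn:example:never-used">'
         '<soap:Body wsu:Id="Body-1"><o:Order xmlns:o="urn:example:order">42'
         '</o:Order></soap:Body></soap:Envelope>')
# Constructed target envelope whose root declares a different prefix set.
DOC_B = (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsu="{WSU_NS}" '
         'xmlns:extra="urn:example:extra"><soap:Header/></soap:Envelope>')


def _prefix(qname):
    """Prefix part of a qualified name ('' when there is none)."""
    return qname.split(":", 1)[0] if ":" in qname else ""


def _split_attrs(elem):
    """Return (namespace declarations {prefix: uri}, sorted ordinary attributes)."""
    decls, attrs = {}, []
    for i in range(elem.attributes.length):
        a = elem.attributes.item(i)
        if a.name == "xmlns":
            decls[""] = a.value
        elif a.name.startswith("xmlns:"):
            decls[a.name[6:]] = a.value
        else:
            attrs.append((a.name, a.value))
    return decls, sorted(attrs)


def _scope_at(node):
    """Declarations in scope at node, nearest declaration winning."""
    chain = []
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        chain.append(node)
        node = node.parentNode
    scope = {}
    for anc in reversed(chain):  # root first, so descendants override
        scope.update(_split_attrs(anc)[0])
    return scope


def _render(elem, exclusive, scope, rendered, out):
    decls, attrs = _split_attrs(elem)
    scope = {**scope, **decls}
    if exclusive:
        # Exclusive C14N: only prefixes visibly utilized by this element.
        wanted = {_prefix(elem.tagName)} | {
            _prefix(n) for n, _ in attrs if ":" in n and not n.startswith("xml:")}
    else:
        # Inclusive C14N: every in-scope declaration (the apex inherits them all).
        wanted = set(scope)
    # Skip declarations an output ancestor already rendered with the same value.
    to_render = {p: scope[p] for p in wanted
                 if p in scope and rendered.get(p) != scope[p]}
    out.append("<" + elem.tagName)
    for p in sorted(to_render):
        out.append(f' xmlns{":" + p if p else ""}="{to_render[p]}"')
    for name, value in attrs:
        out.append(f' {name}="{value}"')
    out.append(">")
    rendered = {**rendered, **to_render}
    for child in elem.childNodes:
        if child.nodeType == child.ELEMENT_NODE:
            _render(child, exclusive, scope, rendered, out)
        elif child.nodeType == child.TEXT_NODE:
            out.append(child.data)
    out.append("</" + elem.tagName + ">")


def c14n(elem, exclusive=False):
    """Canonicalize the subtree at elem; the apex sees its ancestors' declarations."""
    out = []
    _render(elem, exclusive, _scope_at(elem.parentNode), {}, out)
    return "".join(out)


def root_of(xml):
    return minidom.parseString(xml).documentElement


def move_body(src_xml=DOC_A, dst_xml=DOC_B):
    """Return (Body in its original envelope, the same Body imported into another)."""
    src, dst = minidom.parseString(src_xml), minidom.parseString(dst_xml)
    original = src.getElementsByTagNameNS(SOAP_NS, "Body")[0]
    moved = dst.importNode(original, True)
    dst.documentElement.appendChild(moved)
    return original, moved


if __name__ == "__main__":
    original, moved = move_body()
    print("inclusive, original:", c14n(original))
    print("inclusive, moved:   ", c14n(moved))
    print("exclusive, original:", c14n(original, exclusive=True))
    print("exclusive, moved:   ", c14n(moved, exclusive=True))
```

Running it prints the Body four times: under inclusive C14N the original copy carries `xmlns:unused` and the moved copy carries `xmlns:extra`, so a signature computed over the first will not verify over the second; under exclusive C14N both renderings are byte-identical, which is why exc-c14n is the transform of choice for signed SOAP fragments that may be re-enveloped. Canonicalizing the whole envelope from the root, reparsing and canonicalizing again yields the same bytes in both modes, matching the idempotence Hans expects.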
