Title: Message
Hi Blake,
 
Thanks for your response.
 
Here are some additional concerns that were brought up during a conference call today.
 
1) It is possible to tamper with a message by inserting some kind of whitespace and still get the signature validated.
 
2) Problems with non-European Unicode character sets like Japanese.
 
Did someone run into problems with these two issues? Are these known issues?
 
Achim
-----Original Message-----
From: Blake Dournaee [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 16 June 2004 18:45
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; 'Girish Juneja'
Subject: RE: XML-Signature + canonicalization

Hello Achim,

 

I think it would be fair to say that when XML Signature was just maturing most of the implementation details that caused trouble had to do with one form of canonicalization or another. If you add to this the additional exclusive canonicalization routine, the picture does get a bit confusing.

 

Fortunately, the standard has matured and has come a long way. There was an extensive interoperability event a few years ago for XML Signature itself and 2 interoperability events for WS-Security, which uses XML Signature + Exclusive Canonicalization. I would make the argument that while canonicalization can be tricky to get right, many implementations have done this and they all work fine together.

 

The link to the original XML Signature interoperability event can be found here:

 

http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html

 

 

As for large files, I would say that you have to weigh the benefits of XML Signature versus a binary format. It is true that XML Signature is an expensive operation, but done with the right tools it is possible to sign (and canonicalize) large XML documents (50MB or bigger) at wire-speed. You have to look at your specific driving requirements for XML Signatures - it isn't always best to choose the latest and greatest format if you have no need for what it brings to the table.

 

Kind Regards,

 

Blake Dournaee

Senior Security Architect

Sarvega, Inc.

 

 

 

 


From: von Neefe, Achim [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 1:34 AM
To: '[EMAIL PROTECTED]'
Subject: XML-Signature + canonicalization

 

Hi all,

I apologize if this is not the right forum for the following questions.

One of our partners intended to use XML-Signature, but now claims that there are too many interoperability problems with the canonicalization algorithm. Can someone share her/his experience in that area?

We intend to also use XML-Signature for potentially large files. Does someone have experience with the performance behaviour as the file size increases? Is there a degeneration due to the cost of canonicalization?

Thanks,

Achim
--------------------------------------------------------------
T-Mobile International
Achim von Neefe
- Mobile Payment Solutions -
Landgrabenweg 151
D-53227 Bonn

Tel.: +49 228 936 37448
Email: [EMAIL PROTECTED]e.de
Internet: www.t-mobile-international.com
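
An added example, not part of the original thread: a check of which whitespace and character-encoding differences canonicalization absorbs before the digest is computed, relevant to the two concerns raised at the top of the thread. It assumes Python 3.8+ (whose standard library implements C14N 2.0 rather than the C14N 1.0 / Exclusive C14N of 2004) and SHA-256 as the digest; the sample documents are constructed.

```python
import hashlib
import unicodedata
from xml.etree.ElementTree import canonicalize  # stdlib C14N 2.0 (assumption)


def c14n_digest(xml_text: str) -> str:
    """Digest over the canonical octets, as a verifier computes for a reference."""
    canonical = canonicalize(xml_text)  # default options keep text whitespace
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def same_digest(a: str, b: str) -> bool:
    """True when both documents canonicalize to identical octets."""
    return c14n_digest(a) == c14n_digest(b)


# Constructed sample documents (not taken from the thread).
BASE = ('<payment currency="EUR" id="p1">'
        '<amount>100</amount><payee>かがわ</payee></payment>')

# Whitespace and attribute order inside tags: markup only, normalized away.
MARKUP_WS = ('<payment   id="p1"\n  currency="EUR" >'
             '<amount >100</amount><payee>かがわ</payee ></payment>')

# Whitespace inside character content is signed data.
TEXT_WS = BASE.replace("<amount>100<", "<amount>100 <")

# Indentation between child elements is a text node, so it is signed too.
INDENTED = BASE.replace("<amount>", "\n  <amount>")

# The same character written as a numeric character reference.
CHAR_REFS = BASE.replace("が", "&#x304C;")

# Same visible text, decomposed form (NFD): canonicalization does not
# apply Unicode normalization, so the octets differ.
NFD = unicodedata.normalize("NFD", BASE)

if __name__ == "__main__":
    cases = [("markup whitespace", MARKUP_WS), ("text whitespace", TEXT_WS),
             ("indentation", INDENTED), ("character references", CHAR_REFS),
             ("NFD form", NFD)]
    for label, doc in cases:
        verdict = "digest unchanged" if same_digest(BASE, doc) else "digest differs"
        print(f"{label:22} {verdict}")
```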