> . . .. Just perform > an additonla c14n as the last step after signing and/or > encrypting a XML DOM. This is what the WSS4J handlers are doing.
It could be a stop gap solution but scary: 1. The performance hit of doing a courtesy c14n is considerable. 2. There might be a security issue here somehow that we don't immediately see, especially when signing and if exc-c14n is used, as exc-c14n is a destructive c14n algorithm (we thus might change what we think was signed in the first place)? I am not sure about a. below (been too long since I implemented that spec ;), but 1 and 2 seem quite serious in themselves. a. IIRC, c14n only removes superfluous empty namespace decl, not xmlns="x" where x is != empty. Did you mean exc-c14n? Thanks, Hans --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
