The extra c14n step solved it. Thanks for the swift and accurate response. Jos
On 8/29/05, Prakasa Nedunuri (pnedunur) <[EMAIL PROTECTED]> wrote: > There is definitely a performance issue because you have to do extra > c14n everytime you do signing. > > > -----Original Message----- > From: Granqvist, Hans [mailto:[EMAIL PROTECTED] > Sent: Monday, August 29, 2005 1:13 PM > To: Werner Dittmann; [EMAIL PROTECTED] > Cc: Jos Dirksen; [email protected] > Subject: RE: Excessive useof namespaces > > > . . .. Just perform > > an additonla c14n as the last step after signing and/or encrypting a > > XML DOM. This is what the WSS4J handlers are doing. > > It could be a stop gap solution but scary: > > 1. The performance hit of doing a courtesy c14n is considerable. > > 2. There might be a security issue here somehow that we don't > immediately see, especially when signing and if exc-c14n is > used, as exc-c14n is a destructive c14n algorithm (we thus > might change what we think was signed in the first place)? > > > I am not sure about a. below (been too long since I implemented that > spec ;), but 1 and 2 seem quite serious in themselves. > > a. IIRC, c14n only removes superfluous empty namespace decl, not > xmlns="x" where x is != empty. Did you mean exc-c14n? > > Thanks, > Hans > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
