The handlers use org.apache.xml.security.utils.XMLUtils.outputDOM(doc, outstream, true)
as a last step to convert from DOM to byte stream. This method implicitly performs a c14n with ALGO_ID_C14N_WITH_COMMENTS which seems to remove superfluous namespaces.

Regards,
Werner

Prakasa Nedunuri (pnedunur) wrote:
> There is definitely a performance issue because you have to do extra
> c14n every time you do signing.
>
>
> -----Original Message-----
> From: Granqvist, Hans [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 29, 2005 1:13 PM
> To: Werner Dittmann; [EMAIL PROTECTED]
> Cc: Jos Dirksen; [email protected]
> Subject: RE: Excessive use of namespaces
>
>
>>. . .. Just perform
>>an additional c14n as the last step after signing and/or encrypting an
>>XML DOM. This is what the WSS4J handlers are doing.
>
>
> It could be a stop gap solution but scary:
>
> 1. The performance hit of doing a courtesy c14n is considerable.
>
> 2. There might be a security issue here somehow that we don't
>    immediately see, especially when signing and if exc-c14n is
>    used, as exc-c14n is a destructive c14n algorithm (we thus
>    might change what we think was signed in the first place)?
>
>
> I am not sure about a. below (been too long since I implemented that
> spec ;), but 1 and 2 seem quite serious in themselves.
>
> a. IIRC, c14n only removes superfluous empty namespace decl, not
>    xmlns="x" where x is != empty. Did you mean exc-c14n?
>
> Thanks,
> Hans
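An added example, not part of the thread and not WSS4J or Apache XML Security code: a check for whether a post-signing serialization pass changed the namespace context that signed content depends on. It assumes Python's standard-library canonicalizer (C14N 2.0), which emits only the namespace declarations that element and attribute names use, as a stand-in for an exclusive-style pass; the sample document and the function names are constructed for illustration.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample of signed content: xmlns:xs is referenced only inside an
# attribute value (a QName in content); xmlns:unused is never referenced.
SIGNED = (
    '<b:Body xmlns:b="urn:example:body"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xmlns:xs="http://www.w3.org/2001/XMLSchema"'
    ' xmlns:unused="urn:example:unused">'
    '<b:amount xsi:type="xs:decimal">10</b:amount></b:Body>'
)

def declared_prefixes(xml_text):
    """Prefixes declared anywhere in the document (scope is not tracked)."""
    src = io.BytesIO(xml_text.encode("utf-8"))
    return {prefix for _, (prefix, _uri) in ET.iterparse(src, events=("start-ns",))}

def dangling_type_prefixes(xml_text):
    """Prefixes used in xsi:type values that no longer have a declaration."""
    used = set()
    for el in ET.fromstring(xml_text).iter():
        value = el.get(XSI_TYPE, "")
        if ":" in value:
            used.add(value.split(":", 1)[0])
    return used - declared_prefixes(xml_text)

def audit_pass(before, after):
    """Compare a document before and after a post-signing serialization pass."""
    sha = lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest()
    return {
        "bytes_changed": sha(before) != sha(after),
        "dropped": declared_prefixes(before) - declared_prefixes(after),
        "dangling": dangling_type_prefixes(after),
    }

# Default pass: only prefixes used in element/attribute names survive.
plain = ET.canonicalize(SIGNED)
# Same pass told that xsi:type holds a QName, so its prefix is kept.
aware = ET.canonicalize(SIGNED, qname_aware_attrs={XSI_TYPE})

if __name__ == "__main__":
    print(audit_pass(SIGNED, plain))
    print(audit_pass(SIGNED, aware))
```

A non-empty "dangling" set means the pass removed a declaration that the content still refers to, so the output no longer carries the same meaning as what was signed.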
