It _could_ be a performance penalty. However, compared to the time and processing power consumed to perform the SIgnature if is not that much. As far as I can remember about 60% to 70% of the whole processing time was consumed by the Signature method, all the rest by all other functions (did this with XML-SEC 1.0, thus fairly old values) for a signed request.
Regards, Werner Granqvist, Hans wrote: >>. . .. Just perform >>an additonla c14n as the last step after signing and/or >>encrypting a XML DOM. This is what the WSS4J handlers are doing. > > > It could be a stop gap solution but scary: > > 1. The performance hit of doing a courtesy c14n is considerable. > > 2. There might be a security issue here somehow that we don't > immediately see, especially when signing and if exc-c14n is > used, as exc-c14n is a destructive c14n algorithm (we thus > might change what we think was signed in the first place)? > > > I am not sure about a. below (been too long since I implemented > that spec ;), but 1 and 2 seem quite serious in themselves. > > a. IIRC, c14n only removes superfluous empty namespace decl, not > xmlns="x" where x is != empty. Did you mean exc-c14n? > > Thanks, > Hans > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
