(Let's talk performance issues once we have more exact timing of the various steps involved. If it ain't broke, etc...)
I think the security issues are worth some discussion. The c14n specification says that identical, superfluous in-scope namespaces should be removed. So if you re-c14n a document from the root node, it should be idempotent, that is, the n+1, n+2, ... c14n will not change the DOM from the n+0 c14n.

However, it seems if you do any of the c14n (either the original n=0 signature transformation or later n>0 re-c14n) with different context (start) nodes you will in effect have different DOMs, since the start node is different in both cases, and the start node will receive the namespace declarations. (Please let me know if I am way wrong here!)

This leads me to ask: Are the WSS4J handlers always working from the root node? That is, do they always operate on the entire document? (Sorry if this is obvious for more seasoned WSS4J developers.)

I foresee a problem if the handlers work on fragments that are then inserted into other DOMs. Mostly worries about a re-c14n over signed content that uses exc-c14n transformations. However, if you have done enough interop and know this stuff works as it should, I can be quiet. :)

Btw, is java xmlsec actively developed currently?

Hans
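The start-node concern raised in this message, as an added example that is not part of the original e-mail and is not WSS4J or xmlsec code: a simplified Python model of how inclusive and exclusive c14n render namespace declarations on a Body subtree. The function names and `urn:example:*` namespaces are assumptions, and the model covers only elements, attributes and text (attributes are sorted by qualified name, and `xmlns=""` is not handled).

```python
import hashlib
from xml.dom import minidom
from xml.sax.saxutils import escape

def is_ns(name):
    return name == "xmlns" or name.startswith("xmlns:")

def in_scope(el):
    """xmlns declarations in scope at el; the nearest declaration wins."""
    scope = {}
    while el is not None and el.nodeType == el.ELEMENT_NODE:
        for name, value in el.attributes.items():
            if is_ns(name):
                scope.setdefault(name, value)
        el = el.parentNode
    return scope

def visible(el):
    """xmlns names visibly used by el's own tag and attribute names."""
    names = {"xmlns:" + el.prefix if el.prefix else "xmlns"}
    names.update("xmlns:" + n.split(":")[0] for n in el.attributes.keys()
                 if ":" in n and not is_ns(n))
    return names

def c14n(node, exclusive, rendered=None):
    """Simplified canonical form of the subtree at node (elements, attributes, text)."""
    if node.nodeType == node.TEXT_NODE:
        return escape(node.data)
    rendered, scope = dict(rendered or {}), in_scope(node)
    out = "<" + node.tagName
    for name in sorted(visible(node) if exclusive else scope):
        if name in scope and rendered.get(name) != scope[name]:
            out += ' %s="%s"' % (name, escape(scope[name]))
            rendered[name] = scope[name]
    for name, value in sorted(node.attributes.items()):
        if not is_ns(name):
            out += ' %s="%s"' % (name, escape(value, {'"': "&quot;"}))
    out += ">" + "".join(c14n(c, exclusive, rendered) for c in node.childNodes)
    return out + "</" + node.tagName + ">"

# Constructed sample: DOC_B carries one extra ancestor declaration the body never uses.
BODY = '<soap:Body wsu:Id="b1"><m:Pay xmlns:m="urn:example:pay">10</m:Pay></soap:Body>'
ENV = '<soap:Envelope xmlns:soap="urn:example:soap" xmlns:wsu="urn:example:wsu"%s>%s</soap:Envelope>'
DOC_A = ENV % ("", BODY)
DOC_B = ENV % (' xmlns:wsa="urn:example:wsa"', BODY)

def body_digest(xml, exclusive):
    body = minidom.parseString(xml).documentElement.firstChild
    return hashlib.sha256(c14n(body, exclusive).encode()).hexdigest()
```

With the Body element as start node, the inclusive digest changes when the same Body sits under an envelope with a different set of declarations, while the exclusive digest stays the same.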
