Re: [xmlsec] XML canonization

Fri, 18 Oct 2002 18:30:50 -0700

The signature time almost does not depend on the input file size. The typical flow looks
as follows:
1) 2) 3) 4)
whole XML Document---->the part you want to sign---->binary data---->digest---->signature

where:
1) one or more XMLDSig transforms (for example, enveloped signature)
2) cannonicalization
3) SHA1 or MD5 or something else
4) RSA or DSA or HMAC or something else

The steps 4) does not depend on the input XML size (we always sign 20 bytes digest),
the step 3) is fast. The hard and costly part are steps 1) and 2). These steps *do* depend
on the input XML and the complexety of the transforms in step 1).


Aleksey.


David Wen wrote:

Aleksey,

The signature part does not cost time, but the
canonization does. Is there any performance
measurement on that?

David Wen

On Fri, 18 Oct 2002 18:32:35 -0700 Aleksey Sanin <[EMAIL PROTECTED]> wrote:


Well, it depends on the situation:
1) You are signing an XML file and want to
have XML signature in a
*separate* XML file.
In this case, you might sign the XML file
using external XML signature
and then this file will be treated as a
binary file (i.e., never parsed->no need
in c14n)
2) You have an XML file and you want to
insert XML signature in the *same* file (or construct a new XML file
that contains original file *and*
thew signature).
In this case you must do cannonicalization
because c14n is a way to "serialize"
XML document from DOM representation to a
binary file.

BTW, what kind of file are you trying to sign
and do you use xmlsec library?
Some people did performance testing for xmlsec
and it showed pretty good
results (for example, signing 10 MB file in 55
sec).

Aleksey.


David Wen wrote:


Hi,

We have an application where the XML file is
huge and it takes hours to canonize it but the
signature is very fast. My understanding of

the

XML Dsig spec is that, although the

canonization

algorithm is mandatory, but it is ok to not

apply

it, right?

Thanks!

David Wen
_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec



_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec



_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec

Reply via email to