- From: Joseph M. Reagle Jr. <reagle@w3.org>
- Date: Fri, 27 Jul 2001 16:01:27 -0400
- To: "Dournaee, Blake" <bdournaee@rsasecurity.com>
- Cc: "'John Boyer'" <JBoyer@PureEdge.com>, w3c-ietf-xmldsig@w3.org

At 13:19 7/26/2001, Dournaee, Blake wrote:
>Thanks for your detailed explanation. The reason why I am concerned about
>where C14N is/should be used is because it will be important for developers
>to know when they must use canonicalization and when they can omit it.

Hi Blake,

I'm a fan of explicit declarations, and try to avoid implicit processing where possible: I like things to be clear, even if verbose, and it allows algorithms to stay orthogonal; if some day we realize there's a huge problem c14n it's baked in to the dsig spec. Others felt that it's baked in anyway (e.g., REQUIRED) and people can still be explicit if desired or required, and they carried the day on this point.

However, you're right that c14n is an expensive operation (at the Encryption F2F last week I think people estimated 100-1 more expensive than the crypto on small documents, and it gets worse for larger documents of course.)

But I'm not sure how to directly reflect your concern in the text. Should we add a sentence saying, "be careful not to have redundant c14n's as it's really expensive" or can something more specific be said?

--
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/

Received on Friday, 27 July 2001 16:01:45 UTC