RE: C14N Argument

At 13:19 7/26/2001, Dournaee, Blake wrote:
>Thanks for your detailed explanation. The reason why I am concerned about
>where C14N is/should be used is because it will be important for developers
>to know when they must use canonicalization and when they can omit it.

Hi Blake, I'm a fan of explicit declarations, and try to avoid implicit 
processing where possible: I like things to be clear, even if verbose, and 
it allows algorithms to stay orthogonal; if some day we realize there's a 
huge problem c14n it's baked in to the dsig spec. Others felt that it's 
baked in anyway (e.g., REQUIRED) and people can still be explicit if desired 
or required, and they carried the day on this point.

However, you're right that c14n is an expensive operation (at the Encryption 
F2F last week I think people estimated 100-1 more expensive than the crypto 
on small documents, and it gets worse for larger documents of course.) But 
I'm not sure how to directly reflect your concern in the text. Should we add 
a sentence saying, "be careful not to have redundant c14n's as it's really 
expensive" or can something more specific be said?



--
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Friday, 27 July 2001 16:01:45 UTC