RE: C14N Argument


How about something like:

"Canonicalization is used implicitly when a node-set is converted to an
octet stream in the transformation pipeline. Care should be made not to
include it unnecessarily as an explicit transform. Doing so may affect core
processing performance."

Blake Dournaee
Toolkit Applications Engineer
RSA Security
"The only thing I know is that I know nothing" - Socrates

-----Original Message-----
From: Joseph M. Reagle Jr. []
Sent: Friday, July 27, 2001 1:01 PM
To: Dournaee, Blake
Cc: 'John Boyer';
Subject: RE: C14N Argument

At 13:19 7/26/2001, Dournaee, Blake wrote:
>Thanks for your detailed explanation. The reason why I am concerned about
>where C14N is/should be used is because it will be important for developers
>to know when they must use canonicalization and when they can omit it.

Hi Blake, I'm a fan of explicit declarations, and try to avoid implicit 
processing where possible: I like things to be clear, even if verbose, and 
it allows algorithms to stay orthogonal; if some day we realize there's a 
huge problem c14n it's baked in to the dsig spec. Others felt that it's 
baked in anyway (e.g., REQUIRED) and people can still be explicit if desired
or required, and they carried the day on this point.

However, you're right that c14n is an expensive operation (at the Encryption
F2F last week I think people estimated 100-1 more expensive than the crypto
on small documents, and it gets worse for larger documents of course.) But
I'm not sure how to directly reflect your concern in the text. Should we add
a sentence saying, "be careful not to have redundant c14n's as it's really
expensive" or can something more specific be said?

Joseph Reagle Jr.       
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair
W3C XML Encryption Chair

Received on Friday, 27 July 2001 17:20:39 UTC
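
An added illustration, not part of the original thread: a toy model of the transform pipeline under discussion, showing where a c14n pass is implied by the node-set to octet conversion and when an explicit c14n transform makes it run twice for the same digest. Python's standard-library C14N 2.0 stands in for Canonical XML here; `drop_signature`, `digest` and the sample document are constructed for this sketch.

```python
import hashlib
import xml.etree.ElementTree as ET

c14n_calls = 0  # number of canonicalization passes in the current run

def to_octets(data):
    """Node-set -> octets conversion; this is where c14n is applied."""
    global c14n_calls
    if isinstance(data, bytes):
        return data                      # already octets, nothing implied
    c14n_calls += 1
    text = ET.tostring(data, encoding="unicode")
    return ET.canonicalize(text).encode("utf-8")

def to_nodes(data):
    """Octets -> node-set conversion (a re-parse)."""
    return ET.fromstring(data) if isinstance(data, bytes) else data

def explicit_c14n(data):
    """Explicit c14n transform: node-set in, octets out."""
    return to_octets(to_nodes(data))

def drop_signature(data):
    """Hypothetical node-set transform: remove <Signature> children."""
    root = to_nodes(data)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "Signature":
                parent.remove(child)
    return root

def digest(doc, transforms):
    """Run the transforms, then digest; returns (hex digest, c14n passes)."""
    global c14n_calls
    c14n_calls = 0
    data = doc
    for transform in transforms:
        data = transform(data)
    value = hashlib.sha256(to_octets(data)).hexdigest()  # implicit c14n if still a node-set
    return value, c14n_calls

# Constructed sample input.
DOC = b'<doc b="2" a="1"><item/><Signature>placeholder</Signature></doc>'

if __name__ == "__main__":
    for name, chain in [("implicit only", [drop_signature]),
                        ("explicit first", [explicit_c14n, drop_signature]),
                        ("explicit last", [drop_signature, explicit_c14n])]:
        print(name, digest(DOC, chain))
```

An explicit c14n as the last transform costs nothing extra because its octet output is digested directly; placed before a node-set transform it forces a re-parse and a second pass for an identical digest.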