Re: minimal canonicalization from Joseph Reagle on 2002-07-25 (w3c-ietf-xmldsig@w3.org from July to September 2002)

From: Joseph Reagle <reagle@w3.org>
Date: Thu, 25 Jul 2002 10:53:27 -0400
To: Carl Ellison <cme@jf.intel.com>
Cc: "XML Signature (W3C/IETF)" <w3c-ietf-xmldsig@w3.org>
Message-Id: <200207251053.27640.reagle@w3.org>

On Wednesday 24 July 2002 08:34 pm, Carl Ellison wrote:
> We are using XML DSig to sign SOAP commands for UPnP.

Is this Universal Plug and Play?

> In that case, you have a sender and a receiver.  If the sender is
> powerful, it is generating the signature and controlling its output,
> but it has no reason to use anything but C14N.  However, the receiver
> is limited in CPU power (and possibly memory) and needs to
> canonicalize the incoming message in order to verify the signature.
> That's the one that can't afford C14N.

If you can constrain your process such that you know no intermediaries are 
introducing particular sorts of changes, you might be able to go the 
minimal route. However, if your using SOAP, I don't think that likely and 
you're having to "detach" a SOAP message from the header, and you'll need 
octet based means (and alignment to worry about) for this...

Received on Thursday, 25 July 2002 10:53:29 UTC