Subject: RE: [wss] SwA profile Issue 364 action for TC members
> If c14n is mandatory, what happens when I want to sign a subset of
> the attached XML, do I have to do c14n/xpath/c14n? Do we require
> that the c14n step be the last transform? What if I need the STR
> transform or the decryption transform and the result isn't XML?
> Why pay the cost of c14n?

Broadly speaking, the answer to all of these questions is "you do it in accordance with XMLDSIG". For example, if you want to sign a subset of an XML attachment, you'd add <Transform> elements that identified the subset you wanted to sign and the input attachment would be processed through the <Transform> chain to extract the to-be-signed subset. If that to-be-signed subset was an XML node-set (e.g. the result of an XPath or XSL Transform), then that node-set would be canonicalized with C14N to turn it into an octet stream and then hashed to compute the DigestValue.

You only pay the cost of C14N if you have to go from node-set to octet stream, just like you only pay the cost of parsing if you have to go from octet stream to node-set.

--bal
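
The processing rule described in the message above, as an added sketch that is not part of the original message or of any WSS implementation: parse only when a transform needs a node-set, canonicalize only when a node-set has to become octets. Assumptions: `select_subset`, `decode_base64` and `digest_reference` are hypothetical names, the attachment is constructed, SHA-256 is chosen for the digest, and ElementTree's C14N 2.0 stands in for the C14N 1.0 that XMLDSIG uses by default.

```python
import base64, copy, hashlib
import xml.etree.ElementTree as ET

# Constructed sample attachment, not taken from the thread.
ATTACHMENT = b'<order><item id="a">1</item><payment b="2" a="1">visa</payment></order>'

def canonicalize(node):
    """Node-set -> octets. Stand-in: ElementTree implements C14N 2.0, not C14N 1.0."""
    node = copy.copy(node)
    node.tail = None  # text after the element is not part of the subset
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode("utf-8")

def select_subset(path):
    """Hypothetical XPath-style transform: node-set in, node-set out."""
    def transform(root):
        found = root.find(path)
        if found is None:
            raise ValueError("transform selected nothing: " + path)
        return found
    transform.wants = "nodes"
    return transform

def decode_base64(octets):
    """Hypothetical octet transform whose output is not XML."""
    return base64.b64decode(octets)
decode_base64.wants = "octets"

def digest_reference(octets, transforms):
    """Return (base64 SHA-256 digest, conversions performed) for one reference."""
    data, conversions = octets, []
    for transform in transforms:
        if transform.wants == "nodes" and isinstance(data, bytes):
            data = ET.fromstring(data)      # pay for parsing only here
            conversions.append("parse")
        elif transform.wants == "octets" and not isinstance(data, bytes):
            data = canonicalize(data)       # a node-set must become octets
            conversions.append("c14n")
        data = transform(data)
    if not isinstance(data, bytes):         # final result is a node-set
        data = canonicalize(data)
        conversions.append("c14n")
    digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
    return digest, conversions

if __name__ == "__main__":
    print(digest_reference(ATTACHMENT, [select_subset("payment")]))
    print(digest_reference(base64.b64encode(b"\x00\x01 not XML"), [decode_base64]))
```

The subset case reports one parse and one canonicalization, and the octet-only case reports neither.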