Lists Home |
Date Index |
At 9:59 AM -0800 1/26/04, Tim Bray wrote:
>Q: Should genx produce canonical XML output?
>I've worked on a couple projects in recent months where the XML
>messages would sometimes or always need to be signed, and I'm
>developing the general feeling that the world holds a *lot* of dsig
>technology; in private correspondence with some folks here I've
>heard horror stories about what people do to get canonical XML:
>parse, load into DOM, reserialize (a horror story in a high-volume
Yes. The obvious solution here is to move to a streaming
canonicalizer. I don't know if any such exist. Probably wouldn't be
hard to write one though.
So I had the impression that if genx produced canonical XML that
would be A Good Thing particularly if the cost was low. The idea
doesn't seem to be getting much of a welcome here.
I think the obvious solution is to add a function that turns
canonicalization on or off, with the default being on. Not having
done serious work in C for almost ten years, I won't presume to say
what that function should look like. This does impose some burden on
implementers but no more than just allowing it to be on. Canonical
output is much harder to implement than non-canonical output.
However, if you really want a lightweight, 80/20 API maybe you should
simply leave canonicalization to special purpose tools.
Elliotte Rusty Harold
Effective XML (Addison-Wesley, 2003)