
XML-DSig describes 3 positions where the signature of an XML document can be placed relative to the XML document: the signature can be detached, enveloping, or enveloped.

What are the implications in terms of performance of these three options?

rds

2 Answers


Detached will be a bit more efficient, but the difference is minimal (of course it depends on document size: with a 100 MB document the difference would be larger than with small XML blocks).

Eugene Mayevski 'Callback
  • I'll have to deal with very large files (a 100 MB file is *small* in my case). Do you have references to confirm that detached is more efficient? I don't really understand from a theoretical point of view what's faster in computing the signature of a tree when it's next to the signature tree, compared to when it's underneath... – rds Mar 03 '13 at 11:33
  • @rds The difference in speed is caused not by calculating a signature value, but by the transforms applied and by rendering the output document. If you use a DOM-based signer, it will load the whole document, then compose it again in the case of a wrapping or embedded signature. In the case of a detached signature, only a tiny signature block will be written, and here's where the detached signature wins. Also, if 100 MB is small for your data, you will have serious problems loading it into a DOM for processing. – Eugene Mayevski 'Callback Mar 03 '13 at 11:49

Since XMLdSig was not written with performance or file size in mind, streaming is not possible. With large data to be signed it really is a problem, since DOM objects eat lots of memory, believe me. Enveloping or enveloped does not matter in this respect.

This is where detached signatures shine. The signature itself is not that large, and the data to be signed can be streamed, since you only need its hash.

Cigiller
  • I have not started yet, but I've seen an [XML Signature Streaming Profile](http://www.w3.org/TR/2012/CR-xmldsig-xpath-20120124/) which seems to contradict "*streaming is not possible*". Also, I don't understand what you mean by "*the signature itself is not that large*". Can't the signature be computed with the same algorithm, whatever its position is? – rds Mar 03 '13 at 11:30
  • @rds The document you are referring to is not related to loading of XML documents for signing or for applying transforms - these two still require DOM. – Eugene Mayevski 'Callback Mar 03 '13 at 11:53
  • @EugeneMayevski'Callback incorrect, that's exactly what streaming XML Signature is all about - ability to calculate reference hashes (including node selection and c14n), and therefore XML signature creation/verification, completely avoiding DOM. – vond Feb 29 '20 at 01:34
  • @vond Indeed, I was slightly incorrect in formulating the comment. The point was to say what the quote from section 2.2 of the recent edition of the document emphasizes: "Note that it is not always possible to apply or verify XML Signatures in a one-pass streaming fashion." So, the original answer of Cigiller still applies. – Eugene Mayevski 'Callback Feb 29 '20 at 08:50
  • Still disagree with the original answer, as DOM can be completely avoided for XMLDsig creation and verification. SAX is enough. I'm talking about Enveloped signature, of course. Enveloping and Detached are more obvious – vond Mar 06 '20 at 05:11
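Added worked example for the points made in both answers above (the signature value itself costs the same regardless of placement; what differs is the reference processing and where the document has to be serialized). This is illustrative code added here, not code from the question, the answers, or any XML-DSig library, and it is not an interoperable signer: it uses the standard library's C14N 2.0 (`xml.etree.ElementTree.canonicalize`) where deployed XML-DSig mostly uses C14N 1.0/1.1 or Exclusive C14N, and HMAC-SHA256 with a constructed key in place of RSA so that it runs offline; the sample invoice, the 1 MiB chunked "file", and the `file:///big.bin` URI are all constructed for the example.

```python
"""Added example: sign one payload as detached, enveloping and enveloped XML-DSig
and show where the reference-processing cost lands in each placement.

Constructed assumptions (teaching signer, NOT interoperable with real XML-DSig):
  * canonicalization is the stdlib C14N 2.0, not C14N 1.x / Exclusive C14N;
  * SignatureMethod is HMAC-SHA256 (RFC 6931 URI) with a constructed key, so no
    RSA library is needed; the placement logic is identical for RSA/ECDSA.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
KEY = b"constructed demo key, not a real secret"
ET.register_namespace("ds", DS)  # stable prefix so c14n output is reproducible

def ds(tag):
    return f"{{{DS}}}{tag}"

def c14n(elem):
    """Serialize and canonicalize a subtree: the DOM-bound, O(subtree) path."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def serialize(elem):
    return ET.tostring(elem)

def build_signature(uri, digest, transforms, obj=None):
    sig = ET.Element(ds("Signature"))
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, ds("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, ds("Reference"), URI=uri)
    if transforms:
        ts = ET.SubElement(ref, ds("Transforms"))
        for algo in transforms:
            ET.SubElement(ts, ds("Transform"), Algorithm=algo)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, ds("DigestValue")).text = base64.b64encode(digest).decode()
    # The signature proper always covers only the small SignedInfo block, so its
    # cost is placement-independent; placement decides how `digest` was produced.
    mac = hmac.new(KEY, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, ds("SignatureValue")).text = base64.b64encode(mac).decode()
    if obj is not None:
        sig.append(obj)
    return sig

def verify(sig, digest):
    """Recompute the MAC over canonical SignedInfo, then compare the Reference digest."""
    si = sig.find(ds("SignedInfo"))
    mac = base64.b64encode(hmac.new(KEY, c14n(si), hashlib.sha256).digest()).decode()
    want = base64.b64encode(digest).decode()
    got = si.findtext(f"{ds('Reference')}/{ds('DigestValue')}") or ""
    return (hmac.compare_digest(mac, sig.findtext(ds("SignatureValue")) or "")
            and hmac.compare_digest(want, got))

# --- detached: the reference is an external octet stream, hashed as it streams ---
def digest_stream(chunks):
    h = hashlib.sha256()
    for chunk in chunks:  # memory bounded by chunk size; no XML parse at all
        h.update(chunk)
    return h.digest()

def sign_detached(chunks, uri):
    return build_signature(uri, digest_stream(chunks), [])

def verify_detached(sig_bytes, chunks):
    return verify(ET.fromstring(sig_bytes), digest_stream(chunks))

# --- enveloping: payload is serialized inside ds:Object; output = payload + signature ---
def sign_enveloping(payload):
    obj = ET.Element(ds("Object"), Id="payload")
    obj.append(payload)
    return build_signature("#payload", hashlib.sha256(c14n(obj)).digest(), [C14N2], obj=obj)

def verify_enveloping(sig_bytes):
    sig = ET.fromstring(sig_bytes)
    return verify(sig, hashlib.sha256(c14n(sig.find(ds("Object")))).digest())

# --- enveloped: whole document loaded, Signature cut out, whole document re-canonicalized ---
def sign_enveloped(root):
    digest = hashlib.sha256(c14n(root)).digest()  # full-document canonicalization
    root.append(build_signature("", digest, [ENVELOPED, C14N2]))
    return root

def verify_enveloped(doc_bytes):
    root = ET.fromstring(doc_bytes)  # the entire document must be in memory
    sig = root.find(ds("Signature"))
    root.remove(sig)                 # the enveloped-signature transform
    return verify(sig, hashlib.sha256(c14n(root)).digest())

def make_payload():
    """Constructed sample document."""
    root = ET.Element("invoice", id="42")
    ET.SubElement(root, "amount", currency="EUR").text = "100.00"
    ET.SubElement(root, "payee").text = "ACME GmbH"
    return root

def payload_chunks(n_chunks=64, size=16 * 1024):
    """Constructed stand-in for a large file: 1 MiB yielded piecewise, never held whole."""
    for i in range(n_chunks):
        yield bytes([i & 0xFF]) * size

if __name__ == "__main__":
    doc = serialize(sign_enveloped(make_payload()))
    print("enveloped ok:", verify_enveloped(doc),
          "tampered:", verify_enveloped(doc.replace(b"100.00", b"999.00")))
    print("enveloping ok:", verify_enveloping(serialize(sign_enveloping(make_payload()))))
    det = serialize(sign_detached(payload_chunks(), "file:///big.bin"))
    print("detached ok:", verify_detached(det, payload_chunks()),
          "signature size:", len(det), "bytes, independent of payload size")
```

Read against the thread: `sign_detached`/`verify_detached` never parse the payload and only ever hold one chunk, which is the "you only need the hash" point of the second answer; `sign_enveloping` writes the whole payload back out inside `ds:Object`, and `sign_enveloped`/`verify_enveloped` parse the entire document, cut the `Signature` out and canonicalize everything again, which is the transform-and-rendering cost the first answer's comment describes. vond's SAX objection is about doing that last step without a DOM; this example deliberately takes the DOM route to make the cost visible. For production use take xmlsec, signxml or a comparable library rather than this code.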