Position Paper
W3C Workshop on Next Steps for XML Signature and XML Encryption
Organization: Tarari, Inc.
Participants: Michael Leventhal, Senior Director, XML Products; Eric Lemoine, Chief Architect, XML

Tarari has made silicon-based accelerators for XML processing for the last 5 years. Our customers use our XML accelerators and other Tarari accelerators in network devices, including security appliances such as firewalls, IDS/IPS, and UTMs, and in XML appliances. Many of the top network equipment and security appliance companies are our customers. Tarari has deep expertise in the performance aspects of XML standards and a strong interest in ensuring that those standards are not incompatible with various optimization strategies, including the use of silicon accelerators. With these objectives in mind, we were active participants in the XML Binary Characterization Working Group.

Tarari supports the hardware acceleration of XML Signature and XML Encryption. In our research we have found these processes, and their expressions in WS-Security and other standards that encompass XML signature and XML encryption, to be among the least performant of all common XML processes; we have also found that they are difficult to accelerate, with or without silicon, to the performance levels needed in XML-capable network devices. We do not believe that a binary XML format will have any positive effect at all on the performance obtained on XML signature and encryption operations. We believe that the performance issue must be addressed at the level of the XML signature and encryption recommendations and their encompassing standards, and that performance benefits can be obtained by directing sufficient energy in the next steps for XML signature and encryption toward performance issues, including compatibility with hardware acceleration.
We believe, and our customers believe, that XML signature and encryption have very wide application and should become commonplace operations on the internet. We expect these standards to be used in ways that are similar to SSL, with capabilities being ubiquitous in internet clients and enterprises offloading SSL termination to specialized proxy appliances, typically making use of cryptographic accelerators. Just as the need for SSL appliances was stimulated by both internet commerce and the growth of VPN use for remote access to corporate networks, we are seeing the beginnings of explosive growth for the XML security industry, stimulated by web services, federated identity and other XML-based applications. Performance, however, is a barrier to wider adoption.

Our XML accelerator includes the same cryptographic acceleration used for SSL, and this is used to accelerate XML signature and encryption operations. Through extensive research, profiling, and field experience we have found that the cryptographic workload for XML encryption is comparable to SSL, but that the cryptographic workload is small compared to the other processing required to complete an XML "handshake". For high-volume secure XML transactions, cryptographic acceleration is therefore an essential but not sufficient requirement, and even with cryptographic acceleration, capacity will be considerably less than for SSL. Tarari also accelerates XML processing, including parsing, XPath, and XSLT. Adding these capabilities to cryptographic acceleration produces better results for XML signature and encryption, but results are still below the long-term latency and throughput objectives of network equipment and security appliance vendors. Software implementations of XML signature and encryption that we have tested show performance in a wide range, from 1200 CPU cycles per byte of XML processed to as much as 10,000 cycles per byte.
With XML and cryptographic hardware acceleration that can be improved to numbers in the high hundreds of cycles per byte. By way of comparison, with hardware acceleration XML threat management (XTM) runs at 10 cycles per byte, parsing (including producing a memory structure as output) at 20, XPath at 40 and schema validation at 80. XML signature and encryption therefore perform worse than other core network processing applications of XML by a factor of 10 or worse.

There are many components of the XML signature and encryption processes responsible for this poor showing. Overall, the number of steps, and the complexity of supporting the number of combinations required even by profiled subsets, take a large toll on our ability to implement specialized engines for XML signature and encryption and on the resulting performance. The design of the XML signature and encryption processes seems intrinsically multi-step and seems to assume performance-heavy data structures and multi-pass algorithms. Canonicalization is probably the single most costly operation, responsible for as much as 50% of the processing time on many signing operations.

In our work on the XML Binary Characterization Working Group we were occasionally asked why a company that accelerates XML processing with specialized silicon would be motivated to work on standards that would improve the efficiency of XML in all deployment scenarios, including software running on general-purpose processors. The answer is that efficient XML processing enlarges the overall use of XML and increases, rather than decreases, the market for very high volume solutions that use accelerators. Also, while accelerators can somewhat improve the performance of intrinsically inefficient processes, they actually do much better in relative terms on efficient processes.
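The point that canonicalization, not the cryptography, dominates signing cost can be checked on a small document. The following is an added example, not code from the paper or from Tarari: it runs the stdlib C14N 2.0 writer (xml.etree.ElementTree.canonicalize) and a SHA-256 digest over a constructed SOAP-style message and reports nanoseconds per byte for each stage; the sample document, the function names and the round count are assumptions made here.

```python
"""Added example: time canonicalization against the digest step of a
simplified XML signing pipeline on a constructed sample document."""
import hashlib
import time
from xml.etree import ElementTree as ET

# Constructed sample: attributes deliberately out of order and a namespace
# prefix, so C14N has real work to do (attribute sorting, ns handling).
SAMPLE_XML = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><Order z="3" a="1" m="2"><Item sku="X1">widget</Item>'
    '<Item sku="X2">gadget</Item></Order></soap:Body></soap:Envelope>'
)


def canonicalize(xml_text: str) -> bytes:
    """C14N 2.0 as implemented by the Python stdlib (Python 3.8+)."""
    return ET.canonicalize(xml_text).encode("utf-8")


def digest(data: bytes) -> str:
    """The cryptographic part of DigestValue computation: SHA-256."""
    return hashlib.sha256(data).hexdigest()


def profile_sign_prep(xml_text: str, rounds: int = 200) -> dict:
    """Return per-byte timings for C14N and for the digest, plus the share
    of the total spent in canonicalization (measured, not quoted)."""
    n = len(xml_text.encode("utf-8"))
    t0 = time.perf_counter()
    for _ in range(rounds):
        c14n = canonicalize(xml_text)
    t1 = time.perf_counter()
    for _ in range(rounds):
        digest(c14n)
    t2 = time.perf_counter()
    c14n_ns = (t1 - t0) / rounds / n * 1e9
    hash_ns = (t2 - t1) / rounds / n * 1e9
    return {
        "bytes": n,
        "c14n_ns_per_byte": c14n_ns,
        "digest_ns_per_byte": hash_ns,
        "c14n_share": c14n_ns / (c14n_ns + hash_ns),
        "canonical": c14n,
    }


if __name__ == "__main__":
    r = profile_sign_prep(SAMPLE_XML)
    print(r["canonical"].decode())
    print(f"C14N: {r['c14n_ns_per_byte']:.0f} ns/byte, "
          f"SHA-256: {r['digest_ns_per_byte']:.0f} ns/byte, "
          f"C14N share: {r['c14n_share']:.0%}")
```

The absolute numbers depend on the machine and interpreter; what carries over to the paper's argument is the ratio, which shows the digest as a small fraction of the work even before any signature value is computed.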
The huge scope of potential applications for XML signature and encryption and the scale of internet computing is such that the market for acceleration should reach at a minimum the level of the current market for SSL/VPN and other SSL proxy appliances, provided the performance roadblocks for unaccelerated applications of XML signature and encryption are removed.