"Jim Schaad" <ietf(_at_)augustcellars(_dot_)com> writes:
> Do you really consider this to be done efficiently for use with the two
> current document algorithms? The validator needs to buffer the entire body
> stream before it can start doing the validation pass.

I consider it done efficiently for the existing (SignedData/AuthData) formats.
I consider it done horribly inefficiently for AuthEnvData, for the reason you
give above, but it's algorithm-specific: For the two chosen algorithms, it
happens to be more convenient to put the auth.attributes first. For many
other algorithms (as illustrated by the existing SignedData/AuthData
practice), you need to have the auth.attributes last.