
Proposal - no change needed to XML Encryption to add Transforms to algorithm section (ISSUE-135)

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Fri, 2 Oct 2009 08:13:31 -0400
Message-Id: <54AC7270-9DCC-433B-89D2-EA6D4B83B5F0@nokia.com>
To: XMLSec WG Public List <public-xmlsec@w3.org>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>

I took an action, ACTION-374, to review ISSUE-135, to clarify the
intent of this issue related to Transforms in XML Encryption.

Reviewing the minutes, it is clear this was raised when discussing how  
to align XML Signature 1.1 and XML Encryption 1.1. From the minutes  
(see below and in the issue) I think the issue can be stated as
follows:

1. The XML Encryption CipherReference element supports an optional  
Transforms child element (from the encryption namespace) that can  
contain 1 or more Transform children.

2. The XML Encryption Algorithms section has no mention of transforms.  
This is inconsistent with XML Signature 1.1, that has a section on  
Transform Algorithms in the algorithm section:

http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-TransformAlg

3. The question raised by the issue is: Should XML Encryption have a  
sub-section in the Algorithms section for transforms?

Proposal:

I suggest the answer is "no", because the specification states in the  
CipherReference section:

"The syntax of the URI and Transforms is similar to that of [XML-DSIG].
However, there is a difference between signature and encryption
processing."

By making the following change we could make it clear that the  
transforms are defined in XML-DSIG, hence no need for repeating the  
information in XML Encryption:

"The syntax of the URI and Transforms is defined in XML Signature
[XML-DSIG], however XML Encryption places the Transforms element in the
XML Encryption namespace since it is used in XML Encryption to obtain an
octet stream for decryption."

It isn't obvious why a different namespace was needed, even though the  
transforms are here used to obtain the octets to decrypt (but that was  
an earlier decision).

I've created a new issue to look at the impact of 2.0 transforms on  
XML Encryption, ISSUE-146.

regards, Frederick

Frederick Hirsch
Nokia


Raised during June 2009 F2F on topic of aligning 1.1 XML Signature and  
XML Encryption

From minutes:
http://lists.w3.org/Archives/Member/member-xmlsec/2009Jun/att-0009/09-xmlsec-minutes.html#item07

<fjh> http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.htm#sec-CipherReference
Magnus: nothing in particular in mind
... we don't have a transform element, should there be one?
<fjh> "The syntax of the URI and Transforms is similar to that of"
Frederick: may need to review this more
<fjh> issue: review transforms for encryption
<trackbot> Created ISSUE-135 - Review transforms for encryption ;
please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/135/edit .

Mail from Magnus stated:
http://lists.w3.org/Archives/Public/public-xmlsec/2009May/0054.html

- XMLEnc does not mention transform algorithms (but should probably given
the CipherReference type, see XMLEnc Section 3.3.1). If the group
agrees that it should, I guess the same normative statements as are in
XMLDsig 1.1 with regards to transforms should apply?

Received on Friday, 2 October 2009 12:14:25 GMT
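
The structure discussed in the message, as an added example that is not part of the original mail or of either specification: a Python check that a CipherReference carries its Transforms wrapper in the XML Encryption namespace and returns the transform algorithm URIs in order. The sample documents are constructed, the function name is hypothetical, and the rule that each child is a `ds:Transform` from the XML Signature namespace comes from the XML Encryption schema rather than from the message.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"   # XML Encryption namespace
DS = "http://www.w3.org/2000/09/xmldsig#"    # XML Signature namespace
BASE64 = DS + "base64"                       # base64 transform URI from XML-DSIG

# Constructed samples: wrapper in the xenc namespace (expected form) ...
GOOD = f"""<CipherReference xmlns="{XENC}" xmlns:ds="{DS}"
    URI="http://www.example.com/CipherValues.xml">
  <Transforms>
    <ds:Transform Algorithm="{BASE64}"/>
  </Transforms>
</CipherReference>"""

# ... and the same content with the wrapper copied from XML Signature.
BAD = f"""<CipherReference xmlns="{XENC}" xmlns:ds="{DS}"
    URI="http://www.example.com/CipherValues.xml">
  <ds:Transforms>
    <ds:Transform Algorithm="{BASE64}"/>
  </ds:Transforms>
</CipherReference>"""


def cipher_reference_transforms(xml_text):
    """Return the ordered Algorithm URIs of a CipherReference's transforms.

    Raises ValueError when the element does not have the shape described
    above. An absent Transforms element is valid (it is optional).
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XENC}}}CipherReference":
        raise ValueError("root element is not xenc:CipherReference")
    if root.find(f"{{{DS}}}Transforms") is not None:
        raise ValueError("Transforms wrapper is in the XML Signature namespace")
    wrappers = root.findall(f"{{{XENC}}}Transforms")
    if len(wrappers) > 1:
        raise ValueError("more than one Transforms element")
    if not wrappers:
        return []
    children = list(wrappers[0])
    if not children:
        raise ValueError("Transforms must contain one or more Transform children")
    algorithms = []
    for child in children:
        if child.tag != f"{{{DS}}}Transform" or not child.get("Algorithm"):
            raise ValueError(f"unexpected child or missing Algorithm: {child.tag}")
        algorithms.append(child.get("Algorithm"))
    return algorithms
```
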
