W3C home > Mailing lists > Public > public-xmlsec@w3.org > April 2010

XML Encryption 1.1 comments

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Mon, 26 Apr 2010 21:06:01 -0400
Message-Id: <FE2306CB-1D24-46FD-A83D-8FA8F5D45E63@nokia.com>
To: XMLSec WG Public List <public-xmlsec@w3.org>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
I have some  comments on latest editors draft of XML Encryption 1.1 at  
<http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.htm>

Editorial comments follow substantive comments.

Substantive:

(1) Section 2.1, Encryption Granularity

Add warning that examples do not consider plaintext guessing attack or  
other risks, and are only for illustrative purposes.

(2) Section 3.3.1, The CipherReference Element

In example, replace

xmlns:rep="http://www.example.org/repository"
with
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'

and replace "parent::rep:CipherValue" with "parent::enc:CipherValue"
See 3.6 for example that already takes this suggested approach.
(3) Section 3.5.1, The EncryptedKey Element

Replace

"The value of the key is to be the same in all EncryptedKey elements  
identified with the same CarriedKeyName label within a single XML  
document."

with

"The value of the key MUST be the same in all EncryptedKey elements  
identified with the same CarriedKeyName label within a single XML  
document."

(in CarriedKeyName paragraph)

(4) Section 3.5.2, The DerivedKey Element

Replace

"The value of the master key is to be the same in all DerivedKey  
elements identified with the same MasterKeyName label within a single  
XML document."

with

"The value of the master key MUST be the same in all DerivedKey  
elements identified with the same MasterKeyName label within a single  
XML document."

(in MasterKeyName paragraph)

(5) 3.5.3 The ds:RetrievalMethod Element

(5a) After first sentence add:

"The ds:RetrievalMethod with a Type of 'http://www.w3.org/2001/04/xmlenc#DerivedKey' 
  provides a way to express a link to a DerivedKeyelement used to  
derive the key needed to decrypt the CipherData associated with an  
EncryptedData or EncryptedKey element."

(5b) In next sentence replace "with this type" with "with one of these  
types"

(5c) Remove " fixed='http://www.w3.org/2001/04/xmlenc#EncryptedKey'"  
from schema example comment.

(6) The ReferenceList Element

(6a) In first sentence, replace "EncryptedKey" with "EncryptedKey or  
DerivedKey"

(6b) In first sentence after example, replace "EncryptedKey" with  
"EncryptedKey or DerivedKey"

(6c) In second paragraph after example, beginning "KeyReference  
elements..." replace 2nd occurrence of EncryptedKey (not first) with  
"EncryptedKey or DerivedKey"

(7) Section 4.1, Intended Application Model

In the last paragraph, "If XML Encryption is used with an EXI stream  
[EXI], then Encryptors and Decryptors commonly perform type-specific  
processing." is not clear.

I think the intent is to say perform normal processing at XML Infoset  
model, but serialize using EXI.

Replace noted sentence with "If XML Encryption is used with an EXI  
stream [EXI], then Encryptors and Decryptors process content as for  
XML element or XML content processing, but taking into account EXI  
serialization."

(8) Section 4.3 Encryption

How does the following statement relate to EXI serialization, any  
concerns?

" If the cleartext is of type element or content, the data must be  
serialized in UTF-8 as specified in [XML10], using Normal Form C [NFC]."

(9) Section 5.4.1, ConcatKDF

Replace 'The concatenation shall be done using the original, unpadded  
bit string values."'

with

'The concatenation MUST be done using the original, unpadded bit  
string values.'

(10) Section 5.4.1, ConcatKDF

In the example, what does it mean to have PartyVInfo=""? is this  
necessary, or a mistake?

(11) 5.5.1 RSA Version 1.5

Replace
"Support of this key transport algorithm for transporting 192 bit keys  
is MANDATORY to implement. "

with

"Implementations MUST implement this key transport algorithm with  
support for transporting 192 bit keys."

=======

Editorial

(1) Abstract

s/structure data/structured data/

s/which/that/

(2) 1 Introduction

s/which/that/

(3) 2.1.2 Encrypting XML Content (Elements)

s/ is encrypted:/can be encrypted:/

(4) 2.1.3 Encrypting XML Content (Character Data)

s/Or,/Alternatively, /

(5) 2.1.5 Super-Encryption

New paragraph before "For example"

(6) Section 2.2.2 EncryptedKey and elsewhere

is using &xenc; to represent enc namespace really clear, or should we  
just spell out namespace URI where needed. General comment.

(7) 3, Encryption Syntax

s/to fit on the page/URI to fit on this page, but is not part of the  
URI/

Add newline to example near end, schemaLocation, and repeat note about  
newline.

(8) 3.1 The EncryptedType Element

s/Implementation MUST/Implementations MUST/

s/or EncryptedKey/or EncryptedKey elements/

(9) 3.2 The EncryptionMethod Element

s/which/that/ in 3rd paragraph

(10) 3.3 The CipherData element

in 1st paragraph

s/encoded text/encoded text  as element content/

(11) 3.4 The EncryptedData Element

s;replaces the encrypted element;replaces the encrypted element/ 
element content;

(12) 4.3 Encryption, 4.4 Decryption

new paragraph before and after every numbered list item as needed.

(13) 4.5 XML Encryption

Replace "transforms" with "operations" in first sentence to avoid  
confusion with XML Security specific transforms.

Replace last sentence

These sections are non-normative and optional to implementers of this  
specification, but they may be normatively referenced by and MANDATORY  
to other specifications that require a consistent processing for  
applications, such as [XMLENC-DECRYPT].

with

These sections are non-normative and optional to implementers of this  
specification, but they may be normatively referenced by and be  
required by other specifications that require a consistent processing  
for applications, such as [XMLENC-DECRYPT].


(14) 4.5.4 Text Wrapping

new paragraph before and after every numbered list item as needed.

replace "element is fed is decrypted" with "element is decrypted"

(15) 5.2.4 AES-GCM

space between ']' and 'is'

(16) 5.4.1 ConcatKDF

3rd paragraph after first example, s/for The/for the/

new paragraph before and after every numbered list item as needed.

(17) 5.4.2, PBKDF2

Add newline before "default" for last complexType definition, add note  
about newline

(18) 5.5.2 RSA-OAEP

Are spaces ok/misleading in OAEPparams value?

(19) 6.1 Relationship to XL Digital Signatures

new paragraph before and after every numbered list item as needed.



regards, Frederick

Frederick Hirsch
Nokia
Received on Tuesday, 27 April 2010 01:06:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 April 2010 01:06:47 GMT