- From: Ed Simon <ed.simon@entrust.com>
- Date: Fri, 20 Oct 2000 16:38:23 -0400
- To: "'Mark Scherling'" <mscherling@xcert.com>, Public XML Encryption List <xml-encryption@w3.org>
- Cc: rnd@xcert.com
- Message-ID: <3120721CA75DD411B8340090273D20B10C1C48@sottmxs06.entrust.com>

I definitely think that XML Encryption needs to be designed with authorization in mind BUT more in the sense that XML Encryption needs to be flexible enough to support it rather than us trying to build authorization and access control mechanisms directly into XML Encryption. In other words, we must ensure that XML Encryption can be used by authorization applications but authorization need not be designed into XML Encryption except perhaps as one of the mechanisms for retrieving the decryption key for a specific node.

Part of my presentation at Lafayette will look at authorization scenarios much like the one described in your document. (I'm also particularly keen to see XML Encryption work hand-in-hand with XSLT.)

If you could contrast and compare your work with the approaches from the University of Milan (see "http://lists.w3.org/Archives/Public/xml-encryption/2000Aug/0013.html") and IBM Tokyo's XML Access Control Language (anyone got a link, I can't seem to find a good one) that might be useful.

Regards,
Ed

-----Original Message-----
From: Mark Scherling [mailto:mscherling@xcert.com]
Sent: Friday, October 20, 2000 4:10 PM
To: Public XML Encryption List
Cc: rnd@xcert.com
Subject: proposed approach to XML encryption

Attached is a proposed approach that could be used to identify and encrypt content. It is recognized that some content within certain documents (i.e. medical records) must be viewable by different groups with different needs. The problem is to identify the group, the content they need and to ensure that access is restricted to that content is restricted. The proposed example includes a simple example of a medical record with an approach using element attributes to identify different elements that require protection from unauthorized users. The objective is to provide individually accessible elements to meet the needs for diverse access requirements.

Please feel free to comment on the approach and I would be happy to present the concept at the next working group session on November 2.

Cheers

Mark Scherling
Xcert International Inc.
(604) 640-6210 Ext. 349

Received on Friday, 20 October 2000 16:46:44 UTC