- From: Michiharu Kudoh <KUDO@jp.ibm.com>
- Date: Mon, 23 Oct 2000 12:34:32 +0900
- To: Ed Simon <ed.simon@entrust.com>, "'Mark Scherling'" <mscherling@xcert.com>
- Cc: Public XML Encryption List <xml-encryption@w3.org>
- Message-ID: <OFCE1746BA.AD9D914A-ON49256981.000CA8AA@LocalDomain>

I think that XML Encryption basically aims at providing a specification for encrypting and decrypting element(s) in an XML document. Thus it should be primitive and fundamental operations like digital signature in the sense that the encryption function and signature function might be called interchangeably from higher-level functions or applications in order to guarantee confidentiality property as well as integrity and non-repudiation property. Thus my feeling is that, as a first step, XML Encryption should be defined separately from the authorization issues (except for those that are considered as a MUST).

As for XML access control (XACL), please refer to the following URL:

http://www.trl.ibm.co.jp/projects/xml/doccont/xacl_e.htm

We will release our latest specification and implementation of the XML Access Control technology from IBM's alphaworks site soon.

Regards,

Michiharu Kudo
Internet Technology, Tokyo Research Laboratory, IBM Japan Ltd.
TEL +81-46-215-4642
FAX +81-46-273-7428
Internet: kudo@jp.ibm.com

From: Ed Simon <ed.simon@entrust.com> on 2000/10/21 05:38
To: "'Mark Scherling'" <mscherling@xcert.com>, Public XML Encryption List <xml-encryption@w3.org>
cc: rnd@xcert.com (bcc: Michiharu Kudoh/Japan/IBM)
Subject: RE: proposed approach to XML encryption

I definitely think that XML Encryption needs to be designed with authorization in mind BUT more in the sense that XML Encryption needs to be flexible enough to support it rather than us trying to build authorization and access control mechanisms directly into XML Encryption. In other words, we must ensure that XML Encryption can be used by authorization applications but authorization need not be designed into XML Encryption except perhaps as one of the mechanisms for retrieving the decryption key for a specific node.

Part of my presentation at Lafayette will look at authorization scenarios much like the one described in your document. (I'm also particularly keen to see XML Encryption work hand-in-hand with XSLT.)

If you could contrast and compare your work with the approaches from the University of Milan (see "http://lists.w3.org/Archives/Public/xml-encryption/2000Aug/0013.html") and IBM Tokyo's XML Access Control Language (anyone got a link, I can't seem to find a good one) that might be useful.

Regards, Ed

-----Original Message-----
From: Mark Scherling [mailto:mscherling@xcert.com]
Sent: Friday, October 20, 2000 4:10 PM
To: Public XML Encryption List
Cc: rnd@xcert.com
Subject: proposed approach to XML encryption

Attached is a proposed approach that could be used to identify and encrypt content. It is recognized that some content within certain documents (i.e. medical records) must be viewable by different groups with different needs. The problem is to identify the group, the content they need and to ensure that access is restricted to that content is restricted. The proposed example includes a simple example of a medical record with an approach using element attributes to identify different elements that require protection from unauthorized users. The objective is to provide individually accessible elements to meet the needs for diverse access requirements.

Please feel free to comment on the approach and I would be happy to present the concept at the next working group session on November 2.

Cheers

Mark Scherling
Xcert International Inc.
(604) 640-6210 Ext. 349

Attachments
- text/html attachment: HTML File
Received on Sunday, 22 October 2000 23:35:46 UTC