W3C home > Mailing lists > Public > xml-encryption@w3.org > October 2000

access control and encryption

From: Mark Scherling <mscherling@xcert.com>
Date: Mon, 23 Oct 2000 16:24:14 -0700
Message-ID: <39F4C89E.A07F1774@xcert.com>
To: Public XML Encryption List <xml-encryption@w3.org>

With reference to XML Encryption, Access Control should be viewed from
two aspects:

1) Location or document access (coarse control) - where the user is
granted access to the document using a standard method of ACL (password
or PKI certificate).  As an example document management systems such as
Open Text, Documentum and PCDocs provide this type of access control.

2) Element access (fine control) - where access to specific content
within a document is controlled.

For XML encryption I believe that the second aspect must be addressed to
ensure an understanding of how XML encryption will be linked to access
control.  I also believe that access control should be separate from XML
because if access requirements change you would then have to change all
XML documents that have access controls embedded.  That would be a major
mistake in designing XML encryption or access control for XML.

For my approach the key point that is being presented is the use of
element attributes instead of elements as a means of identifying
elements that require encryption (Element Attribute Encryption
Classification).  This approach allows for a much higher granularity and
preserves the integrity of the elements within the structure.

What you use to identify the "encryption" attribute could be one of the
components of the XML encryption working group.  I used class
(classification) in my example based on my background working in
security with government and private industry. The use of a special
"encryption" attribute would allow for the identification of an
encrypted element but more important, will allow organizations to adapt
their current security classification systems to XML.  As an example if
I have a current security classification system that has four levels I
can specify that within my XML document such as:

- title classification="public"
- section1 classification="confidential"
- section2 classification="sensitive"
- section3 classification="executive only"

The objective is not to specify a classification scheme but to provide
flexibility in allowing organizations to use their current security
classification scheme within the context of their information security
requirements when migrating to XML.  The approach should allow you to
display document content to those who need to know as in a medical
record where there are different components and different needs.  This
way you manage one document but satisfy multiple access requirements.
This does not directly address access requirements but provides a method
of dealing with them in XML encryption to solve two key issues:

1) granularity - Element Attribute Encryption Classification can have
"n" levels of security classification where "n" = current/future
security classification levels of any organization.
2) individually accessible elements - Element Attribute Encryption
Classification can define multiple encryption levels within a single XML
document.

For XML Encryption the approach should consider the following
assumptions:

1) you will need to parse the content at some point prior to
sending/presenting it to the user
2) an authorization mechanism must be used to identify authorized users,
their access rights and what content they are allowed to see
3) an encryption mechanism must be used to protect the content

In the Digital Signature model the signator has control over the
document creation.  The signator decides when and if they will sign.

In the XML Encryption model the user does not have control over document
creation.  The user is requesting information (document or documents).
There needs to be some means of:
- identifying that user,
- verifying the access rights,
- providing a means to identify the content that needs protection, and
- a protection mechanism(encryption) so the identified user can gain
access to the information but no one else can.

For XML Encryption you still need a mechanism to identify the user such
that the encrypted content can be decrypted.  In PKI, the user's public
key would encrypt the specified element and the user's private key would
decrypt.  The question is how do you identify a user such that the XML
document element could be encrypted for that user without using some
form of ACL?
Received on Monday, 23 October 2000 19:24:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:17 GMT