Re: R: R: proposed approach to XML encryption from Joseph M. Reagle Jr. on 2000-10-24 (xml-encryption@w3.org from October 2000)

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Tue, 24 Oct 2000 10:10:57 -0400
To: "Ernesto Damiani" <edamiani@telnetwork.it>
Cc: <xml-encryption@w3.org>
Message-Id: <4.3.2.7.2.20001024095754.034908b8@rpcp.mit.edu>

At 02:06 10/24/2000 +0200, Ernesto Damiani wrote:
>Looking at the agenda of the encryption workshop I feel confirmed in
>the opinion that there is quite a lot of interaction between XML access
>control and encryption requirements..

Ernesto,

It appears that any future _encryption_ activity would be well served by 
clearly distinguishing between encryption (how to encrypt a node), 
authentication (verification of the identity of a person or process), and 
authorization (permissions) [1] from the out start.

[1] http://www.ietf.org/rfc/rfc2828.txt
$ encrypt (I) Cryptographically transform data to produce ciphertext.
$ authenticate (I) Verify (i.e., establish the truth of) an identity claimed 
by or for a system entity. (See: authentication.)
$ authorization (1.) An "authorization" is a right or a permission that is 
granted to a system entity to access a system resource.

>Unfortunately, it seems to be a bit late for us to start planning to attend
>the workshop ( just to listen :-) ).. Anyway, I'll be looking forward to
>reading the papers ..

You were correct in your reading of the Workshop call, authorization is not 
in scope [2]. So I don't think you'll miss anything on that front. However, 
we'll take a some time to understand these differences, and if there's any 
special requirements we need to account for. Regardless, I expect given all 
the interest in authentication and authorization that whatever encryption 
does, it will be watched closely and will support/enable/co-exist with such 
systems.

[2] http://www.w3.org/2000/09/XML-Encryption-Workshop.html
Related topics that are not part of XML Encryption (though they may provide 
requirements as an application) are:
·       XML Access Control Policies: specifying policies and mechanisms 
beside encryption that control access to XML content.

__
Joseph Reagle Jr.
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/

Received on Tuesday, 24 October 2000 10:11:59 UTC