I definitely think that XML Encryption needs to be designed with
authorization in mind BUT more in the sense that XML Encryption
needs to be flexible enough to support it rather than us trying
to build authorization and access control mechanisms directly into
In other words, we must ensure that XML Encryption can be used
by authorization applications but authorization need not be
designed into XML Encryption except perhaps as one of the mechanisms
for retrieving the decryption key for a specific node. Part of my
presentation at Lafayette will look at authorization scenarios much
like the one described in your document. (I'm also particularly keen to
see XML Encryption work hand-in-hand with XSLT.)
If you could contrast and compare your work with the approaches
from the University of Milan (see
and IBM Tokyo's XML Access Control Language (anyone got a link, I can't
seem to find a good one) that might be useful.
From: Mark Scherling [mailto:firstname.lastname@example.org]
Sent: Friday, October 20, 2000 4:10 PM
To: Public XML Encryption List
Subject: proposed approach to XML encryption
Attached is a proposed approach that could be used to identify and
encrypt content. It is recognized that some content within certain
documents (i.e. medical records) must be viewable by different groups
with different needs. The problem is to identify the group, the content
they need and to ensure that access is restricted to that content.
The proposed example includes a simple example of a medical
record with an approach using element attributes to identify different
elements that require protection from unauthorized users. The objective
is to provide individually accessible elements to meet the needs for
diverse access requirements.
Please feel free to comment on the approach and I would be happy to
present the concept at the next working group session on November 2.
Xcert International Inc.
(604) 640-6210 Ext. 349