Jim,

>> > > 9. There's an ambiguity in the use of KeyInfo in
>> > > EncryptedData and EncryptedKey:
>> > > does the KeyInfo relate to the key used to encipher or
>> > > decipher? The
>> > > description of EncryptedType says the former, which is fine,
>> > > and probably
>> > > correct, but 3.4 refers to the key for decrypting. Hopefully,
>> > > just a matter
>> > > of text, but possibly confusing later if we're not careful.
>> >
>> > KeyInfo always refers to the key used for decipher. See
>> > the note on NameKey
>> > above.
>>
>> Isn't that wrong? An X.509 cert (and other ds:KeyInfo cases) contains
>> the enciphering key in this context.
>
> I was referring to the case of keyInfo being used in EncryptedData and
> EncryptedKey. If you want to look at KeyInfo in a general case, it contains
> a key (or instructions on how to get a key). Nothing is said about the use
> or type of the key contained therein. It could be Signing, Decryption,
> Authentication, a second key for key agreement algorithms. KeyInfo just
> holds something that can be turned into a key

I believe that X.509 certificates may be contained in the KeyInfo element
being used in the EncryptedData or EncryptedKey element. KeyInfo is the
element that contains information to obtain a key in a context. In the
context of XML Encryption, the key is a decryption key. Note that the key
may be obtained directly or indirectly. This means that the KeyInfo element
may contain an identifier for a decryption key itself, an encryption key,
or a key pair, depending on applications, and if an identifier for an
encryption key is contained (e.g., by using a ds:X509Data element), a
recipient has to identify the encryption key first and then obtain the
corresponding decryption key.

Thanks,
Takeshi IMAMURA
Tokyo Research Laboratory
IBM Research
imamu@jp.ibm.com

Received on Thursday, 26 April 2001 04:08:01 GMT
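The direct-versus-indirect key identification described in the message above, as an added example that is not part of the thread: a recipient resolves the key it must use to decrypt from the ds:KeyInfo inside xenc:EncryptedData, either straight from a ds:KeyName or, via ds:X509Data, by first identifying the certificate (the encryption key) and then looking up its private key. The key-store dictionaries, their handles and the sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed recipient key store (hypothetical handles, not real keys).
# Key names identify a decryption key directly; certificate subjects identify
# the encryption key, from which the matching private key is then looked up.
PRIVATE_KEYS_BY_NAME = {"recipient-kek-2001": "KEK-HANDLE-1"}
PRIVATE_KEYS_BY_CERT_SUBJECT = {"CN=Recipient,O=Example": "RSA-PRIV-HANDLE-7"}


def resolve_decryption_key(encrypted_data_xml: str) -> str:
    """Return the handle of the key a recipient must use to decrypt."""
    root = ET.fromstring(encrypted_data_xml)
    key_info = root.find(f"{{{DS}}}KeyInfo")
    if key_info is None:
        raise ValueError("no KeyInfo: decryption key must be known out of band")
    # Direct case: KeyInfo names the decryption key itself.
    key_name = key_info.findtext(f"{{{DS}}}KeyName")
    if key_name is not None:
        if key_name not in PRIVATE_KEYS_BY_NAME:
            raise KeyError(f"unknown KeyName {key_name!r}")
        return PRIVATE_KEYS_BY_NAME[key_name]
    # Indirect case: KeyInfo identifies the certificate, i.e. the encryption
    # key; the recipient must then find the corresponding decryption key.
    subject = key_info.findtext(f"{{{DS}}}X509Data/{{{DS}}}X509SubjectName")
    if subject is not None:
        if subject not in PRIVATE_KEYS_BY_CERT_SUBJECT:
            raise KeyError(f"no private key for certificate subject {subject!r}")
        return PRIVATE_KEYS_BY_CERT_SUBJECT[subject]
    raise ValueError("unsupported KeyInfo content")


# Constructed messages for the two cases (CipherValue is a placeholder).
DIRECT = f"""<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}">
  <ds:KeyInfo><ds:KeyName>recipient-kek-2001</ds:KeyName></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""
INDIRECT = f"""<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}">
  <ds:KeyInfo><ds:X509Data>
    <ds:X509SubjectName>CN=Recipient,O=Example</ds:X509SubjectName>
  </ds:X509Data></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

if __name__ == "__main__":
    print(resolve_decryption_key(DIRECT))    # KEK-HANDLE-1
    print(resolve_decryption_key(INDIRECT))  # RSA-PRIV-HANDLE-7
```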
This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 27 May 2007 00:08:56 GMT