W3C home > Mailing lists > Public > xml-encryption@w3.org > January 2001

Qn about nested encryption

From: Sanjeev Hirve <shirve@cyberelan.com>
Date: Tue, 2 Jan 2001 11:13:06 -0500
Message-ID: <004501c074d6$e4551b20$0800010a@cyberelan.com>
To: "xml-enc" <xml-encryption@w3.org>
Cc: "Joseph M. Reagle Jr." <reagle@w3.org>
With ref to the proposal "XML encryption syntax and processing" v 1.0, dated 2000/12/15, by Dillaway et al, I hav the following question.
Section 2.5 states that "..it is not valid to nest these objects, i.e., an Encrypted Data may not be a child of an Encrypted Data."
I dont understand the reason behind this constraint.
Consider the case where a document is encrypted for multiple recipients.  It is reasonable requirement that recipient A is authorized to access an element X and all its descendents, while recipient B may is authorized to access the same element X less some of its descendents, say element Y.
A simple way to solve this is to first encrypt element Y with key K1, then encrypt element X with key K2.  A has access to K1 and K2 and must decrypt elem X and then Y.

I think, the following memo:
also refers to the same issue.

Received on Tuesday, 2 January 2001 11:09:00 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:59 UTC