W3C home > Mailing lists > Public > xml-encryption@w3.org > January 2001

Re: Attribute encryption

From: Sanjeev Hirve <shirve@cyberelan.com>
Date: Tue, 9 Jan 2001 20:08:45 -0500
Message-ID: <0fc001c07aa1$e23ff6e0$0800010a@cyberelan.com>
To: "Blair Dillaway" <blaird@microsoft.com>, "Ed Simon" <ed.simon@entrust.com>, <xml-encryption@w3.org>
Cc: "Michael Sakhatsky" <msakhatsky@cyberelan.com>, "Raju Nadakaduty" <praju@cyberelan.com>, "Marcus A Cuda" <mcuda@cyberelan.com>
>Can you be more concrete, with an XML + schema example, to demonstrate why Attribute encryption is required for this application?
I apologize for sticking to generalities, but the particulars of the scenario are as follows:
- the system is "legacy", ie, there is a big installed base, so it is impractical to change the XML Schema
> Sounds pretty much like straightforward separation of information into header and body sections.
- the schema was not designed originally for a straightforward separation.
Thus lets say the XML is as follows:
   <receiverInfo SocSecNum="secret stuff>
         <receiversHostname>
                abcd
         </receiversHostname>
   </receiverInfo>
As we all know SocSecNum are very private data, and B may not see it, but B needs to access receiverInfo/receiverHostname.

After encryption, this becomes
   <receiverInfo >
         <.... encrypted attribute...>
         <receiversHostname>
                abcd
         </receiversHostname>
   </receiverInfo>
The doc is no longer valid against the original schema, but B can still resolve the Xpath (receiverInfo/receiverHostname) properly.
As you pointed out, the choice is still between encrypting the attribute, and pre-transforming it.  Philip Hallam-Baker has already expressed his preference on that.

However, my argument is still mainly one for consistency: attribute values should get the same treatment as element content - if one can encrypt children of an element, then one should be able to encrypt its attributes.
>The argument in favor of attribute encryption seems to based on the notion that a receipient can take advantage of the existance of a >known Element in some legacy schema, even if its attribute values are opaque. I have trouble with this argument.

I did not understand this.  Can you please clarify?

I also now realize that my original proposal does not address the example I have cited above.

regards

SSH
Received on Tuesday, 9 January 2001 20:04:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:18 GMT