RE: Attribute encryption & Blair's message

From: Blair Dillaway <blaird@microsoft.com>
Date: Thu, 11 Jan 2001 14:39:53 -0800
Message-ID: <AA19CFCE90F52E4B942B27D4234963790120AFA7@red-msg-01.redmond.corp.microsoft.com>
To: "'Thane Plambeck'" <tplambeck@verisign.com>, "'xml-encryption@w3.org'" <xml-encryption@w3.org>
Thane's comment is pretty much in line with my thinking.

I remain unconvinced that there is sufficient value in encrypting only
attribute values, while trying to maintain some similarity to the original
schema. I simply don't buy the argument that recipients of such encrypted
docs can do meaningful and robust interpretation of the containing elements
while ignoring the cipher text and encryption information. If the recipient
only understands the original schema, then the encrypted document is
invalid. On what basis should they decide to ignore improperly encoded
and/or extraneous data within an element? Simply ignoring everything you
don't understand in an element, while assuming the rest is something you do
understand, seems incredibly brittle and error prone. 

Robust processing of encrypted docs implies knowledge of the schema against
which the encrypted document is valid. Hence, moving sensitive attribute info
into child elements for those few apps that only want the attribute
encrypted, doesn't seem that onerous to me. Especially if it significantly
simplifies building encryption/decryption processors.

BTW, I am still open to changing my mind on this if we can identify
applications where the value of attribute only encryption justifies the
complexity.

-----Original Message-----
From: Thane Plambeck [mailto:tplambeck@verisign.com]
Sent: Thursday, January 11, 2001 1:02 PM
To: 'xml-encryption@w3.org'
Subject: RE: Attribute encryption & Blair's message


If Blair's recommendation (as interpreted below) is taken, what is the need
for attribute encryption, since the sensitive data will be recast into
elements anyway?
 

Thane Plambeck 
tplambeck@verisign.com 
http://www.verisign.com/
650 429 5247 direct, Mt View Office 
650 321 4884 home office 
650 323 4928 home office fax 

-----Original Message-----
From: Ed Simon [mailto:ed.simon@entrust.com]
Sent: Thursday, January 11, 2001 12:30 PM
To: 'xml-encryption@w3.org'
Subject: RE: Attribute encryption & Blair's message


As I understood things, Blair didn't say "if you want to encrypt an
attribute, encrypt the element that contains it", I thought it was more
along the lines of "if an existing XML system wants to use XML Encryption,
it will need to modify schemas so that they recognize certain XML
Encryption elements; if XML Encryption is to be introduced into a system
where attributes contain sensitive data, then the schema, which has to be
updated anyway, should put that sensitive data in elements rather than
attributes".
 
(Blair, please let the list know if I've misinterpreted you.)
 
But anyway, what is wrong with saying if you want to encrypt an attribute,
encrypt the element that contains it?  What's wrong is that the element and
its contents and other attributes may contain information that is not
sensitive and therefore does not need to be encrypted.  By leaving that
data unencrypted, applications which need it do not need to, unnecessarily,
have access to decryption keys, which enhances overall security.
 
XML Encryption is important not just for what it can encrypt, but for what
it can leave unencrypted (tm-Ed Simon ;-}).
 
If we resolve that there is a requirement to encrypt attribute values, to me
the question comes down to whether
Option 1:  XML Encryption specifies a consistent, broadly applicable way of
encrypting attributes
OR
Option 2:  individual applications design their own way of encrypting
attributes, e.g. converting the attributes to child elements and encrypting
those like regular elements; XML Encryption will not specifically cover
attributes.
 
I like option 1 because it means that any application that has access to the
decryption keying material can reconstruct the plaintext original.
 
Outside of the argument that there is no sufficient requirement to encrypt
attribute values, it seems to me that all the arguments raised against
option 1 apply equally to encrypting whole elements and element content as
well.  If so, then one would deduce that XML Encryption should really only
cover the definition of the <DecryptionInfo> element.  Seriously, if XML
Encryption doesn't allow a plaintext original to be reconstructed from its
ciphertext in a non-proprietary way, its usefulness seems very limited to me.
 
Ed
 

-----Original Message-----
From: Thane Plambeck [mailto:tplambeck@verisign.com]
Sent: Thursday, January 11, 2001 1:48 PM
To: xml-encryption@w3.org
Subject: RE: Attribute encryption & Blair's message



What's wrong with saying if you want to encrypt an attribute, encrypt the
element that contains it?  I'm still waiting for a good example why the
additional application complexity of selective encryption of attributes
inside elements is needed; i.e., I await an explicit response to the
questions and response on this topic posed in Blair Dillaway's most recent
message to this list.
 
Thane Plambeck
tplambeck@verisign.com
http://www.verisign.com/
650 429 5247 direct, Mt View Office 
650 321 4884 home office 
650 323 4928 home office fax 

 
Received on Thursday, 11 January 2001 19:13:25 GMT
