- From: Joseph Reagle <reagle@w3.org>
- Date: Mon, 15 Oct 2001 17:04:29 -0400
- To: "Takeshi Imamura" <IMAMU@jp.ibm.com>
- Cc: Eastlake <dee3@torque.pothole.com>, xenc <xml-encryption@w3.org>
On Monday 15 October 2001 1:48, Takeshi Imamura wrote:
> Is the Type attribute also needed for the EncryptedKey element? I could
> not find such a description in the spec.

It could, you might want to describe the type of key (pgp, spki, etc.) that is within, right...?

> >> 3.2
> >> I believe that a nonce value specified using the Nonce attribute is
> >> used only when encrypting data (not key). Is that correct? If so,
> >> that should be explained explicitly.
> >
> >Tweaked to, " Given that data is often redundant (e.g., XML) and that
> >attackers may know the data's structure, applications are RECOMMENDED to
> >encrypt data with high entropy, either by its own nature or by use of
> > the Nonce attribute."
>
> So should the implementation give a warning when a user is encrypting a
> key with a nonce value and/or decrypting a key encrypted with a nonce
> value?

I don't think the spec needs to speak to that: implementation issue? I did add the nonce processing to the processing model, so as long as we are clear on that, we shouldn't have interop problems.

> >> 3.2.1
> >> Transform elements and an XPath element in the example have to be
> >> prefixed with "ds:".
> >
> >Ok. BTW, why is Transforms not from ds? Was there a purposeful reason we
> >didn't use the following:
>
> Yes. Please see
> http://lists.w3.org/Archives/Public/xml-encryption/2001Jun/0015.html

Ah, right! I'll put a comment in the text to note that.

> >> 3.5
> >> Because the URI attribute is optional, the behavior should be noted
> >> when the attribute is omitted.
> >> Transform and XPath elements in the example have to be prefixed with
> >> "ds:".
> >
> >Do we have any reason why it should be optional? If so, we should defer
> > to application context, if not, we should make it mandatory.
>
> I don't see any reason.

Ok, I changed the ReferenceType's URI attribute to required.

--
Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Monday, 15 October 2001 17:04:48 UTC