W3C home > Mailing lists > Public > xml-encryption@w3.org > September 2001

RE: digest requirement

From: Amir Herzberg <AMIR@newgenpay.com>
Date: Sun, 16 Sep 2001 18:23:40 +0300
Message-ID: <078EE8822DCFD411AAA1000629D56ADC0B7F0B@IMP01>
To: XML Encryption WG <xml-encryption@w3.org>
I think Joe's scenario would work. Few comments:

1. Don't we need to copy the ID's to the EncryptedData tags for the
references to work, e.g.:

<AlphabetiSphagetti>
  <A id="a"/>
  <EncryptedData id="b" xmlns='http://www.w3.org/2001/04/xmlenc#'
   Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <CipherData>
      ....    

2. What if we want the signature to also include a regular (mandatory, not
Manifest) SignedInfo for parts of the document which are never encrypted?
E.g. suppose the document is:

<AlphabetiSphagetti>
  <NonEncrypted1/>
  <A id="a"/>
  <B id="b"/>
  <C id="c"/>
  <NonEncrypted2/>
</AlphabetiSphagetti>

and we want to always provide a signature for the non-encrypted parts, which
also can validate the encrypted components (if available in plaintext). 

In this case I think we need to add to the <SignedInfo> a reference to the
entire document with a transform to remove the encrypted elements. Do we
have to use XPATH for this? I'm not so happy with requiring such a heavy -
and optional to implement - mechanism. 

3. Text discussing this should be added to XML Encryption and /or DSIG (even
if we can put most of it in DSIG I think a short comment in XML Encrypt is
necessary). 

4. I still think adding DigestValue as optional element to EncryptedData is
simpler way to achieve this function. But as long as the functionality is
there, I'm Ok. 

Best, Amir Herzberg
Received on Sunday, 16 September 2001 11:24:01 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:02 UTC