RE: XMLP/XMLE Use cases and processing models from noah_mendelsohn@us.ibm.com on 2002-02-20 (xml-encryption@w3.org from February 2002)

From: <noah_mendelsohn@us.ibm.com>
Date: Wed, 20 Feb 2002 10:43:09 -0500
To: david.orchard@bea.com
Cc: reagle@w3.org, "'www-xenc-xmlp-tf'" <www-xenc-xmlp-tf@w3.org>, "'xml-dist-app'" <xml-dist-app@w3.org>, "'xml-encryption'" <xml-encryption@w3.org>
Message-ID: <OF603C4846.8002E50B-ON85256B66.00568ABB@lotus.com>
David Orchard writes:

>> Imagine I took a SOAP document and encrypted a big chunk of it,ie:

>> <soap:envelope>
>>      <xenc:encrypteddata>...</xenc:encrypteddata>
>> </soap:envelope>.

>> Again, this is not changing the SOAP spec in any way.

I beg to differ.  The envelope you show is assuredly not legal SOAP.  I 
would recommend against anyone using this idiom.

There are of course an unbounded number of ways that one might consider 
sending a message that conveys:  "I'll tell you that this is a SOAP 
envelope, but the contents of this entire envelope are encrypted."  I 
think that's what the above is trying to convey.  I suggest that the 
example above is not a particularly good use of XML, Namespaces (it 
violates the definition of soap:envelope) or SOAP (it's surely illegal 
SOAP.)  SOAP provides mechanisms which are reasonably carefully crafted to 
achieve what you want, in a much more controlled and namespace-compatible 
manner.  I suggest we focus on those, and design MIME types accordingly. 
Thank you!

------------------------------------------------------------------
Noah Mendelsohn                              Voice: 1-617-693-4036
IBM Corporation                                Fax: 1-617-693-8676
One Rogers Street
Cambridge, MA 02142
------------------------------------------------------------------







"David Orchard" <david.orchard@bea.com>
02/20/2002 12:38 AM

 
        To:     <reagle@w3.org>, Noah Mendelsohn/Cambridge/IBM@Lotus
        cc:     "'www-xenc-xmlp-tf'" <www-xenc-xmlp-tf@w3.org>, "'xml-dist-app'" 
<xml-dist-app@w3.org>, "'xml-encryption'" <xml-encryption@w3.org>
        Subject:        RE: XMLP/XMLE Use cases and processing models


Joseph,

I'm not suggesting that XMLE try to automatically make pre-existing
applications XML Encryption aware.  I don't follow how you get that
extraordinary claim.  I'm suggesting that documents have content-type of
application/xenc+xml for documents containing XMLE where XMLE decryption
MUST be done to interpret the contents according to the namespace names
within.

Imagine I took a SOAP document and encrypted a big chunk of it,ie
<soap:envelope><xenc:encrypteddata>...</xenc:encrypteddata></soap:envelope>.
The SOAP processor knows nothing about the soap document as encryption
happened "afterwards".  When such a document was sent, decryption would be
required first.  After decryption, then a SOAP processor would know what 
to
do with it.  While this particular document is encrypted, it is NOT a SOAP
document as per the soap namespace name nor media type.

Making such a document have a media-type of application/xenc+xml ensures
that the document can be dispatched to the correct piece of software, 
which
you can't do if it has media-type application/soap.

Again, this is not changing the SOAP spec in any way.

Cheers,
Dave

> -----Original Message-----
> From: Joseph Reagle [mailto:reagle@w3.org]
> Sent: Tuesday, February 19, 2002 10:43 AM
> To: noah_mendelsohn@us.ibm.com; david.orchard@bea.com
> Cc: 'www-xenc-xmlp-tf'; 'xml-dist-app'; 'xml-encryption'
> Subject: Re: XMLP/XMLE Use cases and processing models
>
>
>
> Exactly. Applications which use to use XML Encryption or
> otherwise expect
> to have elements from other namespaces need to be savvy about
> what they
> want to do (e.g., encrypt the content of a SOAP:Header) and
> how they want
> to do it  (e.g., write a flexible, create a new namespace ,etc.)
> Applications that haven't done this might have to take some
> other steps
> which won't as easy and straightforward but it's their call.
> There's no
> solution that automatically makes all pre-existing XML
> applications XML
> encryption aware or capable in every possible scenario --
> like encryption
> the SOAP header itself.
>
> On Monday 18 February 2002 20:21, noah_mendelsohn@us.ibm.com wrote:
> > which is indeed not valid SOAP, suggesting the need for a
> new media type.
> > But... that's not how you would use SOAP IMO.  I suggest instead:
> >
> >         <SOAP:Envelope xmlns:soap="..." >
> >            <SOAP:Header>
> >                 <xenc:EncryptedData xmlns:xenc="..."
> >                             SOAP:mustUnderstand="true"
> >                             SOAP:role="decryptingIntermediary">
> >                 ...
> >                 </xenc:EncryptedData>
> >            </SOAP:Header>
> >            <SOAP:Body>
> >                 ...leave empty or put dummy element here
> >                 ...if you don't want unencrypted data
> >         </SOAP:Envelope>
>
> --
>
> Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
> W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
>
Received on Wednesday, 20 February 2002 10:57:00 UTC