Re: Additional EXI body field "EXIBodyEncrypted"

Hello Thomas,

Thank you for your comment on EXI encryption. The group believes that
EXI should integrate well with the family of XML technologies, and
therefore we would rather not define EXI-specific encryption or
digital signature methods but use the existing XML Encryption and
Signature specifications, applying them to EXI by using their defined
extension points.

As you note, the recommended rule is to first compress (or encode in
EXI) and then encrypt. Accomplishing this with XML Encryption requires
some additional specification work, but very little. We have already
talked with the XML Security working group on the best way to
accomplish this and believe we understand how to do it in a way that
fits into the XML Encryption specification. After this work is done,
we will publish it in one of our documents (we have not yet determined
which one).

Hope this answers your concerns.

Thomas Hornig <t.hornig@highQ.de> writes:

> To whom it may concern
>
> First of all, thank you very much for the opportunity to take part in the process of the standardization
> of Efficient XML Interchange (EXI).
>
> We are writing this on behalf of the (((eTicket-Deutschland initiative (nationwide standardized
> electronic ticketing for public transport, http://www.eticket-deutschland.de) endorsed by the government
> of the Federal Republic of Germany (BMVBS, Bundesministerium für Verkehr, Bau und Stadtentwicklung).
> The (((eTicket standard is also likely to influence the upcoming European standard for Interoperable
> Fare Management (IFM Project, http://www.ifm-project.eu).
> We have got a government R&D mandate to research a central part of the (((eTicket background
> system and we would like to propose the usage of the EXI format for certain data transmission in this
> project under certain conditions.
>
> In the (((eTicket project, large amounts of continual data structures have to be transferred between a
> significant number of actors connected to the background system (i.e. blacklist data and transaction
> data, including private data). Thus, it seems evident that we are in need of an efficient and secure data
> representation.
> The same applies to the "Interoperability Manager" of the upcoming EETS-project (European Electronic
> Toll Service).
>
> For this reason, we would like you to take into consideration to introduce the boolean field
> "EXIBodyEncrypted" to the definition of the EXI header. This field could indicate that the
> EXI body of an EXI stream is encrypted with the implication that a standard EXI parser
> should reject such data with a corresponding notification code.
>
> The encryption-parameters themselves could then be optionally described in the "user defined" section of
> the EXI header in conformance to the W3C recommendation "XML Signature and Encryption".
> In this way, it could be up to the single application itself to handle encryption of the EXI body after
> EXI encoding respectively decryption before EXI decoding and to set the proposed 
> EXIBodyEncrypted-Flag appropriately.
> By this we believe that maximum efficiency and flexibility in encryption could be achieved, while
> keeping EXI conformity at the same time.
>
> We have noticed that this point has been largely discussed, but again, in terms of efficiency it would
> open up the chance to follow the rule "first compression, then encryption" with minimum overhead and
> without the demand of another MIME-type-definition in a maybe otherwise necessary, additional
> envelope to cope with alternative, efficient XML encryption.
>
> Thank you very much in advance for taking our suggestion into account and please keep us informed
> about your considerations regarding this point.
>
> With best regards
>
> Thomas Hornig, Managing Director
> highQ Computerlösungen GmbH 
>
> Basler Straße 61 
> D-79100 Freiburg 
>
> phone: 0761 / 70 60 40
> fax: 0761 / 70 60 44 
>
> mail: t.hornig@highQ.de 
> net: www.highQ.de 
>
>
> Authorized managing directors:
> Christian Disch, Dipl.Phys.
> Thomas Hornig, Dipl.Phys.
>
> Registered office: Freiburg im Breisgau
> Register court: Amtsgericht Freiburg
> Registration number: HRB 5203
> VAT ID no.: DE 182868674
>
> ______________________________________________________________
>
> NOTICE: This message is confidential and intended only for the addressee.
> If you have received this message in error, please notify me
> by e-mail or at the telephone number given above.
>
> ATTENTION: This message contains confidential information intended only for
> the person(s) named above. If you have received this message in error, please
> notify me immediately.
> ______________________________________________________________

-- 
Jaakko Kangasharju, Helsinki University of Technology
Every analogy is faulty in exactly the places where
the presenter's argument is weakest

Received on Monday, 22 December 2008 13:26:46 UTC