Rewrite of Encryption, 5.6, first paragraph (ISSUE-99; ACTION-292)

Current text:

> Symmetric Key Wrap algorithms are shared secret key encryption  
> algorithms especially specified for encrypting and decrypting  
> symmetric keys. Their identifiers appear as Algorithm attribute  
> values to EncryptionMethod elements that are children of  
> EncryptedKey which is in turn a child of ds:KeyInfo which is in turn  
> a child of EncryptedData or another EncryptedKey. The type of the  
> key being wrapped is indicated by the Algorithm attribute  
> of EncryptionMethod child of the parent of the ds:KeyInfo grandparent  
> of the EncryptionMethod specifying the symmetric key wrap algorithm.

First, here's how I read this:

	<EncryptedData|EncryptedKey>
		<EncryptionMethod Algorithm="@alg1"/>
		<ds:KeyInfo>
			<EncryptedKey>
				<EncryptionMethod Algorithm="@alg2"/>

@alg1 is the algorithm for which the encrypted key is used.  @alg2 is  
the algorithm that's used to encrypt the key.  If this reading of the  
text is wrong, then scream right now, because what follows will be  
wrong.


Proposed replacement:

> Symmetric Key Wrap algorithms are shared secret key encryption  
> algorithms especially specified for encrypting and decrypting  
> symmetric keys.  When wrapped keys are used, then an EncryptedKey  
> element will appear as a child of a ds:KeyInfo element.  This  
> EncryptedKey element will have an EncryptionMethod child whose  
> Algorithm attribute in turn identifies the key wrap algorithm.
>
> The algorithm for which the encrypted key is intended depends on the  
> context of the ds:KeyInfo element:  ds:KeyInfo can occur as a child  
> of either an EncryptedData or EncryptedKey element; in both cases,  
> ds:KeyInfo will have an EncryptionMethod sibling that identifies the  
> algorithm.
>
> Example:
>
> ...

--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 20 May 2009 11:14:48 UTC
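The @alg1/@alg2 relationship sketched in the mail, as an added example that is not part of the message or of the XML Encryption specification: a small resolver that pairs each EncryptedKey's wrap algorithm with the algorithm of the EncryptedData or EncryptedKey whose ds:KeyInfo carries it, including the nested case. The sample document and its CipherValue contents are constructed.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

def q(ns, local):
    """Clark-notation tag name for namespace-aware matching."""
    return "{%s}%s" % (ns, local)

# Constructed sample: EncryptedData whose AES-128-CBC content key is wrapped
# (kw-aes128) by an EncryptedKey; that KEK is itself wrapped by a nested
# EncryptedKey using kw-aes256. CipherValue contents are placeholders.
SAMPLE = """<xenc:EncryptedData xmlns:xenc="%s" xmlns:ds="%s">
  <xenc:EncryptionMethod Algorithm="%saes128-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="%skw-aes128"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="%skw-aes256"/>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>CCCC</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>""" % (XENC, DS, XENC, XENC, XENC)

def resolve_wrapped_keys(xml_text):
    """Return (wrap_algorithm, intended_algorithm) per EncryptedKey in document
    order. intended_algorithm is the Algorithm of the EncryptionMethod sibling
    of the ds:KeyInfo holding the EncryptedKey (@alg1 in the mail); None when
    the EncryptedKey has no such context, e.g. a stand-alone EncryptedKey."""
    root = ET.fromstring(xml_text)   # prefer defusedxml for untrusted input
    parent = {child: elem for elem in root.iter() for child in elem}
    pairs = []
    for ek in root.iter(q(XENC, "EncryptedKey")):
        wrap = ek.find(q(XENC, "EncryptionMethod"))   # @alg2: the wrap algorithm
        if wrap is None or not wrap.get("Algorithm"):
            raise ValueError("EncryptedKey without EncryptionMethod/@Algorithm")
        keyinfo = parent.get(ek)
        consumer = parent.get(keyinfo) if keyinfo is not None else None
        intended = None
        if (keyinfo is not None and keyinfo.tag == q(DS, "KeyInfo")
                and consumer is not None
                and consumer.tag in (q(XENC, "EncryptedData"), q(XENC, "EncryptedKey"))):
            target = consumer.find(q(XENC, "EncryptionMethod"))   # @alg1
            intended = target.get("Algorithm") if target is not None else None
        pairs.append((wrap.get("Algorithm"), intended))
    return pairs
```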