- From: Taki Kamiya <tkamiya@us.fujitsu.com>
- Date: Wed, 19 May 2010 15:14:06 -0700
- To: "'Frederick Hirsch'" <frederick.hirsch@nokia.com>, <public-xmlsec@w3.org>
- Cc: <public-exi@w3.org>, <john.schneider@agiledelta.com>
Dear Frederick and XMLSEC members, Thank you for having heralded us of the upcoming release of drafts, which allowed us to initiate the review in a timely fashion. Please find below is our initial set of comments and questions regarding the XML Encryption working draft [1]. We may have additional comments and questions, and will send them out in separate emails when we have any and they become ready. Best regards, Taki Kamiya for the EXI Working Group ------ Section 2.1.4 "Encrypting Arbitrary Data and XML Documents" defines a way to encrypt a document as a whole, and shows an example that demonstrates the ability to encode a whole XML document. A natural corollary would be encrypting the whole EXI stream, with MimeType="application/exi", which may not necessarily be stated there, however, I would like to confirm that such use of EXI within EncryptedData is both legal and within the expectation of the WG. Section 4.2 "Well-known Type parameter values" defines a reserved value for EXI. It also states that: "Encryptors and Decryptors should handle unknown or empty Type attribute values as a signal that the cleartext is to be handled as an opaque octet-stream, whose specific processing is up to the invoking application. In this case, the Type, MimeType and Encoding parameters should be treated as opaque data whose appropriate processing is up to the application." It is not clear to me what is expected of a processor that does not implement EXI have encountered Type value of "http://www.w3.org/2009/xmlenc11#EXI". Since the value "http://www.w3.org/2009/xmlenc11#EXI" is well-known, the quoted paragraph does not seem to apply to the value. When I think that the encryption of EXI stream as a whole is covered by section 2.1.4, I start to wonder what the mention of EXI in section 4.2 would add beyond that in terms of function. It appears as though the two mechanisms are functionally same with regards to how they relate to EXI, since both provide ways to encrypt and contain EXI streams within XML. [1] http://www.w3.org/TR/2010/WD-xmlenc-core1-20100513/ -taki -----Original Message----- From: Frederick Hirsch [mailto:frederick.hirsch@nokia.com] Sent: Monday, May 03, 2010 10:26 AM To: john.schneider@agiledelta.com Schneider; Taki Kamiya Cc: Frederick Hirsch; msc@mitre.org Cokus; Carine Bournez; public-exi@w3.org; public-xmlsec@w3.org Public List; ext Thomas Roessler Subject: Planning for EXI review of XML Encryption 1.1 Last Call John, Taki The XML Security WG anticipates bringing XML Encryption 1.1 [1] and Generic Hybrid Ciphers [2] to Last Call in the near future, as well as having a short Last Call for an added feature to XML Signature 1.1 [3]. EXI is specifically mentioned in XML Encryption 1.1 in Section 3.1 "The EncryptedType Element", 4.1 "Intended Application Model", 4.2 "Well-known Type parameter values" and in the References. We would like EXI review of the drafts, in particular the material related to EXI. Would a 4 week Last Call period be sufficient, say starting on 13 May and running until 10 June? Thanks regards, Frederick Frederick Hirsch Nokia [1] <http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.htm> [2] <http://www.w3.org/2008/xmlsec/Drafts/generic-hybrid-ciphers/Overview.html > [3] KeyInfoReference, section 4.5.10 <http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.htm#sec-KeyInfoReference >
Received on Wednesday, 19 May 2010 22:22:55 UTC