Re: XMLP Comments to XMLE LC


>We need people from communities with their applications
>requirements/scenarios in mind to then test those requirements/scenarios
>with our specified functionality.
>If anyone has scenarios or questions in mind please join and contribute
> .

We have been looking at applying XML Encryption to the SOAP envelope.  The
following is an example of a SOAP header for XML encryption that we are
considering.  The point here is that the receiving SOAP application knows
what <xenc:EncryptedData> elements are to be decrypted.  When the
<SOAP-SEC:Encryption> element is combined with <SOAP-SEC:Signature>, the
use of the decryption transform solves the interdependency problem.  Also,
our scenario includes encrypting SOAP attachments through a "cid: ..." URI
(such as cid:image.jpg).

        <SOAP-SEC:EncryptedDataReference URI="#encrypted-body-entry"/>
      <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>

  <SOAP-ENV:Body >

We have (somewhat older versions of) draft spec and implementation in Web
Services Toolkit available from IBM alphaWorks.  See the following link.



Hiroshi Maruyama
Manager, Internet Technology, Tokyo Research Laboratory

From: Joseph Reagle <> on 2001/12/19 07:24

To:   "David Orchard" <>
cc:   <>, "'xenc'" <>,
Subject:  Re: XMLP Comments to XMLE LC

On Friday 14 December 2001 19:01, David Orchard wrote:
> Can you repost the scenarios, and I at least guarantee that I will
> respond?

My "anonymous forwarder" contribution is

I welcome comments, modifications, and other scenarios. If folks pitch in
and we get a couple scenarios with some discussion on each from folks
familiar with xenc and xp, we can pull them together into a document.

> I understand why you would consider usage scenarios optional.  But
> another perspective is that if you ask me (speaking for myself, not xmlp)
> to review a doc and I say I don't understand how it works

The XML Encryption specification should explain how XML Encryption works.
It has an Overview with simple examples/scenarios:
If it doesn't sufficiently explain how to encrypt an element or element
content then we need to improve the spec.

Protocol requirements and scenarios are best known by XP folks. (I expect
my old cypherpunk imaginings are quite far removed from what people are
doing with SOAP today!) For instance, from [1] does anyone in your
community care about an anonymous remailer type service? From your
understanding of the XP domain will people want to encrypt payloads only,
headers, both? Do people want to recursively encrypt/process encrypted SOAP
blobs? (For instance, a SOAP payload is an EncryptedData, after you decrypt
it you have a complete SOAP message again in hand with its own header and

We need people from communities with their applications
requirements/scenarios in mind to then test those requirements/scenarios
with our specified functionality.

If anyone has scenarios or questions in mind please join and contribute to: .


Joseph Reagle Jr.       
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair
W3C XML Encryption Chair

Received on Wednesday, 19 December 2001 04:32:56 UTC
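
An added example, not part of the original message or of the IBM draft: a receiver-side check that uses the header's <SOAP-SEC:EncryptedDataReference> entries to decide which <xenc:EncryptedData> elements and "cid:" attachments to decrypt, and flags references that resolve to nothing. The SOAP-SEC namespace URI, the nesting of the references under <SOAP-SEC:Encryption>, the sample envelope and the function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    # Placeholder: the page does not give the SOAP-SEC namespace URI.
    "sec": "urn:example:soap-sec-placeholder",
}

# Constructed sample envelope (assumed layout, not the draft's own example).
SAMPLE = """\
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:SOAP-SEC="urn:example:soap-sec-placeholder"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <SOAP-ENV:Header>
    <SOAP-SEC:Encryption>
      <SOAP-SEC:EncryptedDataReference URI="#encrypted-body-entry"/>
      <SOAP-SEC:EncryptedDataReference URI="cid:image.jpg"/>
      <SOAP-SEC:EncryptedDataReference URI="#missing"/>
    </SOAP-SEC:Encryption>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <xenc:EncryptedData Id="encrypted-body-entry"/>
    <xenc:EncryptedData Id="not-listed"/>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def classify_references(envelope_xml):
    """Sort header references into what the receiver decrypts or rejects."""
    # For untrusted input, parse with a hardened XML parser instead.
    root = ET.fromstring(envelope_xml)
    by_id = {e.get("Id"): e for e in root.iter("{%s}EncryptedData" % NS["xenc"])
             if e.get("Id")}
    result = {"in_message": [], "attachments": [], "dangling": [], "unreferenced": []}
    refs = root.findall("env:Header/sec:Encryption/sec:EncryptedDataReference", NS)
    for ref in refs:
        uri = ref.get("URI", "")
        if uri.startswith("cid:"):
            result["attachments"].append(uri[4:])   # MIME part, resolved elsewhere
        elif uri.startswith("#") and uri[1:] in by_id:
            result["in_message"].append(uri[1:])    # decrypt this element
        else:
            result["dangling"].append(uri)          # header names nothing present
    listed = set(result["in_message"])
    # Encrypted elements the header never announced: leave undecrypted and report.
    result["unreferenced"] = sorted(i for i in by_id if i not in listed)
    return result


if __name__ == "__main__":
    print(classify_references(SAMPLE))
```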