- From: Joseph Reagle <reagle@w3.org>
- Date: Wed, 6 Feb 2002 11:57:42 -0500
- To: "David Orchard" <david.orchard@bea.com>, "'xenc'" <xml-encryption@w3.org>, <www-xenc-xmlp-tf@w3.org>, <xml-dist-app@w3.org>
- Cc: <maruyama@jp.ibm.com>, <imamu@jp.ibm.com>
Hi David, thank you very much for this! On Wednesday 06 February 2002 00:07, David Orchard wrote: > Use case #1: SOAP decrypting intermediary > The steps that the soap decrypting node might go through - assuming that > every step passes validation - are: > 1. Receive the message. > 2. Validate the message with the encrypted content. > 3. Decrypt the encrypted content. > 4. Forward the message to the ultimate receiver. For my own info, since the SOAP spec doesn't permit schema validation to be "imposed" on any SOAP node, do you think schema validation will be an integral part of SOAP processing in the near term? > Questions > ---------- > 1. I have anticipated that the intermediary has to know about the > receiver schema and must expose the "merged" schema or a schema without > the unencrypted credit card info to senders. There is tight coupling > there, but how else would the intermediary know which messages and which > portions to decrypt? Is this valid or does XMLE expect that a SOAP > encrypting/decrypting intermediary would not know about the receiver > schemas nor would it expose a "merged" schema? This assumes the first or > second solution in the processing requirements (3.2.2) [1]. I'd be interested in some of the xenc implementors thoughts on this since they best know how they want to process the data. However, given my ignorance I could see a few options: 1. The namespace is changed to indicate the change of the instance. This means you will have to have a namespace for every encrypted variant. This is probably fine for some applications (e.g., they know they only care about encrypting the credit-card data and nothing else so creating a new namespace and schema isn't very difficult.) Others may care less about validation and more about flexibility. 2. One "pre-scan's" the document looking for xenc:* elements. For example, during parsing (e.g., XNI [1]) one could flag such instances that trigger subsequent action. 3. The encryption is "baked" in to the application context. For instance, if you know that you'll be sending credit card data over an open network there needn't be choice between the credit card data in the plain and the encrypted form. The credit card is *always* sent encrypted and the recipient is always decrypted at the other end. 4. Meta-data is used to indicate the some of the data has been encrypted. For instance, to make option 3 a little more flexible, one could create a SOAP confidentiality header that indicates a decryptor actor with mustUnderstand="1". In these options there are two issues: (1) how to know if parts of the document have been encrypted, (2) how to know which agent is supposed to do the decryption. [1] http://xml.apache.org/xerces2-j/xni.html > 2. Should the encrypted message use the same namespace name as the > unencrypted message IF the schema does not allow the encrypted content? > I tend to think no, as URIs in namespace names tend to include versions > and be very specific. That means that there should be different > namespace names for the encrypted versus unencrypted content. In the > processing requirements, 3.2.1, there is no mention of whether > preserving the original definitions namespace name should or should not > be done. This is an option, however I think changing the namespace (knowing what the new namespace would be) would have to be done by the app: it knows what the new namespace would be. In xenc we have specified that the xmlenc application in its "decryptor" role SHOULD support the ability to replace the EncryptedData with its decrypted form (the application MUST support this) in the original document but at this level we are only doing XML 1.0 character replacement. The WG has been insistent that it's not up to the encryption application to do validation [2], nor any other Infoset cleanup -- in fact xenc doesn't address Infoset at all. xenc is [XML 1.0] based. [2] http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/Overview.html#sec-Processing-Decryption 4.3. The decryptor SHOULD support the ability to replace the EncryptedData element with the decrypted 'element' or element 'content' represented by the UTF-8 encoded characters. The decryptor is NOT REQUIRED to perform validation on the result of this replacement operation. The application supplies the XML document context and identifies the EncryptedData element being replaced. If the document into which the replacement is occurring is not UTF-8, the decryptor MUST transcode the UTF-8 encoded characters into the target encoding. However, this could pose problems for [3], that permits one to use xmldsig and xenc together such that you can create a signature that says, "in order to validate me decrypt all xenc:EncryptedData's except these {foo,...}." We haven't specified a way to say, "in order to validate me decrypt the xenc:EncrpytedData's first and also change my namespace." Also, if I have multiple encryptions in a compound document, there'd potentially a whole history of namespace I'd have to roll-back as I do the processing. [3] http://www.w3.org/Encryption/2001/Drafts/xmlenc-decrypt.html > 4. Given the first solution in the processing requirements 3.2.2, a > problem emerges. The first recipient REQUIRES the encryption to be in > force, and that the second recipient REQUIRES the credit card. Yet the > schema allows both. Could the XMLE give guidance on when to use the > first solution versus the second solution (separate schemas)? Maybe this > is one area where an XMLP/XMLE liaison could give guidance, ie "when > using intermediaries and multiple validation phases, provide 2 separate > schemas" As I indicated in my option 3 above, *if* one was changing the namespace and creating a new schema, I'd prefer that there be two namespaces with two schemas instead of a single scheme that permits a choice between the plaintextform and encrypted form. 1. Two namespaces/schemas are unambiguous, this helps indicate what processing is expected. 2. If the structure of the data itself is important, one can keep the plaintext form of the schema in a secure zone of processing. > 2.1 - the Name/ should be /Name. Thanks, fixed in: http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/ $Revision: 1.128 $ on $Date: 2002/02/06 16:21:05 $ -- Joseph Reagle Jr. http://www.w3.org/People/Reagle/ W3C Policy Analyst mailto:reagle@w3.org IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature/ W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Wednesday, 6 February 2002 11:58:04 UTC