Re: XMLP/XMLE Use cases and processing models

>> Questions
>> ----------
>> 1. I have anticipated that the intermediary has to know about the
>> receiver schema and must expose the "merged" schema or a schema without
>> the unencrypted credit card info to senders.  There is tight coupling
>> there, but how else would the intermediary know which messages and which
>> portions to decrypt?  Is this valid or does XMLE expect that a SOAP
>> encrypting/decrypting intermediary would not know about the receiver
>> schemas nor would it expose a "merged" schema?  This assumes the first
>> second solution in the processing requirements (3.2.2) [1].
>I'd be interested in some of the xenc implementors thoughts on this since
>they best know how they want to process the data. However, given my
>ignorance I could see a few options:
>1. The namespace is changed to indicate the change of the instance. This
>means you will have to have a namespace for every encrypted variant. This
>is probably fine for some applications (e.g., they know they only care
>about encrypting the credit-card data and nothing else so creating a new
>namespace and schema isn't very difficult.) Others may care less about
>validation and more about flexibility.
>2. One "pre-scan's" the document looking for xenc:* elements. For example,
>during parsing (e.g., XNI [1]) one could flag such instances that trigger
>subsequent action.
>3. The encryption is "baked" in to the application context. For instance,
>if you know that you'll be sending credit card data over an open network
>there needn't be choice between the credit card data in the plain and the
>encrypted form. The credit card is *always* sent encrypted and the
>recipient is always decrypted at the other end.
>4. Meta-data is used to indicate the some of the data has been encrypted.
>For instance, to make option 3 a little more flexible, one could create a
>SOAP confidentiality header that indicates a decryptor actor with
>In these options there are two issues: (1) how to know if parts of the
>document have been encrypted, (2) how to know which agent is supposed to
>the decryption.

These issues are not only ones of XML Encryption but can be ones of others.
So we should address them as generally and extensiblly as possible.  From
such a point of view, I think option 4 (e.g., [1]) looks the most


Tokyo Research Laboratory
IBM Research

Received on Tuesday, 12 February 2002 11:29:00 UTC