Re: XML Encryption strawman proposal

Just a comment on the introduction. We have 2 simple demonstrators
available for what we call sXML (s for secure). The demonstrators
use element-wise encryption, concentrating on text nodes only.
The issue we encountered was explaining to customers what they could
do with it and how sXML should be positioned with regard to other
security measures.

For that purpose we developed/wrote the following which may be of use
in the introduction:

Information security measures remain operative within defined borders.
For example, if SSL is used, a credit card number is secure only
during the transfer to a vendor's web site, as is the web page
containing it. As soon as the credit card number arrives at the web
server, SSL offers no security anymore. The reason for the breach in
security is that SSL's operation is 'bound to' communications
channels.

Our sXML technology offers more comprehensive security. sXML offers
'Information Bound Security', security that is bound to the
information which is to be secured. As long as the information exists,
the information is secure. Furthermore, sXML works at the information
level, rather than at the level of a page, form or file as a whole.

For example, on a given web page, the credit card number and the
ordering information secured by sXML are safe, whether stored on a web
server, transmitted to a vendor or processed. Furthermore, only the
bank can access the credit card number, both the bank and the merchant
can access address information, and only the merchant can access items
ordered.

(B.t.w. the difference between our 2 demonstrators is the extent to
which they really offer Information Bound Security: one, for example,
retains security measures within a page even if the decrypted web page
is e-mailed by 'file send' in IE.)

Hope this is useful.
Dick

Received on Wednesday, 23 August 2000 20:33:44 UTC