- From: Ed Simon <ed.simon@entrust.com>
- Date: Wed, 23 Aug 2000 22:38:55 -0400
- To: "'Fikkert, Dick W.'" <Fikkert@fel.tno.nl>, xml-encryption@w3.org
Dick,

Would you be able to post an example of what your encrypted XML looks like? It would be useful to see both the plaintext and the protected version. I'm trying to get an idea of whether the current strawman accommodates your application.

Ed

-----Original Message-----
From: Fikkert, Dick W. [mailto:Fikkert@fel.tno.nl]
Sent: Wednesday, August 23, 2000 8:28 PM
To: xml-encryption@w3.org
Subject: Re: XML Encryption strawman proposal

Just a comment on the introduction.

We have 2 simple demonstrators available for what we did call sXML (s for secure). The demonstrators use element(s) wise encryption, concentrating on text nodes only. The issue we encountered was explaining to customers what they could do with it and how sXML should be positioned with regard to other security measures. For that purpose we developed/wrote the following which may be of use in the introduction:

Information security measures remain operative within defined borders. For example, if SSL is used, a credit card number is secure only during the transfer to a vendor's web site, as is the web page containing it. As soon as the credit card number arrives at the web server, SSL offers no security anymore. The reason for the breach in security is because SSL's operation is 'bound to' communications channels.

Our sXML technology offers a more comprehensive security. sXML offers 'Information Bound Security', security that is bound to the information which is to be secured. As long as the information exists, the information is secure. Furthermore sXML works at the information level, rather than at a page, form or file as a whole. For example, on a given web page, the credit card number and the ordering information secured by sXML are safe, whether stored on a web server, transmitted to a vendor or processed. Furthermore, only the bank can access the credit card number, both the bank and the merchant can access address information, and only the merchant can access items ordered.

(B.t.w. the difference between our 2 demonstrators is the extent to which they really offer Information Bound Security: One for example retains security measures within a page even if the decrypted web page is e-mailed by 'file send' in IE)

Hope this is useful.

Dick

Received on Wednesday, 23 August 2000 22:43:42 UTC