RE: proposed approach to XML encryption

I think that XML Encryption basically aims at providing a specification
for encrypting and decrypting element(s) in an XML document. Thus it should
be primitive and fundamental operations like digital signature in the sense
that
the encryption function and signature function might be called
interchangeably
from higher-level functions or applications in order to guarantee
confidentiality
property as well as integrity and non-repudiation property.

Thus my feeling is that, as a first step XML Encryption should be defined
separately
from the authorization issues (except for that are considered as a MUST.)

As for XML access control (XACL), please refer to the following URL:
http://www.trl.ibm.co.jp/projects/xml/doccont/xacl_e.htm
We will release our latest specification and implementation of the XML
Access
Control technology from IBM's alphaworks site soon.

Regards,
Michiharu Kudo
Internet Technology              TEL +81-46-215-4642
Tokyo Research Laboratory    FAX +81-46-273-7428
IBM Japan Ltd.                      Internet: kudo@jp.ibm.com


From: Ed Simon <ed.simon@entrust.com> on 2000/10/21 05:38

To:   "'Mark Scherling'" <mscherling@xcert.com>, Public XML Encryption List
      <xml-encryption@w3.org>
cc:   rnd@xcert.com (bcc: Michiharu Kudoh/Japan/IBM)
Subject:  RE: proposed approach to XML encryption




I definitely think that XML Encryption needs to be designed with
authorization in mind BUT more in the sense that XML Encryption
needs to be flexible enough to support it rather than us trying
to build authorization and access control mechanisms directly into
XML Encryption.

In other words, we must ensure that XML Encryption can be used
by authorization applications but authorization need not be
designed into XML Encryption except perhaps as one of the mechanisms
for retrieving the decryption key for a specific node.  Part of my
presentation at Lafayette will look at authorization scenarios much l
ike the one described in your document.  (I'm also particularly keen to
see XML Encryption work hand-in-hand with XSLT.)

If you could contrast and compare your work with the approaches
from the University of Milan (see
"http://lists.w3.org/Archives/Public/xml-encryption/2000Aug/0013.html")
and IBM Tokyo's XML Access Control Language (anyone got a link, I can't
seem to find a good one) that might be useful.

Regards, Ed

-----Original Message-----
From: Mark Scherling [mailto:mscherling@xcert.com]
Sent: Friday, October 20, 2000 4:10 PM
To: Public XML Encryption List
Cc: rnd@xcert.com
Subject: proposed approach to XML encryption


Attached is a proposed approach that could be used to identify and
encrypt content.  It is recognized that some content within certain
documents (i.e. medical records) must be view able by different groups
with different needs.  The problem is to identify the group, the content
they need and to ensure that access is restricted to that content is
restricted.  The proposed example includes a simple example of a medical
record with an approach using element attributes to identify different
elements that require protection from unauthorized users.  The objective
is to provide individually accessible elements to meet the needs for
diverse access requirements.

Please feel free to comment on the approach and I would be happy to
present the concept at the next working group session on November 2.

Cheers
Mark Scherling
Xcert International Inc.
(604) 640-6210 Ext. 349