- From: Mark Scherling <mscherling@xcert.com>
- Date: Mon, 23 Oct 2000 16:24:14 -0700
- To: Public XML Encryption List <xml-encryption@w3.org>
With reference to XML Encryption, access control should be viewed from two aspects:

1) Location or document access (coarse control) - where the user is granted access to the document using a standard method of ACL (password or PKI certificate). As an example, document management systems such as Open Text, Documentum and PCDocs provide this type of access control.

2) Element access (fine control) - where access to specific content within a document is controlled.

For XML Encryption I believe that the second aspect must be addressed to ensure an understanding of how XML Encryption will be linked to access control. I also believe that access control should be separate from XML, because if access requirements change you would then have to change all XML documents that have access controls embedded. That would be a major mistake in designing XML Encryption or access control for XML.

For my approach the key point being presented is the use of element attributes, instead of elements, as a means of identifying elements that require encryption (Element Attribute Encryption Classification). This approach allows for a much higher granularity and preserves the integrity of the elements within the structure. What you use to identify the "encryption" attribute could be one of the components of the XML Encryption working group. I used class (classification) in my example based on my background working in security with government and private industry. The use of a special "encryption" attribute would allow for the identification of an encrypted element but, more important, will allow organizations to adapt their current security classification systems to XML.
As an example, if I have a current security classification system that has four levels I can specify that within my XML document such as:

- title classification="public"
- section1 classification="confidential"
- section2 classification="sensitive"
- section3 classification="executive only"

The objective is not to specify a classification scheme but to provide flexibility in allowing organizations to use their current security classification scheme within the context of their information security requirements when migrating to XML. The approach should allow you to display document content to those who need to know, as in a medical record where there are different components and different needs. This way you manage one document but satisfy multiple access requirements.

This does not directly address access requirements but provides a method of dealing with them in XML Encryption to solve two key issues:

1) granularity - Element Attribute Encryption Classification can have "n" levels of security classification, where "n" = current/future security classification levels of any organization.

2) individually accessible elements - Element Attribute Encryption Classification can define multiple encryption levels within a single XML document.

For XML Encryption the approach should consider the following assumptions:

1) you will need to parse the content at some point prior to sending/presenting it to the user;

2) an authorization mechanism must be used to identify authorized users, their access rights and what content they are allowed to see;

3) an encryption mechanism must be used to protect the content.

In the Digital Signature model the signatory has control over document creation. The signatory decides when and if they will sign. In the XML Encryption model the user does not have control over document creation. The user is requesting information (a document or documents).
There needs to be some means of:

- identifying that user,
- verifying the access rights,
- providing a means to identify the content that needs protection, and
- a protection mechanism (encryption) so the identified user can gain access to the information but no one else can.

For XML Encryption you still need a mechanism to identify the user such that the encrypted content can be decrypted. In PKI, the user's public key would encrypt the specified element and the user's private key would decrypt it. The question is: how do you identify a user such that the XML document element could be encrypted for that user without using some form of ACL?
Received on Monday, 23 October 2000 19:24:43 UTC
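The classification-attribute scheme proposed in the message above, worked through as an added example; this is not code from the message, the list, or the XML Encryption working group. It assumes a policy kept outside the document (an ordered table of labels, LEVELS, and one content key per label, KEYS), a constructed sample record, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for the block-cipher algorithms that XML Encryption actually specifies. The document itself carries only the classification attribute; who may read which label is decided entirely by the policy handed to reveal(), so changing access rights never touches the XML.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Policy kept OUTSIDE the document (assumption for this example): an ordered set of
# classification labels and one content-encryption key per label. Keys are derived
# from a fixed string only so the example is reproducible; in practice they come
# from a key-management or PKI layer and are wrapped for each authorised recipient.
LEVELS = {"public": 0, "confidential": 1, "sensitive": 2, "executive only": 3}
KEYS = {label: hashlib.sha256(b"demo-key:" + label.encode()).digest() for label in LEVELS}

# Constructed sample document; only the classification attributes tie it to the policy.
DOC = """<record>
  <title classification="public">Patient summary</title>
  <section1 classification="confidential">Allergies: penicillin</section1>
  <section2 classification="sensitive">Diagnosis: <code>F41.1</code></section2>
  <section3 classification="executive only">Billing dispute notes</section3>
</record>"""


def _keystream(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for AES-CTR)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = _keystream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag before decrypting; a tampered element is rejected, not shown."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _keystream(key, nonce, ct)


def protect(xml_text, keys):
    """Encrypt the content of every element labelled above 'public', keeping the
    element and its classification attribute in place (structure is preserved)."""
    root = ET.fromstring(xml_text)
    for el in list(root.iter()):
        label = el.get("classification")
        if label in (None, "public"):
            continue
        wrapper = ET.Element("w")          # serialise text + children as one XML fragment
        wrapper.text = el.text
        wrapper.extend(list(el))
        for child in list(el):
            el.remove(child)
        el.text = None
        ET.SubElement(el, "EncryptedData").text = base64.b64encode(
            seal(keys[label], ET.tostring(wrapper))).decode()
    return ET.tostring(root, encoding="unicode")


def reveal(protected_text, clearance, keys):
    """Decrypt only the elements the user's clearance AND key set allow; the rest
    stay sealed, so one document serves readers with different rights."""
    root = ET.fromstring(protected_text)
    for el in list(root.iter()):
        label, enc = el.get("classification"), el.find("EncryptedData")
        if enc is None or label is None:
            continue
        if LEVELS[label] > LEVELS[clearance] or label not in keys:
            continue
        wrapper = ET.fromstring(unseal(keys[label], base64.b64decode(enc.text)))
        el.remove(enc)
        el.text = wrapper.text
        el.extend(list(wrapper))
    return ET.tostring(root, encoding="unicode")


def visible_sections(protected_text, clearance, keys):
    """Tags of top-level elements whose plaintext the user can read after reveal()."""
    root = ET.fromstring(reveal(protected_text, clearance, keys))
    return [el.tag for el in root if el.find("EncryptedData") is None]


if __name__ == "__main__":
    sealed = protect(DOC, KEYS)
    for who in ("public", "confidential", "sensitive", "executive only"):
        print(who, "->", visible_sections(sealed, who, KEYS))
```

Two design points worth noting. First, a user is gated twice: by clearance level and by actually holding the key for that label, which is how a recipient with a high clearance but only some wrapped keys still sees only the elements they were issued keys for. Second, the ciphertext is authenticated, so an element whose ciphertext has been altered in transit is refused rather than rendered as garbage.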