Re: R: R: proposed approach to XML encryption

At 02:06 10/24/2000 +0200, Ernesto Damiani wrote:
>Looking at the agenda of the encryption workshop I feel confirmed in
>the opinion that there is quite a lot of interaction between XML access
>control and encryption requirements..

Ernesto,

It appears that any future _encryption_ activity would be well served by 
clearly distinguishing between encryption (how to encrypt a node), 
authentication (verification of the identity of a person or process), and 
authorization (permissions) [1] from the out start.

[1] http://www.ietf.org/rfc/rfc2828.txt
$ encrypt (I) Cryptographically transform data to produce ciphertext.
$ authenticate (I) Verify (i.e., establish the truth of) an identity claimed 
by or for a system entity. (See: authentication.)
$ authorization (1.) An "authorization" is a right or a permission that is 
granted to a system entity to access a system resource.

>Unfortunately, it seems to be a bit late for us to start planning to attend
>the workshop ( just to listen :-) ).. Anyway, I'll be looking forward to
>reading the papers ..

You were correct in your reading of the Workshop call, authorization is not 
in scope [2]. So I don't think you'll miss anything on that front. However, 
we'll take a some time to understand these differences, and if there's any 
special requirements we need to account for. Regardless, I expect given all 
the interest in authentication and authorization that whatever encryption 
does, it will be watched closely and will support/enable/co-exist with such 
systems.

[2] http://www.w3.org/2000/09/XML-Encryption-Workshop.html
Related topics that are not part of XML Encryption (though they may provide 
requirements as an application) are:
·       XML Access Control Policies: specifying policies and mechanisms 
beside encryption that control access to XML content.


__
Joseph Reagle Jr.
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/People/Reagle/