Kudos and Comments on XML Encryption Requirements working draft

XML-encryption WG,

Congratulations on issuing:

XML Encryption Requirements working draft
http://www.w3.org/TR/2001/WD-xml-encryption-req-20010420

Joseph, per your request,
[[[
Please send comments to the editor <reagle@w3.org> and cc: the list 
xml-encryption@w3.org (archives)
]]]
--- http://www.w3.org/TR/2001/WD-xml-encryption-req-20010420

the following is a brief review of this document.

Caveat:

- I am not an expert in XML Encryption. My specific focus in
reviewing this is to learn more about this work, and understand better
how XML Encryption and Signatures can be leveraged to support the
"Web of Trust" construct that will be an increasingly important part
of the Semantic Web Activity.

Specific Comments:

Section 1, Item 1:

"The XML representation of the encrypted resource must be a first
class object (i.e., referenced) and represented by a distinct element
type."

and then later...

Section 1, Item 1, SubItem 1:

"Granularity of encryption is limited to an element (including
start/end tags) or element content (between the start/end tags)."

- Question/Clarification: So for clarity (perhaps only in my mind?)
every resource, and element, and element content must be uniquely
identifiable.  If so, please make explicit, if not, please clarify.

Section 2, Item 1:

"1.It must be possible to indicate the original type (i.e., XML CData,
image/gif) of the encrypted data to aid the decryptor in processing
it.  For non-XML data, existing MIME type definitions [MIME] should be
used."

- Question/Clarification: If it is possible to encrypt to the
granularity of element or element content, is the MIME type to be
assumed to be the encapsulating resource? Or can this be something
different?

Section 2, Item 3:

"3.The specification must allow super-encryption of data (i.e,,
encrypting XML in which some elements are already encrypted). {prop1,
prop2}Super-encrpted data must use the same syntax and semantics as
any other encrypted data."

- s/i.e,,/i.e.,
- s/Super-encrpted/Super-encrypted

- Question/Clarification: I'm assuming here this is akin to
RDF/Semantic Web's notion of "one person's metadata is another person's
data"?  In that one could imagine, for example, this notion of
super-encryption applying to an individual encrypting individual files
in a directory, and then someone else encrypting (perhaps even using a
different algorithm) the entire directory.  Correct?  If so, this has
interesting overlap/implications/relationships with the Semantic Web
community.

Section 2, Item 5:

"5.The specification must define a minimal set of algorithms and key
structures necessary for interoperability purposes. {Reagle}"

- I would additionally suggest including the capability of formally
extending this set of algorithms and key structures.

Section 3, Item 1:

"The WG is still working on this issue in the context of our XML
processing model and its relationship to tree and event based
parsers."

- I would include the suggestion of additional coordination with the
larger XML Activity regarding the processing model.

Section 3, Subsection 1, Item 2:

"1.When a non-XML object (i.e., external data) is encrypted, the
information necessary to aid the recipient in decrypting the object is
captured in an instance of XML."

- Question/Clarification: What does this information necessary to aid
the recipient in decrypting the object look like?  Is this a separate
metadata file?  If so, what are the minimal characteristics required
for decryption?

Section 3, Subsection 2, Item 1:

"(i.e., XML CData, image/gif)"

- s/CData/CDATA

Section 4, Item 2:

"2.The specification must specify or reference one mandatory to
implement algorithm for only the most common application scenarios. "

- Suggestion/Comment: I would suggest giving these algorithms URIs to
minimize potential ambiguity.

Section 6:

"To ensure the above requirements are adequately addressed, the XML
Encryption specification must be reviewed by a designated member of
the following communities:"

--
eric miller                              http://www.w3.org/people/em/
semantic web activity lead               mailto:em@w3.org
w3c world wide web consortium            tel:1.614.763.1100 (work-ohio)
200 technology square, ne43-350          tel:1.617.258.5714 (work-mit)
cambridge, ma 02139 usa                  fax:1.617.258.5999 (fax-mit) 

Received on Monday, 23 April 2001 12:44:58 UTC