RE: Latest Rough Draft

Jim,

>> > > 9. There's an ambiguity in the use of KeyInfo in EncryptedData and
>> > > EncryptedKey: does the KeyInfo relate to the key used to encipher or
>> > > decipher? The description of EncryptedType says the former, which is
>> > > fine, and probably correct, but 3.4 refers to the key for decrypting.
>> > > Hopefully, just a matter of text, but possibly confusing later if
>> > > we're not careful.
>> >
>> > KeyInfo always refers to the key used for decipher.  See the note on
>> > NameKey above.
>>
>> Isn't that wrong? An X.509 cert (and other ds:KeyInfo cases) contains
>> the enciphering key in this context.
>
>I was referring to the case of KeyInfo being used in EncryptedData and
>EncryptedKey.  If you want to look at KeyInfo in a general case, it
>contains a key (or instructions on how to get a key).  Nothing is said
>about the use or type of the key contained therein.  It could be Signing,
>Decryption, Authentication, a second key for key agreement algorithms.
>KeyInfo just holds something that can be turned into a key.

I believe that X.509 certificates may be contained in the KeyInfo element
being used in the EncryptedData or EncryptedKey element.

KeyInfo is the element that contains information to obtain a key in a
context.  In the context of XML Encryption, the key is a decryption key.
Note that the key may be obtained directly or indirectly.  This means that
the KeyInfo element may contain an identifier for a decryption key itself,
an encryption key, or a key pair, depending on applications, and if an
identifier for an encryption key is contained (e.g., by using a ds:X509Data
element), a recipient has to identify the encryption key first and then
obtain the corresponding decryption key.

Thanks,
Takeshi IMAMURA
Tokyo Research Laboratory
IBM Research
imamu@jp.ibm.com

Received on Thursday, 26 April 2001 04:08:01 UTC
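The direct versus indirect resolution Takeshi describes (ds:KeyInfo naming the decryption key outright, or naming the encryption key via ds:X509Data so the recipient must map the certificate to its paired private key), shown as an added example; this is not code from the thread or from any XML Encryption implementation. It assumes the final xenc and ds namespace URIs, uses Python's standard-library ElementTree, and stands in a constructed in-memory key store (KEY_STORE) with placeholder byte strings for real key material; the sample elements are likewise constructed.

```python
"""Resolve the decryption key named by ds:KeyInfo in xenc:EncryptedKey/EncryptedData."""
import xml.etree.ElementTree as ET

# Assumed final namespaces (the 2001 drafts used working-draft URIs).
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"


def q(ns, local):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


# Constructed recipient key store (placeholder bytes, not real keys).
KEY_STORE = {
    # Direct case: ds:KeyName names the decryption key itself.
    "by_key_name": {"kek-2001-04": b"\x01" * 16},
    # Indirect case: ds:X509Data identifies the *encryption* (public) key by
    # certificate; the recipient maps it to the paired private key.
    "by_cert_subject": {"CN=Alice,O=Example": b"\x02" * 32},
}

# Constructed sample: EncryptedKey whose KeyInfo carries an X.509 subject name.
ENCRYPTED_KEY_X509 = """<xenc:EncryptedKey
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509SubjectName>CN=Alice,O=Example</ds:X509SubjectName>
    </ds:X509Data>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedKey>"""

# Constructed sample: EncryptedData whose KeyInfo names a symmetric key directly.
ENCRYPTED_DATA_KEYNAME = """<xenc:EncryptedData
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo><ds:KeyName>kek-2001-04</ds:KeyName></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""


def resolve_decryption_key(xml_text, store=KEY_STORE):
    """Return (how, key): the key that decrypts this element and how it was found.

    'how' is "direct" when KeyInfo named the decryption key, "indirect" when it
    named the encryption key (a certificate) and the paired private key was
    looked up. Raises LookupError when no usable key can be resolved.
    """
    root = ET.fromstring(xml_text)
    if root.tag not in (q(XENC, "EncryptedKey"), q(XENC, "EncryptedData")):
        raise ValueError("expected xenc:EncryptedKey or EncryptedData, got %s" % root.tag)

    key_info = root.find(q(DS, "KeyInfo"))
    if key_info is None:
        # KeyInfo is optional; the key must then be known from application context.
        raise LookupError("no ds:KeyInfo; decryption key must come from context")

    key_name = key_info.findtext(q(DS, "KeyName"))
    if key_name is not None:
        try:
            return "direct", store["by_key_name"][key_name.strip()]
        except KeyError:
            raise LookupError("unknown KeyName %r" % key_name)

    subject = key_info.findtext(q(DS, "X509Data") + "/" + q(DS, "X509SubjectName"))
    if subject is not None:
        # Real code compares distinguished names per RFC 4514 rules, not as raw
        # strings; exact match keeps this example short.
        try:
            return "indirect", store["by_cert_subject"][subject.strip()]
        except KeyError:
            raise LookupError("no private key paired with certificate %r" % subject)

    raise LookupError("unsupported KeyInfo children: %s" % [c.tag for c in key_info])


if __name__ == "__main__":
    print(resolve_decryption_key(ENCRYPTED_KEY_X509)[0])    # indirect
    print(resolve_decryption_key(ENCRYPTED_DATA_KEYNAME)[0])  # direct
```

The point the code makes is the one in the message: whatever ds:KeyInfo carries, what the recipient ends up with is the decryption key. A KeyName hands it over directly; an X509Data element only identifies the public key that was used to encrypt, and a recipient that has no private key for that certificate cannot decrypt, which the LookupError path surfaces rather than silently using the wrong key.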