Encryption Syntax and Processing note

I have found the section on Non-nesting EncryptedData and EncryptedKey (2.5)
confusing.

Regarding EncryptedData, I think it is clear that nested encryption operations
are possible, that an element containing encrypted data may be subsequently
encrypted. I think what the section says is that a subsequent encryption will
include all the element content, and thus there will always only be one
EncryptedData element, and the schema does not allow nesting of the elements.
The reason is that the ciphertext always includes enclosed EncryptedData as part
of the new ciphertext (it is all coalesced if you will).

I am having trouble understanding why nested EncryptedKey elements are not
allowed. An example is given where the key used to encrypt the first
EncryptedKey is specified in a second EncryptedKey element. Why should they not
be nested? Instead it looks like a URI pointer to another element is required,
even though it makes sense for this scenario to include one in the other.

Received on Tuesday, 27 February 2001 17:27:54 UTC
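The EncryptedData coalescing described in the message, as an added worked example (not part of the original post or of the draft): an element is encrypted, then the enclosing element is super-encrypted, and at every stage exactly one EncryptedData element is visible because the inner one lives inside the outer CipherValue. The xenc namespace and element names are assumed from the XML Encryption vocabulary; the hash-derived keystream is a stand-in for the real algorithm so the example runs with the standard library only.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"  # assumed XML Encryption namespace
ET.register_namespace("xenc", XENC)

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in for the real algorithm (e.g. AES-CBC) so this runs offline;
    # NOT a secure cipher, it exists only to show the document structure.
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt_element(elem: ET.Element, key: bytes) -> ET.Element:
    """Return the EncryptedData element that replaces elem (Type=Element):
    the whole serialization of elem, children included, becomes ciphertext."""
    enc = ET.Element(f"{{{XENC}}}EncryptedData", {"Type": XENC + "Element"})
    cd = ET.SubElement(enc, f"{{{XENC}}}CipherData")
    cv = ET.SubElement(cd, f"{{{XENC}}}CipherValue")
    cv.text = base64.b64encode(_xor_stream(key, ET.tostring(elem))).decode()
    return enc

def decrypt_element(enc: ET.Element, key: bytes) -> ET.Element:
    """Inverse of encrypt_element: recover and parse the serialized element."""
    cv = enc.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue")
    return ET.fromstring(_xor_stream(key, base64.b64decode(cv.text)))

def count_encrypted_data(root: ET.Element) -> int:
    """Number of EncryptedData elements visible in the tree rooted at root."""
    return sum(1 for _ in root.iter(f"{{{XENC}}}EncryptedData"))

def super_encrypt_demo(key_card: bytes, key_order: bytes) -> dict:
    # Constructed sample document: encrypt Card first, then the whole Order.
    order = ET.fromstring("<Order><Card>4111</Card><Note>gift</Note></Order>")
    card = order.find("Card")
    order[list(order).index(card)] = encrypt_element(card, key_card)
    after_first = count_encrypted_data(order)
    outer = encrypt_element(order, key_order)  # super-encryption
    # The inner EncryptedData only reappears once the outer one is removed.
    inner_order = decrypt_element(outer, key_order)
    inner_enc = inner_order.find(f"{{{XENC}}}EncryptedData")
    return {
        "visible_after_first": after_first,
        "visible_after_super": count_encrypted_data(outer),
        "visible_after_unwrap": count_encrypted_data(inner_order),
        "card_text": decrypt_element(inner_enc, key_card).text,
    }
```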