
RE: Qn about nested encryption

From: Jim Schaad <jimsch5@home.com>
Date: Wed, 3 Jan 2001 00:23:31 -0800
To: "'Sanjeev Hirve'" <shirve@cyberelan.com>, "'xml-enc'" <xml-encryption@w3.org>
Cc: "'Joseph M. Reagle Jr.'" <reagle@w3.org>
Message-ID: <000601c0755e$7588d050$1500a8c0@soaringhawk.net>
This statement is about structure not about content.  You are permitted to
take an EncryptedData element, encrypted as the content of another
EncryptedData element.  What is not allowed is to place a node labeled
EncryptedData within a node labeled EncryptedData.


is disallowed not

  <CipherText> base64 of an encrypted EncryptedData node goes

  -----Original Message-----
  From: xml-encryption-request@w3.org
[mailto:xml-encryption-request@w3.org]On Behalf Of Sanjeev Hirve
  Sent: Tuesday, January 02, 2001 8:13 AM
  To: xml-enc
  Cc: Joseph M. Reagle Jr.
  Subject: Qn about nested encryption

  With ref to the proposal "XML encryption syntax and processing" v 1.0,
dated 2000/12/15, by Dillaway et al, I have the following question.
  Section 2.5 states that "..it is not valid to nest these objects, i.e., an
Encrypted Data may not be a child of an Encrypted Data."
  I don't understand the reason behind this constraint.
  Consider the case where a document is encrypted for multiple recipients.
It is a reasonable requirement that recipient A is authorized to access an
element X and all its descendants, while recipient B may be authorized to
access the same element X less some of its descendants, say element Y.
  A simple way to solve this is to first encrypt element Y with key K1, then
encrypt element X with key K2.  A has access to K1 and K2 and must decrypt
elem X and then Y.

  I think the following memo:

  also refers to the same issue.
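The two layouts Jim distinguishes, and Sanjeev's two-recipient scenario, as an added example that is not part of the thread or of the XML Encryption draft it discusses. Element Y is encrypted with K1, then element X (which now contains an EncryptedData) is encrypted with K2, so the inner EncryptedData travels inside the outer CipherText rather than as its child. The element names EncryptedData and CipherText follow the draft as quoted above; KeyName is an assumed key hint, and the cipher is a constructed HMAC-SHA256 keystream standing in for the AES algorithms the specification actually uses, since the structure rather than the cipher is the point.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys derived from one shared key (constructed scheme).
    return hashlib.sha256(label + key).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256: a stand-in for the AES
    # algorithms XML Encryption specifies. The XML nesting, not this cipher, is the point.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    body = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(_subkey(key, b"enc"), nonce, body)


def encrypt_element(elem: ET.Element, key: bytes, key_name: str) -> ET.Element:
    """Serialize elem, encrypt the bytes, and return an EncryptedData whose
    CipherText carries the base64 ciphertext. KeyName is an assumed key hint."""
    enc = ET.Element("EncryptedData")
    ET.SubElement(enc, "KeyName").text = key_name
    blob = _seal(key, ET.tostring(elem, encoding="utf-8"))
    ET.SubElement(enc, "CipherText").text = base64.b64encode(blob).decode("ascii")
    return enc


def decrypt_element(enc: ET.Element, key: bytes) -> ET.Element:
    blob = base64.b64decode(enc.find("CipherText").text)
    return ET.fromstring(_open(key, blob))


def _replace_child(parent: ET.Element, old: ET.Element, new: ET.Element) -> None:
    idx = list(parent).index(old)
    parent.remove(old)
    parent.insert(idx, new)


def build_document() -> ET.Element:
    # Constructed sample: X holds Y (for A only) and Z (for both recipients).
    return ET.fromstring("<Doc><X><Y>for A only</Y><Z>for A and B</Z></X></Doc>")


def super_encrypt(doc: ET.Element, k1: bytes, k2: bytes) -> ET.Element:
    """Encrypt Y with K1 first, then X (now containing an EncryptedData) with K2.
    The inner EncryptedData ends up inside the outer CipherText, not as its child."""
    x = doc.find("X")
    y = x.find("Y")
    _replace_child(x, y, encrypt_element(y, k1, "K1"))
    _replace_child(doc, x, encrypt_element(x, k2, "K2"))
    return doc


def recipient_b_view(doc: ET.Element, k2: bytes) -> ET.Element:
    # B holds only K2: X becomes readable, Y stays an opaque EncryptedData.
    return decrypt_element(doc.find("EncryptedData"), k2)


def recipient_a_view(doc: ET.Element, k1: bytes, k2: bytes) -> ET.Element:
    # A holds K1 and K2: decrypt X, then the EncryptedData standing in for Y.
    x = recipient_b_view(doc, k2)
    inner = x.find("EncryptedData")
    _replace_child(x, inner, decrypt_element(inner, k1))
    return x


def nested_encrypted_data_count(elem: ET.Element) -> int:
    """Structural check for what the draft forbids: an EncryptedData node
    with another EncryptedData node as a direct child."""
    return sum(1 for e in elem.iter("EncryptedData") if e.find("EncryptedData") is not None)


def forbidden_layout() -> ET.Element:
    # The layout the draft rules out, built by hand so the check above can flag it.
    outer = ET.Element("EncryptedData")
    ET.SubElement(outer, "EncryptedData")
    return outer
```

After `super_encrypt`, `nested_encrypted_data_count` reports zero because the only EncryptedData node in the tree has KeyName and CipherText children; the K1-encrypted Y is visible as a node only once the outer ciphertext has been decrypted with K2. Recipient B, holding only K2, sees X with Z in the clear and Y still opaque; recipient A, holding both keys, unwraps the outer layer first and then the inner one, which is exactly the decryption order the question describes.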

Received on Wednesday, 3 January 2001 09:55:13 UTC
