RE: Qn about nested encryption

This statement is about structure, not about content.  You are permitted to
take an EncryptedData element, encrypted as the content of another
EncryptedData element.  What is not allowed is to place a node labeled
EncryptedData within a node labeled EncryptedData.

Thus:
<EncryptedData>
     ......
     <EncryptedData>
     ......
     </EncryptedData>
     ....
</EncryptedData>

is disallowed, not

<EncryptedData>
  ....
  <CipherText> base64 of an encrypted EncryptedData node goes here</CipherText>
</EncryptedData>

jim
  -----Original Message-----
  From: xml-encryption-request@w3.org
[mailto:xml-encryption-request@w3.org]On Behalf Of Sanjeev Hirve
  Sent: Tuesday, January 02, 2001 8:13 AM
  To: xml-enc
  Cc: Joseph M. Reagle Jr.
  Subject: Qn about nested encryption


  With ref to the proposal "XML encryption syntax and processing" v 1.0,
dated 2000/12/15, by Dillaway et al, I have the following question.
  Section 2.5 states that "..it is not valid to nest these objects, i.e., an
Encrypted Data may not be a child of an Encrypted Data."
  I don't understand the reason behind this constraint.
  Consider the case where a document is encrypted for multiple recipients.
It is a reasonable requirement that recipient A is authorized to access an
element X and all its descendants, while recipient B is authorized to
access the same element X less some of its descendants, say element Y.
  A simple way to solve this is to first encrypt element Y with key K1, then
encrypt element X with key K2.  A has access to K1 and K2 and must decrypt
elem X and then Y.

  I think, the following memo:

http://lists.w3.org/Archives/Public/xml-encryption/2000Oct/att-0011/01-myproof-xml-encryption-position.html
  also refers to the same issue.

  regards
  SSH

Received on Wednesday, 3 January 2001 09:55:13 UTC
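
An added example, not part of the original thread: a structural check for the distinction drawn in the reply, applied to the question's scenario of encrypting Y with K1 and then X with K2. The element names EncryptedData and CipherText are taken from the message; the keys, sample documents, and the XOR transform standing in for a real cipher are assumptions made so the code runs offline.

```python
import base64
import xml.etree.ElementTree as ET
from itertools import cycle

def xor(data: bytes, key: bytes) -> bytes:
    # Placeholder transform so the example runs offline; NOT a real cipher.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def encrypt_node(xml_text: str, key: bytes) -> str:
    # Replace a serialized node with an EncryptedData carrying base64 text.
    ct = base64.b64encode(xor(xml_text.encode(), key)).decode()
    return f"<EncryptedData><CipherText>{ct}</CipherText></EncryptedData>"

def decrypt_node(enc_xml: str, key: bytes) -> str:
    ct = ET.fromstring(enc_xml).findtext("CipherText")
    return xor(base64.b64decode(ct), key).decode()

def nested_encrypted_data(xml_text: str) -> list:
    """Paths of EncryptedData nodes that sit under another EncryptedData node."""
    bad = []
    def walk(el, path, inside):
        name = el.tag.rsplit("}", 1)[-1]      # ignore any namespace prefix
        here = f"{path}/{name}"
        if name == "EncryptedData":
            if inside:
                bad.append(here)
            inside = True
        for child in el:
            walk(child, here, inside)
    walk(ET.fromstring(xml_text), "", False)
    return bad

K1, K2 = b"constructed-key-1", b"constructed-key-2"   # constructed sample keys

# Structure the reply calls disallowed (constructed sample).
DISALLOWED = ("<EncryptedData><CipherText>AAAA</CipherText>"
              "<EncryptedData><CipherText>BBBB</CipherText></EncryptedData>"
              "</EncryptedData>")

def layered():
    """Encrypt Y with K1, then X with K2; return both stages and recovered Y."""
    inner = encrypt_node("<Y>secret</Y>", K1)
    outer = encrypt_node(f"<X><a>shared</a>{inner}</X>", K2)
    x_plain = decrypt_node(outer, K2)          # holder of K2 sees X minus Y
    y_enc = ET.tostring(ET.fromstring(x_plain).find("EncryptedData"),
                        encoding="unicode")
    return outer, x_plain, decrypt_node(y_enc, K1)   # K1 holder recovers Y
```

The layered document passes the check at every stage because the inner EncryptedData only ever appears as base64 text inside CipherText, or as a child of the decrypted X, never as a node under another EncryptedData node.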