- From: Jim Schaad <jimsch5@home.com>
- Date: Wed, 3 Jan 2001 00:23:31 -0800
- To: "'Sanjeev Hirve'" <shirve@cyberelan.com>, "'xml-enc'" <xml-encryption@w3.org>
- Cc: "'Joseph M. Reagle Jr.'" <reagle@w3.org>
- Message-ID: <000601c0755e$7588d050$1500a8c0@soaringhawk.net>
This statement is about structure not about content. You are permitted to take an EncryptedData element, encrypted as the content of another EncryptedData element. What is not allowed is to place a node labeled EncryptedData within a node labeled EncryptedData. Thus:

    <EncryptedData>
      ......
      <EncryptedData>
        ......
      </EncryptedData>
      ....
    </EncryptedData>

is disallowed, not

    <EncryptedData>
      ....
      <CipherText> base64 of an encrypted EncryptedData node goes here</CipherText>
    </EncryptedData>

jim

-----Original Message-----
From: xml-encryption-request@w3.org [mailto:xml-encryption-request@w3.org] On Behalf Of Sanjeev Hirve
Sent: Tuesday, January 02, 2001 8:13 AM
To: xml-enc
Cc: Joseph M. Reagle Jr.
Subject: Qn about nested encryption

With ref to the proposal "XML encryption syntax and processing" v 1.0, dated 2000/12/15, by Dillaway et al, I have the following question.

Section 2.5 states that "..it is not valid to nest these objects, i.e., an Encrypted Data may not be a child of an Encrypted Data."

I don't understand the reason behind this constraint. Consider the case where a document is encrypted for multiple recipients. It is a reasonable requirement that recipient A is authorized to access an element X and all its descendants, while recipient B is authorized to access the same element X less some of its descendants, say element Y. A simple way to solve this is to first encrypt element Y with key K1, then encrypt element X with key K2. A has access to K1 and K2 and must decrypt elem X and then Y.

I think, the following memo:
http://lists.w3.org/Archives/Public/xml-encryption/2000Oct/att-0011/01-myproof-xml-encryption-position.html
also refers to the same issue.

regards
SSH
Received on Wednesday, 3 January 2001 09:55:13 UTC
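
The two-key scenario from the question, built in the permitted form described in the reply, followed by a structural check for the disallowed form. This is an added example, not code from either message or from the draft. The function names, the sample document, the keys, and the un-namespaced EncryptedData/CipherText layout are assumptions, and the XOR keystream is a stand-in for a real cipher.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

def _xor(key, data):
    # Stand-in cipher for this demo only (SHA-256 counter keystream); not real encryption.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _swap(parent, old, new):
    # Put `new` at the position `old` occupied under `parent`.
    idx = list(parent).index(old)
    parent.remove(old)
    parent.insert(idx, new)

def encrypt_element(parent, target, key):
    """Replace target with <EncryptedData><CipherText>base64</CipherText></EncryptedData>."""
    enc = ET.Element("EncryptedData")
    blob = _xor(key, ET.tostring(target))
    ET.SubElement(enc, "CipherText").text = base64.b64encode(blob).decode("ascii")
    _swap(parent, target, enc)

def decrypt_element(parent, enc, key):
    """Replace an EncryptedData node with the element recovered from its CipherText."""
    plain = ET.fromstring(_xor(key, base64.b64decode(enc.find("CipherText").text)))
    _swap(parent, enc, plain)
    return plain

def has_nested_encrypted_data(root):
    """True if an EncryptedData node contains another EncryptedData node (disallowed form)."""
    return any(d is not e for e in root.iter("EncryptedData")
               for d in e.iter("EncryptedData"))

# Constructed sample: X is for recipients A and B, Y (inside X) is for A only.
K1, K2 = b"demo-key-for-Y", b"demo-key-for-X"

def build_super_encrypted():
    doc = ET.fromstring("<Doc><X><Public>for A and B</Public><Y>for A only</Y></X></Doc>")
    x = doc.find("X")
    encrypt_element(x, x.find("Y"), K1)   # inner: Y under K1
    encrypt_element(doc, x, K2)           # outer: X, already holding encrypted Y, under K2
    return doc

if __name__ == "__main__":
    doc = build_super_encrypted()
    print("nested node in wire form:", has_nested_encrypted_data(doc))
    x = decrypt_element(doc, doc.find("EncryptedData"), K2)  # A and B both hold K2
    print("B sees:", [child.tag for child in x])
    y = decrypt_element(x, x.find("EncryptedData"), K1)      # only A holds K1
    print("A also sees:", y.text)
```

At no stage does an EncryptedData node sit inside another one: the inner node exists only as ciphertext until the outer layer is removed, which is the distinction the reply draws.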