RE: Attribute encryption & Blair's message

As I understood things, Blair didn't say "if you want to encrypt an
attribute, encrypt the element 
that contains it", I thought it was more along the lines of "if an existing
XML system wants to use
XML Encryption, it will need to modify schemas so that they recognize
certain XML Encryption
elements; if XML Encryption is to be introduced into a system where
attributes contain sensitive 
data, then the schema, which has to updated anyway, should put that
sensitive data in elements
rather than attributes".  
 
(Blair, please let the list know if I've misinterpreted you.)
 
But anyway, what is wrong with saying if you want to encrypt an attribute,
encrypt the element 
that contains it?  What's wrong is that the element and its contents and
other attributes may
contain information that is not sensitive and therefore does not need to be
encrypted.  By leaving
that data unencrypted, applications which need it do not need to,
unnecessarily, have access to 
decryption keys, which enhances overall security.
 
XML Encryption is important not just for what it can encrypt, but for what
it can leave unencrypted
(tm-Ed Simon ;-}).
 
If we resolve that there is a requirement to encrypt attribute values, to me
the question comes 
down to whether 
Option 1:  XML Encryption specifies a consistent, broadly applicable way of
encrypting attributes 
OR
Option 2:  individual applications design their own way of encrypting
attributes, eg. converting the
attributes to child elements and encrypting those like regular elements; XML
Encryption will
not specifically cover attributes.
 
I like option 1 because it means that any application that has access to the
decryption keying
material can reconstruct the plaintext original.
 
Outside of the argument that there is no sufficient requirement to encrypt
attribute values,
It seems to me that all the arguments raised against option 1 apply equally
to encrypt whole elements and element content as well.  If so, then one
would deduce that XML
Encryption should really only cover the definition of the <DecryptionInfo>
element.  Seriously,
if XML Encryption doesn't allow a plaintext original to be reconstructed
from its ciphertext
in a non-proprietary way, its usefulness seems very limited to me.
 
Ed
 
 -----Original Message-----
From: Thane Plambeck [mailto:tplambeck@verisign.com]
Sent: Thursday, January 11, 2001 1:48 PM
To: xml-encryption@w3.org
Subject: RE: Attribute encryption & Blair's message



What's wrong with saying if you want to encrypt an attribute, encrypt the
element
that contains it?  I'm still waiting for a good example why the additional
application complexity
of selective encryption of attributes inside elements is needed; ie, I await
an explicit
response to the questions and response on this topic
 posed in Blair Dillaway's most recent message to this list.
 
 Thane Plambeck 
tplambeck@verisign.com 
http://www.verisign.com <http://www.verisign.com/>  
650 429 5247 direct, Mt View Office 
650 321 4884 home office 
650 323 4928 home office fax 

 

Received on Thursday, 11 January 2001 15:33:20 UTC