- From: Ed Simon <ed.simon@entrust.com>
- Date: Thu, 11 Jan 2001 17:24:48 -0500
- To: "'xml-encryption@w3.org'" <xml-encryption@w3.org>
- Message-ID: <A0E1DEC54ED42F4884DD9EEA00ACE37106D0B1@sottmxs08.entrust.com>
You are right in that in my phrasing of Blair's recommendation, there is no need for attribute encryption because applications will be forced not to use attributes for sensitive data.

The difficulty is that some XML system designers find it UNacceptable to be forced not to use attributes. A response, not necessarily Blair's response, to this has been that XML system designers can then add in their own transform to convert attributes to elements and then use XML Encryption. My response to that response is "if XML Encryption doesn't allow a plaintext original to be reconstructed from its ciphertext in a non-proprietary way, its usefulness seems very limited to me". Sure, XML Encryption will allow the post-transform plaintext to be reconstructed but not the actual original plaintext.

If the WG decides that people will want to put sensitive data in attributes, and given that specifying a uniform way of encrypting attributes is possible, why not do it?

Ed

-----Original Message-----
From: Thane Plambeck [mailto:tplambeck@verisign.com]
Sent: Thursday, January 11, 2001 4:02 PM
To: 'xml-encryption@w3.org'
Subject: RE: Attribute encryption & Blair's message

If Blair's recommendation (as interpreted below) is taken, what is the need for attribute encryption, since the sensitive data will be recast into elements anyway?

Thane Plambeck
tplambeck@verisign.com
http://www.verisign.com <http://www.verisign.com/>
650 429 5247 direct, Mt View Office
650 321 4884 home office
650 323 4928 home office fax

-----Original Message-----
From: Ed Simon [mailto:ed.simon@entrust.com]
Sent: Thursday, January 11, 2001 12:30 PM
To: 'xml-encryption@w3.org'
Subject: RE: Attribute encryption & Blair's message

As I understood things, Blair didn't say "if you want to encrypt an attribute, encrypt the element that contains it", I thought it was more along the lines of "if an existing XML system wants to use XML Encryption, it will need to modify schemas so that they recognize certain XML Encryption elements; if XML Encryption is to be introduced into a system where attributes contain sensitive data, then the schema, which has to be updated anyway, should put that sensitive data in elements rather than attributes". (Blair, please let the list know if I've misinterpreted you.)

But anyway, what is wrong with saying if you want to encrypt an attribute, encrypt the element that contains it? What's wrong is that the element and its contents and other attributes may contain information that is not sensitive and therefore does not need to be encrypted. By leaving that data unencrypted, applications which need it do not need to, unnecessarily, have access to decryption keys, which enhances overall security. XML Encryption is important not just for what it can encrypt, but for what it can leave unencrypted (tm-Ed Simon ;-}).

If we resolve that there is a requirement to encrypt attribute values, to me the question comes down to whether

Option 1: XML Encryption specifies a consistent, broadly applicable way of encrypting attributes

OR

Option 2: individual applications design their own way of encrypting attributes, e.g. converting the attributes to child elements and encrypting those like regular elements; XML Encryption will not specifically cover attributes.

I like option 1 because it means that any application that has access to the decryption keying material can reconstruct the plaintext original.

Outside of the argument that there is no sufficient requirement to encrypt attribute values, it seems to me that all the arguments raised against option 1 apply equally to encrypting whole elements and element content as well. If so, then one would deduce that XML Encryption should really only cover the definition of the <DecryptionInfo> element.

Seriously, if XML Encryption doesn't allow a plaintext original to be reconstructed from its ciphertext in a non-proprietary way, its usefulness seems very limited to me.

Ed

-----Original Message-----
From: Thane Plambeck [mailto:tplambeck@verisign.com]
Sent: Thursday, January 11, 2001 1:48 PM
To: xml-encryption@w3.org
Subject: RE: Attribute encryption & Blair's message

What's wrong with saying if you want to encrypt an attribute, encrypt the element that contains it?

I'm still waiting for a good example why the additional application complexity of selective encryption of attributes inside elements is needed; i.e., I await an explicit response to the questions and response on this topic posed in Blair Dillaway's most recent message to this list.

Thane Plambeck
tplambeck@verisign.com
http://www.verisign.com <http://www.verisign.com/>
650 429 5247 direct, Mt View Office
650 321 4884 home office
650 323 4928 home office fax
Received on Thursday, 11 January 2001 17:27:51 UTC
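
The Option 2 pre-transform discussed in this thread (attributes converted to child elements before encryption), as an added example that is not part of the original messages or of any XML Encryption draft. The element and attribute names, the sample documents and the `SENSITIVE` list are constructed assumptions, and the encryption step itself is omitted because the point is what a decryptor can recover.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the same value, once as an attribute, once as a child element.
ORIGINAL_A = '<Payment currency="USD" card="CONSTRUCTED-0000" />'
ORIGINAL_B = '<Payment currency="USD"><card>CONSTRUCTED-0000</card></Payment>'
SENSITIVE = {"card"}  # assumption: the application's private list of sensitive attributes


def canonical(xml_text):
    """Parse and re-serialize so comparisons ignore incidental formatting."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")


def attrs_to_elements(xml_text, sensitive=SENSITIVE):
    """Application-specific pre-transform: move sensitive attributes into
    child elements so they can be encrypted like ordinary elements."""
    src = ET.fromstring(xml_text)
    kept = {k: v for k, v in src.attrib.items() if k not in sensitive}
    out = ET.Element(src.tag, kept)
    out.text = src.text
    for name in sorted(k for k in src.attrib if k in sensitive):
        ET.SubElement(out, name).text = src.attrib[name]
    out.extend(list(src))  # original children follow the converted attributes
    return ET.tostring(out, encoding="unicode")


def elements_to_attrs(xml_text, sensitive=SENSITIVE):
    """Inverse transform. It only works for a party that already knows the
    sensitive-name list, and it cannot tell a converted attribute from a
    child element that was present in the original document."""
    src = ET.fromstring(xml_text)
    out = ET.Element(src.tag, dict(src.attrib))
    out.text = src.text
    for child in src:
        if child.tag in sensitive and len(child) == 0 and not child.attrib:
            out.set(child.tag, child.text or "")
        else:
            out.append(child)
    return ET.tostring(out, encoding="unicode")


if __name__ == "__main__":
    post_a = attrs_to_elements(ORIGINAL_A)
    post_b = attrs_to_elements(ORIGINAL_B)
    print("post-transform plaintexts identical:", post_a == post_b)
    print("inverse of B's plaintext:", elements_to_attrs(post_b))
```

Two different originals produce the same post-transform plaintext, so a recipient holding only the decryption key recovers that plaintext but cannot determine which original it came from without the application's own transform rules.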