- From: Blair Dillaway <blaird@microsoft.com>
- Date: Thu, 11 Jan 2001 14:39:53 -0800
- To: "'Thane Plambeck'" <tplambeck@verisign.com>, "'xml-encryption@w3.org'" <xml-encryption@w3.org>
- Message-ID: <AA19CFCE90F52E4B942B27D4234963790120AFA7@red-msg-01.redmond.corp.microsoft.com>
Thane's comment is pretty much in line with my thinking. I remain unconvinced that there is sufficient value in encrypting only attribute values, while trying to maintain some similarity to the original schema. I simply don't buy the argument that recipients of such encrypted docs can do meaningful and robust interpretation of the containing elements while ignoring the cipher text and encryption information. If the recipient only understands the original schema, then the encrypted document in invalid. On what basis should they decide to ignore improperly encoded and/or extraneous data within an element? Simply ignoring everything you don't understand in an element, while assuming the rest is something you do understand, seems incredibly brittle and error prone. Robust processing of encrypted docs implies knowledge of the schema against which the encrypted document is valid. Hence, moving sensitve attribute info into child elements for those few apps that only want the attribute encrypted, doesn't seem that onerous to me. Especially if it signficantly simplifies building encryption/decryption processors. BTW, I am still open to changing my mind on this if we can identify applications where the value of attribute only encryption justifies the complexity. -----Original Message----- From: Thane Plambeck [mailto:tplambeck@verisign.com] Sent: Thursday, January 11, 2001 1:02 PM To: 'xml-encryption@w3.org' Subject: RE: Attribute encryption & Blair's message If Blair's recommendation (as interpreted below) is taken, what is the need for attribute encryption, since the sensitive data will be recast into elements anyway? Thane Plambeck tplambeck@verisign.com http://www.verisign.com <http://www.verisign.com/> 650 429 5247 direct, Mt View Office 650 321 4884 home office 650 323 4928 home office fax -----Original Message----- From: Ed Simon [mailto:ed.simon@entrust.com] Sent: Thursday, January 11, 2001 12:30 PM To: 'xml-encryption@w3.org' Subject: RE: Attribute encryption & Blair's message As I understood things, Blair didn't say "if you want to encrypt an attribute, encrypt the element that contains it", I thought it was more along the lines of "if an existing XML system wants to use XML Encryption, it will need to modify schemas so that they recognize certain XML Encryption elements; if XML Encryption is to be introduced into a system where attributes contain sensitive data, then the schema, which has to updated anyway, should put that sensitive data in elements rather than attributes". (Blair, please let the list know if I've misinterpreted you.) But anyway, what is wrong with saying if you want to encrypt an attribute, encrypt the element that contains it? What's wrong is that the element and its contents and other attributes may contain information that is not sensitive and therefore does not need to be encrypted. By leaving that data unencrypted, applications which need it do not need to, unnecessarily, have access to decryption keys, which enhances overall security. XML Encryption is important not just for what it can encrypt, but for what it can leave unencrypted (tm-Ed Simon ;-}). If we resolve that there is a requirement to encrypt attribute values, to me the question comes down to whether Option 1: XML Encryption specifies a consistent, broadly applicable way of encrypting attributes OR Option 2: individual applications design their own way of encrypting attributes, eg. converting the attributes to child elements and encrypting those like regular elements; XML Encryption will not specifically cover attributes. I like option 1 because it means that any application that has access to the decryption keying material can reconstruct the plaintext original. Outside of the argument that there is no sufficient requirement to encrypt attribute values, It seems to me that all the arguments raised against option 1 apply equally to encrypt whole elements and element content as well. If so, then one would deduce that XML Encryption should really only cover the definition of the <DecryptionInfo> element. Seriously, if XML Encryption doesn't allow a plaintext original to be reconstructed from its ciphertext in a non-proprietary way, its usefulness seems very limited to me. Ed -----Original Message----- From: Thane Plambeck [mailto:tplambeck@verisign.com] Sent: Thursday, January 11, 2001 1:48 PM To: xml-encryption@w3.org Subject: RE: Attribute encryption & Blair's message What's wrong with saying if you want to encrypt an attribute, encrypt the element that contains it? I'm still waiting for a good example why the additional application complexity of selective encryption of attributes inside elements is needed; ie, I await an explicit response to the questions and response on this topic posed in Blair Dillaway's most recent message to this list. Thane Plambeck tplambeck@verisign.com http://www.verisign.com <http://www.verisign.com/> 650 429 5247 direct, Mt View Office 650 321 4884 home office 650 323 4928 home office fax
Received on Thursday, 11 January 2001 19:13:25 UTC