W3C home > Mailing lists > Public > xml-encryption@w3.org > March 2001

RE: XML Encryption Data/Processing Model

From: Joseph M. Reagle Jr. <reagle@w3.org>
Date: Fri, 30 Mar 2001 17:19:16 -0500
Message-Id: <>
To: "John Boyer" <JBoyer@PureEdge.com>
Cc: "Hiroshi Maruyama" <MARUYAMA@jp.ibm.com>, <xml-encryption@w3.org>, <w3c-ietf-xmldsig@w3.org>, <Andy_Clark/Santa_Teresa/IBM@jp.ibm.com>
At 10:33 3/30/2001 -0800, John Boyer wrote:
>Your problem has little to do with a 'consistency' issue on C14N, and is
>trivially solvable.  The solution you are considering is fraught with
>problems.  Details below.

I fear that it is not trivially solvable, but it's not through any fault of 

>As to your practical problem, it does not appear to have a very
>difficult solution.  The fact that it is a sign-then-encrypt scenario
>does not mean you are restricted to two black box operations to be done
>in precisely that sequence.  If you know it is a sign then encrypt, then
>you should simply apply the C14N to the block to be encrypted, then
>affix the signature, then perform the encryption.

If you are a single signor-encryptor this works, but it doesn't if its two 
different parties. Consequently we need to define an encryption process that 
allows one to serialize and then encrypt some portion of a parsed document 
such that the decrypt leaves it in as untouched a state as possible:
         canonicalize(foo) == canonicalize(decrypt(encrypt(foo)))

>When you C14N the <el2enc> element, you are canonicalizing it outside of
>the context of its parent, so transferring the xml:lang into the element
>is necessary.  To wit, you may have an application scenario where you
>send only the encrypted blob (containing the scrambled version of the
><el2enc> element) to the holder of the appropriate private key.  The
>absence of xml:lang in such a case would be detrimental.

I think I agree with this: this is a fine behavior for canonicalizing prior 
to signature. But it is problematic as Hiroshi describes for serialization 
of the parsed XML that is about to be encrypted.

So in the relation, where foo is some parsed XML (a node or item), the bit 
is we need an XML serialization algorithm that maintains the identity:
         canonicalize(foo) == canonicalize(decrypt(encrypt(serialize(foo))))
the question we are considering is can serialize=canonicalize and Hiroshi 
has pointed out a case where this is problematic.

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Friday, 30 March 2001 17:19:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 23:13:02 UTC