Re: Comments on the 6 Apr Draft from Takeshi Imamura on 2001-05-08 (xml-encryption@w3.org from May 2001)

From: Takeshi Imamura <IMAMU@jp.ibm.com>
Date: Tue, 8 May 2001 17:22:39 +0900
To: "Blair Dillaway" <blaird@microsoft.com>
Cc: <xml-encryption@w3.org>
Message-ID: <OF049BB0D5.57EBB0D5-ON49256A46.002ABE9F@LocalDomain>
Blair,

>I believe this will also
>allow us to describe encryption of an entire XML document without
>introducing another special case.  In the document case, the collection
>of sibling XML Nodes to be encrypted/decrypted may include processing
>instructions, comments, namespace declarations, etc. in addition to the
>root Xml Element.

I believe, though the distinction between "Element" and
"ElementChildNodeList" may be eliminated into something like "NodeList",
the distinction between the "NodeList" and "Document" should not be
eliminated.  This is because a document may also contain a document type
declaration and so it cannot be processed (i.e., deserialized or
unmarshaled) in the same way as a node list.

Thanks,
Takeshi IMAMURA
Tokyo Research Laboratory
IBM Research
imamu@jp.ibm.com



From: "Blair Dillaway" <blaird@microsoft.com>@w3.org on 2001/05/05 01:50 AM

Please respond to "Blair Dillaway" <blaird@microsoft.com>

Sent by:  xml-encryption-request@w3.org


To:   <xml-encryption@w3.org>
cc:
Subject:  Comments on the 6 Apr Draft



Below are comments on the latest rought draft.  I've tried not to repeat
issues/problems already posted by others.

2. - In the example, it shows a CipherData element with a URI attribute
and an 'encrypted' value.  Mixing these together doesn't track with
proposed syntax. The expectation is that one has an element with a URI
reference and optional Transforms, or the actual encrypted data as
base64Binary.  We've discussed separating these two constructs out as
separate types.  I assume once this is done we can clean up the example.

2.1.1 - in the example, the CipherData closing tag has an 'enc' prefix
while the opening tag doesn't and the 'enc' prefix isn't specified.  The
prefix should be removed.

3.1 - The text (paragraph 3) states "KeyInfo is an optional element,
defined by [XMLDSIG], ...".  While correct, the EncryptedType schema
includes a KeyInfo element defined in the Encryption namespace, not the
DSIG namespace.  One would presumably need to read the complete schema
to find out how DSIG KeyInfo and Encryption KeyInfo relate.  If we stick
with this schema then the text should be updated to explain the
relationship.

3.4 - under bullet item 1.1.2, the text should be "... indicate a key
known ..." not "... indicate a key know ..."

3.4.2 - Here is my suggested re-write of the textual material in this
section.  The schema fragment should remain as is.

The KeyRetrievalMethod element provides a way to express a link to an
EncryptedKey element containing the key needed to decrypt the CipherData
associated with an EncryptedData or EncryptedKey element.  The
KeyRetrievalMethod  is always a child of the enc:KeyInfo element and may
appear multiple times.  If there is more than one instance of a
KeyRetievalMethod in a KeyInfo, then the EncryptedKey objects referred
to must contain the same key value, possibly encrypted in different ways
or for different recipients.

     <existing  schema fragment>

KeyRetrievalMethod uses similar syntax and dereferencing behavior to the
RetrievalMethod element in [XMLDSIG], except the type attribute is
implicitly of type EncryptedKey.

4.  I would like to suggest we eliminate the distinction between an
encrypted "Element" and "Element ChildNodeList" in this discussion.  The
rules can be generalized, when encrypting/decrypting XML information, to
the case that we have an ordered collection of one or more sibling XML
Nodes.  The "Element" type processing is simply the degenerate case
where the collection contains a single Xml Node (and its children) that
is of type Element.  This can be processed in the same manner as the
case where we have multiple sibling Nodes.  I believe this will also
allow us to describe encryption of an entire XML document without
introducing another special case.  In the document case, the collection
of sibling XML Nodes to be encrypted/decrypted may include processing
instructions, comments, namespace declarations, etc. in addition to the
root Xml Element.

Regards,
Blair Dillaway
Microsoft Corp.
Received on Tuesday, 8 May 2001 04:23:27 UTC