RE: Minor comments on Section 4

Blair wrote

>we're ambiguous in Step 3.1 about who is responsible for
>serializing the data.

I don't think the text is ambiguous because all the steps start out with
"the encryptor must:".  Hence all the steps are the Encryptor's responsibility
unless otherwise specified.  Unless there is a good reason otherwise, I
wouldn't want the application to have to handle the serialization of XML
Elements and Content.

On a related topic, for non-XML data where we require the application to
do the serialization (because the Encryptor can't do arbitrary serialization),
does it make sense to allow the application to provide a hint in <EncryptedData>
how the serialization was done?  I'm thinking of the receiving end,
where the Decryptor wants to de-serialize the data and wants to know how
the serialization was done.


Ed Simon
XMLsec Inc.


Received on Wednesday, 19 September 2001 18:05:10 UTC