- From: Amir Herzberg <AMIR@newgenpay.com>
- Date: Mon, 24 Sep 2001 12:32:49 +0200
- To: "XML Encryption WG" <xml-encryption@w3.org>
On September 18, 2001 12:06, Joseph Reagle wrote:
> On Sunday 16 September 2001 11:23, Amir Herzberg wrote:
> > I think Joe's scenario would work. Few comments:
> >
> > 1. Don't we need to copy the IDs to the EncryptedData tags for the
> > references to work, e.g.:
> >
> > <AlphabetiSphagetti>
> >   <A id="a"/>
> >   <EncryptedData id="b" xmlns='http://www.w3.org/2001/04/xmlenc#'
> >    Type='http://www.w3.org/2001/04/xmlenc#Element'>
> >     <CipherData>
> >     ....
>
> For the references to work to what end? For the Signature
> Transform [1], or something else?
> [1] http://www.w3.org/Encryption/2001/Drafts/xmlenc-decrypt

No, simply for the reference you've put in the manifest to be valid, e.g.:

  <Reference URI="foo.xml#b">

Without putting the `id="b"` in the EncryptedData I think this reference won't identify this element.

>
> > 2. What if we want the signature to also include a regular (mandatory,
> > not Manifest) SignedInfo for parts of the document which are never
> > encrypted?
<skip>
> Are you familiar with [1]?
> [1] http://www.w3.org/Encryption/2001/Drafts/xmlenc-decrypt

Familiar, but forgot about it when I wrote, sorry...

Sure, this ([1]) can be used to sign the document with non-encrypted parts and use the ciphertext for the encrypted parts. However, this does not allow changing the encryption (e.g. to another key) or removing it, which was one of my goals (and a pretty natural one). For this I still think that we must either use DigestValue in the EncryptedData, and a transform to sign only the DigestValue, or a transform to remove the entire EncryptedData and sign it only via Manifest as you suggested.

Best,
Amir Herzberg
Received on Monday, 24 September 2001 06:35:00 UTC
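
Added example, not part of the original message: a small check of the point about `Reference URI="foo.xml#b"`, showing that the fragment stops resolving once the element is replaced by an EncryptedData that does not carry the same id. The sample documents, the `B` element, the manifest URI list and the function names are constructed for illustration, and any attribute named `id` is assumed to be of type ID.

```python
import xml.etree.ElementTree as ET

ENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample documents, modelled on the fragment quoted in the message.
PLAIN = '<AlphabetiSphagetti><A id="a"/><B id="b">secret</B></AlphabetiSphagetti>'
ENC_NO_ID = (
    '<AlphabetiSphagetti><A id="a"/>'
    f'<EncryptedData xmlns="{ENC_NS}" Type="{ENC_NS}Element">'
    '<CipherData><CipherValue>AAAA</CipherValue></CipherData>'
    '</EncryptedData></AlphabetiSphagetti>'
)
# Same document, but the encryptor copied id="b" onto EncryptedData.
ENC_WITH_ID = ENC_NO_ID.replace('<EncryptedData ', '<EncryptedData id="b" ')

# Constructed stand-in for the Reference URIs listed in the manifest.
MANIFEST_URIS = ["foo.xml#a", "foo.xml#b"]


def resolve_fragment(root, uri):
    """Return every element whose id equals the fragment of `uri`."""
    _, _, fragment = uri.partition("#")
    if not fragment:
        return [root]  # no fragment: the reference is to the whole document
    return [el for el in root.iter() if el.get("id") == fragment]


def check_manifest(xml_text, uris):
    """Map each reference URI to the local name of its target element,
    or to 'dangling' / 'ambiguous' when it does not identify exactly one."""
    root = ET.fromstring(xml_text)
    report = {}
    for uri in uris:
        hits = resolve_fragment(root, uri)
        if not hits:
            report[uri] = "dangling"
        elif len(hits) > 1:
            report[uri] = "ambiguous"  # duplicate ids cannot be referenced safely
        else:
            report[uri] = hits[0].tag.rsplit("}", 1)[-1]  # strip namespace
    return report


if __name__ == "__main__":
    for label, doc in [("plaintext", PLAIN),
                       ("encrypted, id dropped", ENC_NO_ID),
                       ("encrypted, id copied", ENC_WITH_ID)]:
        print(label, check_manifest(doc, MANIFEST_URIS))
```
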