- From: Joseph Reagle <reagle@w3.org>
- Date: Wed, 26 Sep 2001 19:25:42 -0400
- To: "XML Encryption WG" <xml-encryption@w3.org>
Please respond to the list by close of Friday the 28th.
In [1], I summarize the requirement to partially reveal/decrypt and confirm
the authenticity/integrity of elements without necessarily revealing other
elements encrypted at the same time -- and how to achieve this using
xmldsig. Do you prefer:
1. Remove the Digest{Method,Value} and specify how similar functionality
can be accomplished using an XML Signature manifest as described in [1].
This is a bit more clean with respect to keeping xmldsig and xenc distinct
(we'd have no special syntax or processing specified in xenc), but requires
slightly more complex specification none-the-less (of how to use xmldsig)
to satisfy the requirement.
2. Retain the Digest{Method,Value} as presently specified. This introduces
additional processing into the Encryption spec for integrity purposes that
could be done by XML Signature, but it's a little more straightforward.
This option also satisfies Amir's requirement of being able to change the
Encryption algorithm without invalidating a signature of the plain data and
digests *if* a transform is used to remove the actual Encryption Info
(algorithm, key and value) prior to a signature. However, this requires an
actual transform to be written. If you opt for #2, should we:
A. Let applications specify the transform.
B. Specify/standardize the transform.
[1]
http://lists.w3.org/Archives/Public/xml-encryption/2001Sep/att-0021/01-digest.html
Received on Wednesday, 26 September 2001 19:26:17 UTC