Re: Decryption Transform processing question

>Takeshi answered my question off-list (I'd misread the example in Appendix
>A) -- thanks.

Sorry, I forgot to cc to the list my answer, which is as follows:

> >2. Decrypt the element corresponding to e (which may require parsing)
> >and replace it with the resulting octet stream according to the XML
> >Encryption specification [XML-Encryption].
> >
> ><AK> Parse the canonicalized node-set into a new document, locate e
> >(EncryptedData with Id="enc2") and perform a decrypt-and-replace procedure
> >as defined in [2] Section 4.2 Decryption step 5. But do we really want to
> >replace the EncryptedData element with the decrypted data before we've done
> >the wrapping/parsing/unwrapping operation? </AK>
>
>Sorry, I don't understand your question.  Why do you think we should not
>replace the element before the operation?
>
> >3. Wrap the decrypted octet stream in the context of C as specified in
> >Text Wrapping (Appendix A).
> >
> ><AK> From the example in [1] Appendix A, it's clear that it is only the
> >decrypted octets being wrapped, not the octets of the document obtained at
> >the end of step 2 above. For the [1] Section 4 example, this is just the
> >octets of the 'cardinfo' element. </AK>
>
>No.  In Appendix A, it is assumed that the input to the transform is an
>EncryptedData element, so only the decrypted octets are wrapped.  In
>Section 4, the input is the 'order' element, so the element, which contains
>the decrypted 'cardinfo' element, is wrapped.

>However, I have another question: What is the intended purpose of step 1
>(same as below) in the decryptOctets(X, e) function? Since e will not be
>replaced with the result of the decryption, serializing X doesn't really
>seem necessary....

This is just because of symmetry with decryptXML(), but as you noted,
serialization may not be necessary.

By the way, as to decryptXML(), it may be necessary to exchange steps 2 and
3 because an octet stream obtained in step 1 may not contain any namespace
declaration attribute necessary for parsing the octet stream when
decrypting an EncryptedData element within the octet stream.  How do you
feel?

Thanks,
Takeshi IMAMURA
Tokyo Research Laboratory
IBM Research
imamu@jp.ibm.com

Received on Friday, 26 April 2002 03:24:42 UTC
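
The namespace problem raised above for decryptXML(), shown as an added example that is not part of the original message or of the specification: decrypted octets that use a prefix declared only on an ancestor fail to parse on their own, and parse once wrapped in an element carrying the context's namespace declarations. The element names, namespace URIs, the `dummy` wrapper name and the helper function names are assumptions; the octets are assumed to be UTF-8 without an XML declaration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample: octets as they might come out of decrypting an
# EncryptedData element whose plaintext relied on a prefix declared on an
# ancestor in the original document.
DECRYPTED = (b"<pay:cardinfo><pay:number>0000 0000 0000 0000</pay:number>"
             b"</pay:cardinfo>")

# Constructed in-scope namespaces of the context node ("" is the default).
CONTEXT_NS = {"pay": "urn:example:payment", "": "urn:example:order"}


def parse_bare(octets):
    """Parse the decrypted octets with no context; None if not well-formed."""
    try:
        return ET.fromstring(octets)
    except ET.ParseError:  # e.g. "unbound prefix"
        return None


def wrap(octets, in_scope_ns):
    """Surround the octets with a dummy element declaring the context's
    namespaces, so that prefixes used in the octets resolve during parsing."""
    decls = "".join(
        " xmlns%s=%s" % ((":" + prefix) if prefix else "", quoteattr(uri))
        for prefix, uri in sorted(in_scope_ns.items())
    )
    return ("<dummy%s>" % decls).encode("utf-8") + octets + b"</dummy>"


def parse_in_context(octets, in_scope_ns):
    """Wrap, parse, then unwrap: return the element children of the dummy
    element (text directly under the dummy element is ignored here)."""
    root = ET.fromstring(wrap(octets, in_scope_ns))
    return list(root)


if __name__ == "__main__":
    print("bare parse:", parse_bare(DECRYPTED))
    for node in parse_in_context(DECRYPTED, CONTEXT_NS):
        print("in context:", node.tag, [child.tag for child in node])
```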