Re: Decryption Transform processing question

>Takeshi answered my question off-list (I'd misread the example in Appendix
>A) -- thanks.

Sorry, I forgot to cc to the list my answer, which is as follows:

> >2. Decrypt the element corresponding to e (which may require parsing)
> >and replace it with the resulting octet stream according to the XML
> >Encryption specification [XML-Encryption].
> >
> ><AK> Parse the canonicalized node-set into a new document, locate e
> >(EncryptedData with Id="enc2") and perform a decrypt-and-replace
> >as defined in [2] Section 4.2 Decryption step 5. But do we really want
> >replace the EncryptedData element with the decrypted data before we've
> >the wrapping/parsing/unwrapping operation? </AK>
>Sorry, I don't understand your question.  Why do you think we should not
>replace the element before the operation?
> >3. Wrap the decrypted octet stream in the context of C as specified in
> >Text Wrapping (Appendix A).
> >
> ><AK> From the example in [1] Appendix A, it's clear that it is only the
> >decrypted octets being wrapped, not the octets of the document obtained
> >the end of step 2 above. For the [1] Section 4 example, this is just the
> >octets of the 'cardinfo' element. </AK>
>No.  In Appendix A, it is assumed that the input to the transform is an
>EncryptedData element, so only the decrypted octets are wrapped.  In
>Section 4, the input is the 'order' element, so the element, which
>the decrypted 'cardinfo' element, is wrapped.

>However, I have another question: What is the intended purpose of step 1
>(same as below) in the decryptOctets(X, e) function? Since e will not be
>replaced with the result of the decryption, serializing X doesn't really
>seem necessary....

This is just because of symmetry with decryptXML(), but as you noted,
serialization may not be necessary.

By the way, as to decryptXML(), it may be necessary to exchange step 2 and
3 because an octet stream obtained in step 1 may not contain any namespace
declaration attribute necessary for parsing the octet stream when
decrypting an EncrypteData element within the octet stream.  How do you

Tokyo Research Laboratory
IBM Research

Received on Friday, 26 April 2002 03:24:42 UTC