- From: Joseph Reagle <reagle@w3.org>
- Date: Mon, 19 Aug 2002 15:58:25 -0400
- To: "Larry Masinter" <LMM@acm.org>, <ned.freed@mrochek.com>, "'Martin Duerst'" <duerst@w3.org>
- Cc: <w3c-policy@apps.ietf.org>, <ietf-types@iana.org>, <ietf-xml-mime@imc.org>, "'XML Encryption'" <xml-encryption@w3.org>
[Resulting text:
http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/
$Revision: 1.237 $ on $Date: 2002/08/19 19:57:54 $ GMT ]

On Thursday 08 August 2002 06:07 pm, Larry Masinter wrote:
> I'm a little concerned about allowing arbitrary charset
> values for the entire application/xml+enc body, though,
> when any encrypted data are always UTF-8 encoded.

The encrypted data are always UTF-8 encoded when the data being encrypted is XML, but may not be for other media types. Additionally, this doesn't apply to the EncryptedData XML document itself (e.g., the KeyName example given by Martin). We have no additional constraints on an EncryptedData or EncryptedKey instance. It's generic XML.

> Again, I would prefer if the reference were more explicit
> about exactly was 'the same'.

This bit now reads, "Published specification: [XML-Encryption]" (It's kind of odd for a spec to have references to itself, but so be it...)

> You might even note that because
> encrypted data is encoded in base64 that encrypted data
> may have different encoding requirements than the data
> it replaces.

Yep, that's why the introduction says, "Additionally it allows applications cognizant of this media-type (even if they are not XML Encryption implementations) to note that the media type of the decrypted (original) object might be a type other than XML." (Maybe this doesn't belong in the introduction, but I'm not sure of a better place?)

> > references [2] in the same way I have done. I haven't been able to
> > find any example of a "MIME type threat analysis".
>
> Encrypted content may be unsafe content.

Can you point me to any other registration that uses similar text I can borrow? (Instead of crafting green text myself). Until then, I've added a section 6.5:

[[
6.5 Unsafe Content

XML Encryption can be used to obscure, via encryption, content that applications (e.g., firewalls, virus detectors, etc.) consider unsafe (e.g., executable code, viruses, etc.). Consequently, such applications must consider encrypted content to be as unsafe as the unsafest content transported in its application context. Consequently, such applications may choose to (1) disallow such content, (2) require access to the decrypted form for inspection, or (3) ensure that arbitrary content can be safely handled by receiving applications.
]]

> I think you might just put it inline:
>
> Published specification:
> This document. The application/xenc+xml media type
> may be used with XML documents in which the EncryptedData
> and EncryptedKey element types, in the XML Encryption
> namespace, appear as the root element of the XML document.

There was text like this in the "magic number" section which is now further augmented.
Received on Monday, 19 August 2002 15:59:07 UTC
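
The following is an added example, not part of the original message or of the XML Encryption specification: a sketch of how a content-inspecting gateway could recognise the root elements named above and apply one of the three choices from the proposed section 6.5. The function names, the policy strings, the "scan" action and the rule that a label/root mismatch is rejected are assumptions made for illustration; the sample document is constructed.

```python
import xml.parsers.expat

XENC_NS = "http://www.w3.org/2001/04/xmlenc#"  # XML Encryption namespace
XENC_ROOTS = {"EncryptedData", "EncryptedKey"}
POLICIES = {"disallow", "require-decrypted", "pass"}  # options (1)-(3) in 6.5

# Constructed sample: an HTML page wrapped in EncryptedData (ciphertext is dummy).
SAMPLE = (b'<?xml version="1.0"?>'
          b'<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" MimeType="text/html">'
          b'<CipherData><CipherValue>AAAA</CipherValue></CipherData></EncryptedData>')


class _Stop(Exception):
    """Raised from a handler to end parsing early."""


def sniff_root(body):
    """Return (namespace, local_name, attrs) of the root element, else None.
    Parsing stops at the root; a DOCTYPE is refused before any entity is read."""
    found = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(*_args):
        raise _Stop()

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        found.append((ns, local, dict(attrs)))
        raise _Stop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except (_Stop, xml.parsers.expat.ExpatError):
        pass
    return found[0] if found else None


def gateway_decision(content_type, body, policy="require-decrypted"):
    """Return (action, reason); non-encrypted content gets the action "scan"."""
    if policy not in POLICIES:
        raise ValueError(policy)
    labelled = content_type.split(";")[0].strip().lower() == "application/xenc+xml"
    root = sniff_root(body)
    if root and root[0] == XENC_NS and root[1] in XENC_ROOTS:
        inner = root[2].get("MimeType", "unknown")  # advisory, set by the sender
        return policy, f"{root[1]} root; sender-declared plaintext type: {inner}"
    if labelled:  # assumption: a label/root mismatch is rejected outright
        return "disallow", "labelled application/xenc+xml but root element differs"
    return "scan", "not XML Encryption content"
```

Root sniffing covers only documents whose root element is EncryptedData or EncryptedKey, which is the case the media type describes; EncryptedData elements nested inside another XML document need a full tree walk. The MimeType attribute is supplied by the sender, so it can inform logging but not a trust decision.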