- From: <noah_mendelsohn@us.ibm.com>
- Date: Wed, 20 Feb 2002 10:43:09 -0500
- To: david.orchard@bea.com
- Cc: reagle@w3.org, "'www-xenc-xmlp-tf'" <www-xenc-xmlp-tf@w3.org>, "'xml-dist-app'" <xml-dist-app@w3.org>, "'xml-encryption'" <xml-encryption@w3.org>

David Orchard writes:

>> Imagine I took a SOAP document and encrypted a big chunk of it, i.e.:
>> <soap:envelope>
>> <xenc:encrypteddata>...</xenc:encrypteddata>
>> </soap:envelope>.
>> Again, this is not changing the SOAP spec in any way.

I beg to differ. The envelope you show is assuredly not legal SOAP. I would recommend against anyone using this idiom. There are of course an unbounded number of ways that one might consider sending a message that conveys: "I'll tell you that this is a SOAP envelope, but the contents of this entire envelope are encrypted." I think that's what the above is trying to convey. I suggest that the example above is not a particularly good use of XML, Namespaces (it violates the definition of soap:envelope) or SOAP (it's surely illegal SOAP.)

SOAP provides mechanisms which are reasonably carefully crafted to achieve what you want, in a much more controlled and namespace-compatible manner. I suggest we focus on those, and design MIME types accordingly. Thank you!

------------------------------------------------------------------
Noah Mendelsohn                              Voice: 1-617-693-4036
IBM Corporation                                Fax: 1-617-693-8676
One Rogers Street
Cambridge, MA 02142
------------------------------------------------------------------

"David Orchard" <david.orchard@bea.com>
02/20/2002 12:38 AM

To: <reagle@w3.org>, Noah Mendelsohn/Cambridge/IBM@Lotus
cc: "'www-xenc-xmlp-tf'" <www-xenc-xmlp-tf@w3.org>, "'xml-dist-app'" <xml-dist-app@w3.org>, "'xml-encryption'" <xml-encryption@w3.org>
Subject: RE: XMLP/XMLE Use cases and processing models

Joseph,

I'm not suggesting that XMLE try to automatically make pre-existing applications XML Encryption aware. I don't follow how you get that extraordinary claim. I'm suggesting that documents have content-type of application/xenc+xml for documents containing XMLE where XMLE decryption MUST be done to interpret the contents according to the namespace names within.

Imagine I took a SOAP document and encrypted a big chunk of it, i.e. <soap:envelope><xenc:encrypteddata>...</xenc:encrypteddata></soap:envelope>. The SOAP processor knows nothing about the soap document as encryption happened "afterwards". When such a document was sent, decryption would be required first. After decryption, then a SOAP processor would know what to do with it. While this particular document is encrypted, it is NOT a SOAP document as per the soap namespace name nor media type. Making such a document have a media-type of application/xenc+xml ensures that the document can be dispatched to the correct piece of software, which you can't do if it has media-type application/soap.

Again, this is not changing the SOAP spec in any way.

Cheers,
Dave

> -----Original Message-----
> From: Joseph Reagle [mailto:reagle@w3.org]
> Sent: Tuesday, February 19, 2002 10:43 AM
> To: noah_mendelsohn@us.ibm.com; david.orchard@bea.com
> Cc: 'www-xenc-xmlp-tf'; 'xml-dist-app'; 'xml-encryption'
> Subject: Re: XMLP/XMLE Use cases and processing models
>
> Exactly. Applications which use to use XML Encryption or otherwise expect
> to have elements from other namespaces need to be savvy about what they
> want to do (e.g., encrypt the content of a SOAP:Header) and how they want
> to do it (e.g., write a flexible, create a new namespace, etc.)
> Applications that haven't done this might have to take some other steps
> which won't be as easy and straightforward but it's their call. There's no
> solution that automatically makes all pre-existing XML applications XML
> encryption aware or capable in every possible scenario -- like encrypting
> the SOAP header itself.
>
> On Monday 18 February 2002 20:21, noah_mendelsohn@us.ibm.com wrote:
> > which is indeed not valid SOAP, suggesting the need for a new media type.
> > But... that's not how you would use SOAP IMO. I suggest instead:
> >
> > <SOAP:Envelope xmlns:soap="...">
> >   <SOAP:Header>
> >     <xenc:EncryptedData xmlns:xenc="..."
> >         SOAP:mustUnderstand="true"
> >         SOAP:role="decryptingIntermediary">
> >       ...
> >     </xenc:EncryptedData>
> >   </SOAP:Header>
> >   <SOAP:Body>
> >     ...leave empty or put dummy element here
> >     ...if you don't want unencrypted data
> > </SOAP:Envelope>
>
> --
>
> Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
> W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Wednesday, 20 February 2002 10:57:00 UTC
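
An added illustration of the two positions in this thread (not code from any participant or from the SOAP or XML Encryption specifications): a structural check that tells the whole-envelope-encrypted shape from the header-carried shape, plus a hypothetical dispatcher keyed on the media types named above. The namespace URIs, the `route` and `envelope_problems` names, the handler labels and the sample documents are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs; the thread elides them as "...".
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"          # XML Encryption

def envelope_problems(xml_text):
    """List structural problems; an empty list means the envelope shape is acceptable."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return ["root is not a SOAP Envelope"]
    problems = []
    # find() with a qualified name only matches direct children of the root.
    if root.find(f"{{{SOAP_NS}}}Body") is None:
        problems.append("Envelope has no Body")
    if root.find(f"{{{XENC_NS}}}EncryptedData") is not None:
        problems.append("EncryptedData is a direct child of Envelope")
    return problems

def route(media_type, xml_text):
    """Hypothetical dispatcher keyed on the media types named in the thread."""
    if media_type == "application/xenc+xml":
        return "decrypt-first"          # decrypt, then dispatch on the plaintext
    if media_type == "application/soap":
        return "reject" if envelope_problems(xml_text) else "soap-processor"
    return "reject"                     # unknown type: fail closed

# Constructed samples modelled on the two envelopes discussed in the thread.
WHOLE_ENCRYPTED = (
    f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:x="{XENC_NS}">'
    "<x:EncryptedData/></s:Envelope>"
)
HEADER_ENCRYPTED = (
    f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:x="{XENC_NS}">'
    '<s:Header><x:EncryptedData s:mustUnderstand="1"/></s:Header>'
    "<s:Body/></s:Envelope>"
)

if __name__ == "__main__":
    for name, doc in (("whole", WHOLE_ENCRYPTED), ("header", HEADER_ENCRYPTED)):
        print(name, route("application/soap", doc), envelope_problems(doc))
```

For input that crosses a trust boundary, parse with a hardened XML parser configuration before running a check like this.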