Re: Decryption Transform processing question from Takeshi Imamura on 2002-05-02 (xml-encryption@w3.org from May 2002)

From: Takeshi Imamura <IMAMU@jp.ibm.com>
Date: Thu, 2 May 2002 16:03:30 +0900
To: Ari Kermaier <arik@phaos.com>
Cc: "Hiroshi Maruyama" <MARUYAMA@jp.ibm.com>, merlin <merlin@baltimore.ie>, reagle@w3.org, xml-encryption@w3.org
Message-ID: <OFA4815F3F.29A17614-ON49256BAD.00206EC3@LocalDomain>

>I thought that XPath caveat was weird as well,

I don't think that it is weird.  If we define the processing rules over
node-sets, we replace some nodes in a node-set with ones in the other
node-set.  It looks easy, but is not possible because, according to the
XPath spec, a node-set is defined as a set of nodes in a document tree.
That is, it is because the relation between node-sets from distinct
document trees is not defined.  So we defined the processing rules over
octet streams.  Does this make sense?

>but I believe the confusion
>on wrapping is really just an infelicity of the language in the text. When
>it says "wrap the decrypted octet stream" I think it really means "wrap
the
>octet stream resulting from decrypting and replacing e in X". (See
>Takeshi's answer to my question in [1].)
>
>Under this reading, I think the following would hold for a signature over
>"#foo":
>
><Bar xmlns:baz="http://example.org/baz">
>  <Foo xml:something="other" Id="foo">
>    <enc:EncryptedData ...>...</enc:EncryptedData>
>  </Foo>
></Bar>
>
>Dereferencing, decrypting and replacing results in:
>
><Foo xml:something="other" Id="foo">
>  <plaintext />
></Foo>
>
>Since <Bar>'s namespace is in scope for the first element of the input
>node-set, <Foo>, parsing context C is {xmlns:baz="http://example.org/baz",
>xml:something="other"}.

Sorry for confusing you.  The text defining the parsing context should be
tweaked.  In this case, C is {xmlns:baz="http://example.org/baz"}.  Please
consider the meaning of the word "parsing context".

>So the result of wrapping would be:
>
><dummy xmlns:baz="http://example.org/baz" xml:something="other"><Foo
>xml:something="other" Id="foo">
><plaintext />
></Foo></dummy>

The result would be:

<dummy xmlns:baz="http://example.org/baz"><Foo xml:something="other" Id
="foo">
  <plaintext />
</Foo></dummy>

>Parsing, unwrapping and canonicalizing would result in:
>
><Foo xmlns:baz="http://example.org/baz" xml:something="other" Id="foo">
>  <plaintext />
></Foo>
>
>If this is correct, my proposed text in [2] for decryptXML(X, e, C) and
>decryptOctets(X, e) would be OK. Am I missing anything?

Thanks,
Takeshi IMAMURA
Tokyo Research Laboratory
IBM Research
imamu@jp.ibm.com

Received on Thursday, 2 May 2002 03:03:41 UTC