
Re: Decryption Transform processing question

From: Ari Kermaier <arik@phaos.com>
Date: Thu, 02 May 2002 13:56:35 -0400
To: merlin <merlin@baltimore.ie>
Cc: xml-encryption@w3.org

>My problem with iteration is:
>   <Foo Id="foo">
>     <EncryptedData>
>   <!-- what was formerly
>       <Bar>
>       <EncryptedData Id="enc-1" />
>       <EncryptedData Id="enc-2" /> -->
>     </EncryptedData>
>   </Foo>
>I can't run this through:
>   Signature URI="#foo"
>     Decrypt-Transform Except="#enc-2"
>During round 1, we get back a new node set with the original
>pair of EncryptedData, but the URI #enc-2 will no longer resolve
>because round 2 is processing a different document. So,
>suggesting that this transform can handle multiple encryption
>will only mislead people without a warning that Except elements
>won't work for multiply-encrypted data. Somewhat more to the
>point; because our Except references will no longer apply to
>the new document, round 2 will try and decrypt every
>EncryptedData that was excepted from round 1.

I don't understand -- why wouldn't URI="#enc-2" resolve? The spec states in 
the last paragraph of section 2.1,

         [...] When dereferencing dcrpt:Except URIs, the application
         MUST behave as if the root document node of the input node
         set is used to initialize the [XPointer] evaluation context, even
         if this node is not part of the node set. Unlike [XML-Signature],
         the URI may be evaluated against a different document from
         the signature document."

In round 2 we re-initialize the evaluation context to the root document 
node for X, regardless of the consideration that X may be a node-set over a 
new document.

Ari Kermaier    arik@phaos.com
Senior Software Engineer
Phaos Technology Corp.    http://www.phaos.com/
Received on Thursday, 2 May 2002 13:53:23 UTC
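
The iteration discussed in this message, as an added example that is not part of the original post or of the specification: a simplified Python model in which each round resolves the Except URIs against the root of the document currently being processed. Base64 stands in for real encryption, and `seal`, `resolve_except`, `decrypt_round`, `decrypt_transform`, the `Secret` elements and `SAMPLE` are all constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

def seal(xml_text, enc_id=None):
    """Constructed stand-in for encryption: base64 of the plaintext XML."""
    attr = f' Id="{enc_id}"' if enc_id else ""
    body = base64.b64encode(xml_text.encode()).decode()
    return f"<EncryptedData{attr}>{body}</EncryptedData>"

def resolve_except(root, uris):
    """Resolve each '#id' against the root of the document being processed now."""
    by_id = {e.get("Id"): e for e in root.iter() if e.get("Id")}
    return [by_id[u[1:]] for u in uris if u[1:] in by_id]

def decrypt_round(root, except_uris):
    """Decrypt every EncryptedData not excepted in *this* document; return count."""
    excepted = {id(e) for e in resolve_except(root, except_uris)}
    parents = {child: parent for parent in root.iter() for child in parent}
    done = 0
    for enc in list(root.iter("EncryptedData")):
        if id(enc) in excepted:
            continue
        plain = ET.fromstring(base64.b64decode(enc.text))
        parent = parents[enc]  # assumes the document root itself is not encrypted
        pos = list(parent).index(enc)
        parent.remove(enc)
        parent.insert(pos, plain)
        done += 1
    return done

def decrypt_transform(xml_text, except_uris):
    """Run rounds until nothing is decrypted; record which Except ids resolved."""
    root = ET.fromstring(xml_text)
    rounds = []
    while True:
        visible = [e.get("Id") for e in resolve_except(root, except_uris)]
        if decrypt_round(root, except_uris) == 0:
            return root, rounds
        rounds.append(visible)

# Constructed input shaped like the quoted example: enc-1 and enc-2 are
# hidden inside an outer EncryptedData until round 1 has run.
SAMPLE = ('<Foo Id="foo">' + seal("<Bar>" + seal("<Secret>one</Secret>", "enc-1")
          + seal("<Secret>two</Secret>", "enc-2") + "</Bar>") + "</Foo>")

if __name__ == "__main__":
    root, rounds = decrypt_transform(SAMPLE, ["#enc-2"])
    print(rounds)
    print(ET.tostring(root, encoding="unicode"))
```

In this model `#enc-2` resolves to nothing in round 1 and to the inner element in round 2, so `enc-1` is decrypted while `enc-2` is left in place.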
