ietf-xml-mime
[Top] [All Lists]

Re: draft-reagle-xenc-mediatype-01.txt

2002-08-19 12:59:05

[Resulting text:
  http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/
  $Revision: 1.237 $ on $Date: 2002/08/19 19:57:54 $ GMT
]

On Thursday 08 August 2002 06:07 pm, Larry Masinter wrote:
I'm a little concerned about allowing arbitrary charset
values for the entire application/xml+enc body, though,
when any encrypted data are always UTF-8 encoded.

The encrypted data are always UTF-8 encoded when the data being encrypted is 
XML, but may not be for other media type. Additionally, this doesn't apply 
to the EncryptedData XML document itself (e.g., the KeyName example given 
by Martin). We have no additional constraints on an EncryptedData or 
EncryptedKey instance. It's generic XML.

Again, I would prefer if the reference were more explicit
about exactly was 'the same'.

This bit now reads, "Published specification:  [XML-Encryption] " (It's kind 
of a odd for a spec to have references to itself, but so be it...)

You might even note that because
encrypted data is encoded in base64 that encrypted data
may have different encoding requirements than the data
it replaces.

Yep, that's why the introduction says, "Additionally it allows applications 
cognizant of this media-type (even if they are not XML Encryption 
implementations) to note that the media type of the decrypted (original) 
object might be a type other than XML." (Maybe this doesn't belong in the 
introduction, but I'm not sure of a better place?)

references [2] in the same way I have done. I haven't been able to
find any example of a  "MIME type threat analysis".

Encrypted content may be unsafe content.

Can you point me to any other registration that uses similar text I can 
borrow? (Instead of crafting green text myself). Until then, I've added a 
section 6.5:

[[
 6.5 Unsafe Content
XML Encryption can be used to obscure, via encryption, content that 
applications (e.g., firewalls, virus detectors, etc.) consider unsafe 
(e.g., executable code, viruses, etc.). Consequently, such applications 
must consider encrypted content to be as unsafe as the unsafest content 
transported in its application context. Consequently, such applications may 
choose to (1) disallow such content, (2) require access to the decrypted 
form for inspection, or (3) ensure that arbitrary content can be safely 
handled by receiving applications.
]]

I think you might just put it inline:

  Published specification:
       This document. The application/xenc+xml media type
       may be used with XML documents in which the EncryptedData
       and EncryptedKey element types, in the XML Encryption
       namespace, appear as the root element of the XML document.

There was text like this in the "magic number" section which is now further 
augmented.