santuario-dev mailing list archives

From "Cantor, Scott" <>
Subject Re: XML encryption: multiple files and multiple recipients
Date Sat, 13 Dec 2014 20:52:40 GMT
On 12/13/14, 5:17 PM, "Frank Cornelis" <> wrote:
>I'm trying to construct a generic encryption format based on OCF:
>Besides the need to encrypt multiple files (within the ZIP), I also want 
>to express multiple recipients. Each recipient has its own X509 
>Thus the same AES key is being encrypted towards multiple recipient 
>It's not 100% clear how to express this from the XML Encryption 

There are essentially many ways to do anything, and ultimately it depends 
on what code people are writing. It's easy to construct scenarios that 
you'll never get anybody to implement, and then there are better and worse 
ways to do things that make it slightly more likely they'll get it right.

>What I came up with so far is the structure as shown below.
>Is this the correct way to express what I'm looking for?

Not ideally, no.

>Not clear whether I should do this using multiple ds:RetrievalMethod 
>elements within the ds:KeyInfo.

No (and very few people implement RetrievalMethod or its 1.1 replacement).

The CarriedKeyName element is suggested to label EncryptedKeys and then a 
KeyName is included in the EncryptedData to reference it.

The SAML standard after some errata includes examples that include 

See the section 8 examples.

-- Scott
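The reply above names the linkage (EncryptedKey/CarriedKeyName referenced by a KeyName inside each EncryptedData) but shows no document. What follows is an added example, written here in Python with only the standard library; it is not code from the list message or from the Santuario project. The element names, namespaces and algorithm URIs are the real XML Encryption and XML Signature ones, and `Recipient` is the optional attribute XML Encryption defines on EncryptedKey. The `<container>` and `<entry path="...">` wrapper elements are assumptions standing in for whatever the ZIP-based format would use, and the cipher values are constructed placeholder bytes, since the point is the name-based structure rather than the cryptography.

```python
"""Added example: one AES content key carried by several EncryptedKey elements
(one per recipient, each with the same CarriedKeyName) and several EncryptedData
elements (one per file) that reference that key through ds:KeyName.
Not code from the santuario-dev message or from Apache Santuario."""
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)


def q(ns, local):
    """Clark-notation tag, e.g. {http://www.w3.org/2001/04/xmlenc#}EncryptedKey."""
    return "{%s}%s" % (ns, local)


def build_container(key_label, recipients, files):
    """recipients: {subject_name: wrapped_key_bytes}; files: {zip_path: ciphertext}.
    <container> and <entry path=...> are assumed wrappers, not part of XML Encryption."""
    root = ET.Element("container")
    for subject, wrapped in recipients.items():
        # One EncryptedKey per recipient; all of them carry the same key name.
        ek = ET.SubElement(root, q(XENC, "EncryptedKey"), Recipient=subject)
        ET.SubElement(ek, q(XENC, "EncryptionMethod"), Algorithm=XENC + "rsa-oaep-mgf1p")
        ki = ET.SubElement(ek, q(DS, "KeyInfo"))
        x509 = ET.SubElement(ki, q(DS, "X509Data"))
        ET.SubElement(x509, q(DS, "X509SubjectName")).text = subject
        cd = ET.SubElement(ek, q(XENC, "CipherData"))
        ET.SubElement(cd, q(XENC, "CipherValue")).text = base64.b64encode(wrapped).decode()
        ET.SubElement(ek, q(XENC, "CarriedKeyName")).text = key_label  # last child per schema
    for path, ciphertext in files.items():
        # One EncryptedData per file; each points at the shared key by name.
        entry = ET.SubElement(root, "entry", path=path)
        ed = ET.SubElement(entry, q(XENC, "EncryptedData"), MimeType="application/octet-stream")
        ET.SubElement(ed, q(XENC, "EncryptionMethod"), Algorithm=XENC + "aes128-cbc")
        ki = ET.SubElement(ed, q(DS, "KeyInfo"))
        ET.SubElement(ki, q(DS, "KeyName")).text = key_label
        cd = ET.SubElement(ed, q(XENC, "CipherData"))
        ET.SubElement(cd, q(XENC, "CipherValue")).text = base64.b64encode(ciphertext).decode()
    return root


def serialize(root):
    return ET.tostring(root, encoding="unicode")


def parse(text):
    return ET.fromstring(text)


def _cipher_value(elem):
    return base64.b64decode(elem.findtext(q(XENC, "CipherData") + "/" + q(XENC, "CipherValue")))


def resolve(root, subject):
    """For one recipient, return {path: (wrapped_key, ciphertext)} by following
    EncryptedData/ds:KeyInfo/ds:KeyName to the EncryptedKey addressed to that
    recipient whose CarriedKeyName matches. Raises KeyError on a dangling name."""
    carried = {}
    for ek in root.iter(q(XENC, "EncryptedKey")):
        if ek.get("Recipient") == subject:
            carried[ek.findtext(q(XENC, "CarriedKeyName"))] = _cipher_value(ek)
    if not carried:
        raise KeyError("no EncryptedKey addressed to %r" % subject)
    out = {}
    for entry in root.findall("entry"):
        ed = entry.find(q(XENC, "EncryptedData"))
        name = ed.findtext(q(DS, "KeyInfo") + "/" + q(DS, "KeyName"))
        if name not in carried:
            raise KeyError("%s names key %r, which no EncryptedKey for %r carries"
                           % (entry.get("path"), name, subject))
        out[entry.get("path")] = (carried[name], _cipher_value(ed))
    return out


def dangling_key_names(root):
    """Key names referenced by some EncryptedData that no EncryptedKey carries at all."""
    carried = {ek.findtext(q(XENC, "CarriedKeyName")) for ek in root.iter(q(XENC, "EncryptedKey"))}
    named = {ed.findtext(q(DS, "KeyInfo") + "/" + q(DS, "KeyName"))
             for ed in root.iter(q(XENC, "EncryptedData"))}
    return sorted(named - carried)


# Constructed sample data: in a real container these bytes would be the AES key
# wrapped under each recipient's RSA public key and the AES ciphertext of each entry.
SAMPLE = build_container(
    "content-key-1",
    {"CN=Alice": b"aes-key-wrapped-to-alice", "CN=Bob": b"aes-key-wrapped-to-bob"},
    {"doc.xml": b"ciphertext-of-doc", "images/a.png": b"ciphertext-of-a"},
)

if __name__ == "__main__":
    print(serialize(SAMPLE))
    print(resolve(parse(serialize(SAMPLE)), "CN=Bob"))
```

Selecting the EncryptedKey by the `Recipient` attribute is the shortcut taken here for illustration; a real recipient would match the EncryptedKey's ds:KeyInfo (X509SubjectName, or issuer and serial) against its own certificate. The `dangling_key_names` check is the consistency test worth running before shipping a container: every KeyName an EncryptedData references must be carried by at least one EncryptedKey, or no recipient can open that file.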
