OASIS Mailing List Archives

wss message


Subject: Issue 84 - Use of Decryption Transform


I believe the summary of this issue given at the last meeting was inaccurate or at least confusing. It has been dormant so long, I had forgotten what it was about. Here is what I believe the situation is.

The decryption transform was invented to allow the XML Signature and XML Encryption specifications to be combined, when not using a scheme like WSS to specify the order of overlapping operations. The decryption transform essentially says to the receiver: before you check this signature you must decrypt the data, and thus verify the signature over the cleartext.

My position for some time has been that the order of encryption and signature elements in the security header can specify any ordering that the decryption transform can, so it is unneeded in WSS. As a general principle, I oppose having two ways to do exactly the same thing.

(Note, this prohibition only applies to signatures in the security header. Applications can include signatures which specify the decryption transform in the body. WSS will neither prohibit nor process these.)

When this was last discussed, Tony claimed there was a use case in which the decryption transform was required. I have been waiting to see that use case. If there is one, I will be happy to agree to allowing the use of the decryption transform. Last week I spoke to Mike McIntosh privately and he indicated that he intends to describe the use case.

In any event, I do not believe this is my action item.

Hal
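The two encodings Hal is contrasting, shown side by side as an added illustration that is not part of the original message or of the WSS specification text. Both fragments are constructed: the element ids (`#body`, `#enc-body`), the key names and the digest and signature values are placeholders, and the actual XML Encryption and Signature content is elided. The first fragment relies on the WSS prepending rule (a receiver processes `wsse:Security` sub-elements in document order, so the `xenc:ReferenceList` that appears first is processed before the `ds:Signature` that follows it, and the signature is therefore checked over the already-decrypted body). The second fragment carries the same instruction inside the signature itself, as a `ds:Transform` whose algorithm is the W3C Decryption Transform identifier `http://www.w3.org/2002/07/decrypt#XML`. From a receiver's standpoint the hazard of allowing both is that a signature verifier must then understand and honour a transform that performs decryption, which widens the code path a validator has to get right; the ordering rule keeps decryption and verification as separate, sequential steps.

```xml
<!-- Constructed example: ordering expressed by the wsse:Security header alone.
     The sender signed the cleartext body, then encrypted it, and prepended
     each step's element; the receiver processes top to bottom, so it
     decrypts #enc-body first and then verifies the signature over #body. -->
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <S:Header>
    <wsse:Security>
      <!-- Step 2 (prepended last, processed first): which data to decrypt. -->
      <xenc:ReferenceList>
        <xenc:DataReference URI="#enc-body"/>
      </xenc:ReferenceList>
      <!-- Step 1 (processed second): signature over the cleartext body. -->
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#body">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body wsu:Id="body">
    <xenc:EncryptedData Id="enc-body" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </S:Body>
</S:Envelope>

<!-- Constructed example: the same instruction carried by the decryption
     transform inside the signature. Here the header order conveys nothing;
     the ds:Reference itself tells the verifier to decrypt the referenced
     content before canonicalizing and digesting it. This is the form Hal
     argues is redundant for signatures placed in the security header. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#body">
      <ds:Transforms>
        <!-- Decryption Transform for XML Signature: decrypt the encrypted
             descendants of #body, then continue with the remaining transforms. -->
        <ds:Transform Algorithm="http://www.w3.org/2002/07/decrypt#XML"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
</ds:Signature>
```

In both cases the digest is computed over the cleartext of `#body`, which is what lets a receiver that only holds the decryption key and the signer's public key confirm the message was signed before it was encrypted. The difference is only where the "decrypt first" instruction lives: in the header ordering, or in the signature's transform chain.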

