Firewall Wizards mailing list archives

RE: XML tag encryption?


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Wed, 5 Jun 2002 15:14:39 -0500



I'm figuring that just about 95% of the software engineers out
there, if they were going to embed a credit card number would do
exactly that!! Maybe they'd use a syntax more like:
<ccno type=amex>3744 342298 98000</ccno>

RS> Yes we have seen this numerous times, and the tendency to use technology
like SSL just encourages the use.


Joking aside, the solution we're talking about is just another
boundary data-processor. It could just as easily be an awk
script that strips out <ccno> tags, or a fancier script that
shoves them through pgp. The value of this "solution" if it
has any is in the integration it offers the customer. The
market will tell.

RS> Forgive me if I am wrong, but I can see a market for encrypting tags by
themselves.  If the raw data is confidential and one needs to integrate
feeds between a certain entity, then data encryption at the XML level
should work.  I am sure that is what the XML security extensions are being
designed for.  Hence a client requests a resource from a server.  It's an
XML feed of data containing a credit card number.  In such a case:

<ccno type=visa>xY53jS95hfn@[s+ws2#4jths</ccno>

The client would send this data to a payment processor that would have the
ability to decrypt this value.  So in effect the data is passing through the
client, even though the client can't decrypt the data... (it doesn't need
to)

The algorithms etc. are embedded in DTDs or something... I forget
exactly, but the java.sun site has information on this.

I think encrypting the tags is akin to encrypting the database column names.

But then again, I may have lost the plot.

Cheers
R/




Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries
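
The boundary data-processor mentioned in the quoted text (a script that strips `<ccno>` content), sketched as an added example that is not part of the original message. It assumes masking in place of the pgp step, uses an XML parser rather than awk, and refuses feeds it cannot inspect; `scrub_feed`, `mask_pan`, `RejectedFeed` and the sample feed are names and data constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

TAG = "ccno"  # element name from the thread's sample


class RejectedFeed(Exception):
    """The feed could not be inspected, so the boundary refuses to forward it."""


def mask_pan(text):
    """Keep only the last four digits; separators and stray markup are dropped."""
    digits = re.sub(r"\D", "", text)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def scrub_feed(xml_text):
    """Return (scrubbed_xml, hits). Fails closed on anything unparseable."""
    # A DOCTYPE can carry entity definitions; refuse it instead of expanding it.
    if "<!DOCTYPE" in xml_text.upper():
        raise RejectedFeed("DOCTYPE not allowed at the boundary")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise RejectedFeed(f"not well-formed XML: {exc}") from exc

    hits = 0
    for elem in list(root.iter()):
        # Compare the local name so a namespaced <p:ccno> is caught as well.
        if elem.tag.rsplit("}", 1)[-1] != TAG:
            continue
        # itertext() also collects digits hidden inside child elements.
        masked = mask_pan("".join(elem.itertext()))
        for child in list(elem):
            elem.remove(child)
        elem.text = masked
        hits += 1
    return ET.tostring(root, encoding="unicode"), hits


# Constructed sample feed; the card number is the one quoted in the thread.
SAMPLE = (
    '<order xmlns:p="urn:example:pay"><id>17</id>'
    '<ccno type="amex">3744 342298 98000</ccno>'
    '<p:ccno type="amex">3744 <b>342298</b> 98000</p:ccno></order>'
)

if __name__ == "__main__":
    print(scrub_feed(SAMPLE))
```

The thread's literal sample, with its unquoted `type=amex` attribute, is not well-formed XML, so this filter rejects it where a line-oriented awk pattern would pass it through silently.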


