Changes in XML Encryption Syntax and Processing (1.1 Editors Draft)

Frederick Hirsch
Magnus Nyström
$Date: 2010/03/15 16:45:40 $

Status of this Document

This document summarizes the changes that the XML Security Working Group has made to the XML Encryption Syntax and Processing Specification in preparing a proposed 1.1.

Discussion of Changes

General Changes

Updated to use ReSpec.js

Cover page

Updated to Version 1.1, updated date and version links. Updated editor information to add Magnus Nyström and Kelvin Yiu as editors.

Status of this document

Updated to reflect status of 1.1 version.

Table of Contents

Add subsections to section 3.5 for key derivation.

Add subsections to section 5 for algorithm subsections.

Split Section 10, References, into Normative and Informative reference subsections.

Section 1.4 Acknowledgements

Update to Acknowledgements

3.1 The EncryptedType Element

Fixed typo, "descendants"

3.1.1 The CipherReference Element

Clarified that the syntax of URI and Transforms is defined in XML Signature.

3.5.1 The EncryptedKey Element

Fixed typos, "inherited", "unambiguous"

3.5.2 The DerivedKey element

Added new subsection describing this new ds:KeyInfo child.

Added the following:

Section 3.7 The EncryptionProperties element

Added section for EncryptionProperties Element identifier.

4. Processing Rules

Refactored 4.1-4.4 to clarify which parts of the processing model are normative and which are not; added Type parameter for EXI; added processing for EXI.

5.1 Algorithm Identifiers and Implementation Requirements

Added text regarding consensus issues on mandatory to implement algorithms

Added AES-128|192|256-pad key wrap mechanisms as OPTIONAL.


Changed SHA-256 to REQUIRED

Added SHA-384 as OPTIONAL

Added Canonical XML 1.1 (omit comments) as OPTIONAL

Added Canonical XML 1.1 with comments as OPTIONAL

Removed Message Authentication (not normative)

Added key derivation algorithms, ConcatKDF as REQUIRED, PBKDF2 as OPTIONAL.

Added Key Agreements: Diffie-Hellman Key Agreement (Ephemeral-Static mode) with Legacy Key Derivation Function and explicit Key Derivation Functions as OPTIONAL, and Elliptic Curve Diffie-Hellman (Ephemeral-Static mode) as REQUIRED.

Fixed typo, "refer"

5.4 Key Derivation

New section added defining two key derivation algorithms, ConcatKDF and PBKDF2.

5.5.1 RSA Version 1.5

Updated RFC 2437 to RFC 3447. Adjusted section reference appropriately.

Added CipherValue to CipherData example.

5.5.2 RSA-OAEP

Updated RFC 2437 to RFC 3447. Adjusted section references appropriately.

5.6 Key Agreement

Added paragraph on declaration of Key derivation algorithms using xenc11:KeyDerivationMethod using the xenc:AgreementMethodType.

Updated example to include KeyDerivationMethod.

5.6.2 Diffie-Hellman Key Agreement

Moved identifier from this section to new section on legacy KDF, section

Modified discussion to include use of KDF to produce secret key using explicit or legacy KDFs.

Clarified implementation requirements.

Diffie-Hellman Key Agreement with explicit Key Derivation Functions

New section describing explicit key derivation functions.

Diffie-Hellman Key Agreement with Legacy Key Derivation Function

New section containing identifier and original material for KDF described in previous version of XML Encryption. Clarified implementation requirement.

5.6.3 Elliptic Curve Diffie-Hellman (ECDH) Key Values

New section defining ECDH key value URI and use.

5.6.4 Elliptic Curve Diffie-Hellman (ECDH) Key Agreement (Ephemeral-Static Mode)

New section defining ECDH-ES key agreement algorithm URI and use.

5.7 Symmetric Key Wrap

Revised introduction paragraph and description for clarity.

Removed Section 5.6.1 - Checksums - as it was not required after making the change to 5.6.2 and 5.6.3 (see below).

Removed detailed, step-by-step description of Triple-DES key wrap from (what used to be) 5.6.2, replaced with reference to IETF RFC 3217.

Removed detailed, step-by-step description of AES key wrap from (what used to be) 5.6.3, replaced with reference to RFC 3397.

Section 5.7.3: Changed reference from DRAFT-HOUSLEY-KW-PAD to AES-WRAP-PAD to match changed tag associated with RFC publication.

5.8 Message Digest

Added text to explain reason for discouraging use of SHA-1.

5.8.1 SHA1

Removed REQUIRED for SHA1.

5.8.2 SHA256


5.8.3 SHA384

Added new section for SHA384.

Message Authentication (section 5.8 in previous version of XML Encryption)

Section deleted as per resolution on WG call 200900602.

5.9.1 Inclusive Canonicalization

Added XML Canonicalization 1.1 (both omitting and with comments)

6.3 Nonce and IV (Initialization Value or Vector)

Fixed typos, "initialization", "resistance"

Schema and Valid Examples

Fixed typo, "exercises"

Added XML Encryption 1.1 XSD Schema instance

Removed "Examples" from section title.

10 References

Split references section into normative and informative sections.

Added links for references

Updated SHA reference to FIPS-186-3

Updated XML Signature reference to XML Signature 1.1

Updated Glossary RFC 2828 to RFC 4949

Added Media Types RFC 3023 update to MIME-REG RFC 2048 reference

Updated UTF-8 RFC 2279 to RFC 3629

Updated URI RFC 3406 to RFC 3986

Updated X509v3 from ISO/IEC 9594-8:1997 to 9594-8:2001, added link

Updated RFC 1750 to RFC 4086

Updated RFC 2396 to RFC 3986

Updated RFC 2437 to RFC 3447

Updated Reference for FIPS-186-3 to reflect final publication.

Added reference to recent work on SHA-1 analysis (to be changed once paper appears on

Updated the following references to reflect final publication: AES-WRAP, SHA, XML-DSIG, XMLDSIG11, Glossary, MIME-REG, and UTF-8.

Replaced reference DRAFT-HOUSLEY-KW-PAD with AES-WRAP-PAD now that the reference has been published as RFC 5649.

Added web link for ANSI X9.52.

Removed the old XML Signature reference, retaining only reference for Signature 1.1, naming it XML-DSIG.

Added informative reference to ANSI X9.44-2007.

Reformatted and sorted by using ReSpec.js bibliography tool (updated common bibliography)