Subtree (element-wise) encryption is a good and straightforward solution for XML Encryption
and fits most situations. The encrypted entity can be transferred to
the client without additional encryption on the transport layer (such as SSL).
The XML entities can be stored encrypted on the (potentially insecure and vulnerable)
web server. Decisions about access rights to different portions of the document can
be made by the document creator and applied immediately to the XML document.
Encryption has to be applied to each document individually, but, in analogy to Extensible
Stylesheet Language Transformations (XSLT), it should be possible to apply an “encryption
policy stylesheet” to an XML document, allowing an automatic encryption process
based on a defined policy.
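As an added example (not code from the paper), the policy-driven subtree encryption sketched above: a policy maps element names to key ids, each matched subtree is replaced in place by an xenc:EncryptedData element, and a client holding only some of the keys restores only the subtrees it is entitled to see. The sample record, the policy, the key ids and the HMAC-based stand-in cipher are constructed assumptions; XML Encryption itself specifies AES.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"   # XML Encryption namespace
DS = "http://www.w3.org/2000/09/xmldsig#"    # XML Signature namespace (ds:KeyInfo)
ET.register_namespace("xenc", XENC); ET.register_namespace("ds", DS)
# Constructed sample record and policy: each policy entry names the (hypothetical)
# key id a requester must hold to see that subtree; KEYS are demo values only.
SAMPLE_XML = ("<record><name>A. Patient</name><diagnosis>Hypertension</diagnosis>"
              "<billing><card>4111</card></billing></record>")
POLICY = {"diagnosis": "medical", "billing": "finance"}
KEYS = {"medical": b"m" * 32, "finance": b"f" * 32}

def _stream_xor(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only the
    # standard library; XML Encryption itself specifies AES via EncryptionMethod.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):  # nonce || ciphertext || HMAC tag (encrypt-then-MAC)
    nonce = os.urandom(16)
    ct = _stream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    return _stream_xor(key, nonce, ct)

def _encrypt_subtrees(elem, policy, keys):
    # Replace each policy-matched child by xenc:EncryptedData; recurse only into
    # children left in clear, so a matched subtree becomes opaque as a whole.
    for idx, child in enumerate(list(elem)):
        kid = policy.get(child.tag)
        if kid is None:
            _encrypt_subtrees(child, policy, keys); continue
        enc = ET.Element(f"{{{XENC}}}EncryptedData", {"Type": XENC + "Element"})
        ET.SubElement(ET.SubElement(enc, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName").text = kid
        cv = ET.SubElement(ET.SubElement(enc, f"{{{XENC}}}CipherData"), f"{{{XENC}}}CipherValue")
        cv.text = base64.b64encode(seal(keys[kid], ET.tostring(child))).decode()
        elem.remove(child); elem.insert(idx, enc)

def _decrypt_subtrees(elem, keys):
    # A client restores only the subtrees whose key it holds; the rest stay opaque.
    for idx, child in enumerate(list(elem)):
        if child.tag != f"{{{XENC}}}EncryptedData":
            _decrypt_subtrees(child, keys); continue
        kid = child.find(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName").text
        if kid in keys:
            blob = base64.b64decode(child.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue").text)
            elem.remove(child); elem.insert(idx, ET.fromstring(unseal(keys[kid], blob)))

def encrypt_document(xml_text, policy, keys):
    root = ET.fromstring(xml_text); _encrypt_subtrees(root, policy, keys); return ET.tostring(root, encoding="unicode")

def decrypt_document(xml_text, keys):
    root = ET.fromstring(xml_text); _decrypt_subtrees(root, keys); return ET.tostring(root, encoding="unicode")
```

A requester with only the medical key gets the diagnosis back while the billing subtree stays an opaque EncryptedData element, which is the per-portion access right the document creator fixed in the policy.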
SERVER-SIDE ACCESS CONTROL
In contrast to this model, server-side access control has much more flexibility in the resulting
document, because the confidentiality transformation is not constrained to
complete subtrees. Pruning sensitive or classified information prevents the requesting
client from accessing it, but during the transfer to the client
there is a need for additional encryption on the transport layer (such as SSL). The access
control processor needs to be secure and trustworthy, because this centralised element
has access to the complete information base. A disadvantage is the need to make
AC decisions online.
The access rights for a specific document have to be added to the ACL (access control
list) database. An advantage of this model is the ability to apply a specific ACL to a
large class of documents (based on DTD/Schema).
Table 1: Comparison between the existing models (disadvantages are marked grey)
It would be nice to get the best of both subtree encryption and server-side AC:
- allow unencrypted (visible) content within an encrypted subtree
- does not need a trustworthy online access control processor (only encryption, no online
- no need for additional encryption