Now there is a way around dropping application/pgp in favour of bare cipher text, as I hinted at earlier. Instead of encrypting a symmetric key in the ACL file, you could also encrypt a private key from a key pair. If that key pair is used to represent a group of people, you can use its public key to produce the application/pgp encrypted data, without any modifications.
The only danger lies in then using this key pair for multiple documents: don't! It would rob you of the ability to safely update one encrypted document without also updating all others. Remember, if the document revision changes, you should regenerate the key used to encrypt it, in order to prevent people who had access to prior revisions from automatically having access to all future revisions as well.
In that sense, it was somewhat misleading when I said the key pair is used to represent a group of people. It isn’t, and shouldn’t be seen that way. It’s really representative of the fact that you want to grant a specific group of people access to a specific revision of a document. That goes somewhat against the grain of PGP use, where a key pair represents identity, so be warned!
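The per-revision key pair described above, as an added sketch that is not code from the original post. It assumes the third-party `cryptography` package, uses RSA-OAEP as a stand-in for PGP public-key encryption, and invents a minimal ACL layout (`key`, `grants`) purely for illustration.

```python
import secrets
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSA-OAEP stands in for PGP public-key encryption (assumption of this example).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def publish_revision(fragment, readers):
    """Encrypt one revision under a fresh key pair; return (ciphertext, acl).

    `readers` maps a name to that reader's public key. The acl layout is
    hypothetical: the revision private key, sealed under a random secret,
    plus that secret encrypted once per reader.
    """
    rev_key = new_key()  # never reused for another document or revision
    secret = secrets.token_hex(32).encode()
    sealed = rev_key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(secret))
    grants = {name: pub.encrypt(secret, OAEP) for name, pub in readers.items()}
    # Direct OAEP limits the fragment to 190 bytes; PGP would go hybrid here.
    ciphertext = rev_key.public_key().encrypt(fragment, OAEP)
    return ciphertext, {"key": sealed, "grants": grants}

def open_revision_key(acl, name, identity_key):
    """Recover the revision private key using one reader's identity key."""
    secret = identity_key.decrypt(acl["grants"][name], OAEP)
    return serialization.load_pem_private_key(acl["key"], password=secret)

def demo():
    alice, bob = new_key(), new_key()  # constructed sample readers
    ct1, acl1 = publish_revision(b"<foaf:mbox>rev 1</foaf:mbox>",
                                 {"alice": alice.public_key(), "bob": bob.public_key()})
    bobs_old_key = open_revision_key(acl1, "bob", bob)  # Bob keeps a copy
    # Revision 2: Bob is dropped, and the key pair is regenerated.
    ct2, acl2 = publish_revision(b"<foaf:mbox>rev 2</foaf:mbox>",
                                 {"alice": alice.public_key()})
    try:
        bobs_old_key.decrypt(ct2, OAEP)
        bob_locked_out = False
    except ValueError:  # wrong key: OAEP decryption fails
        bob_locked_out = True
    return {"bob_rev1": bobs_old_key.decrypt(ct1, OAEP),
            "alice_rev2": open_revision_key(acl2, "alice", alice).decrypt(ct2, OAEP),
            "bob_in_acl2": "bob" in acl2["grants"],
            "bob_locked_out": bob_locked_out}
```

Had revision 2 reused the revision 1 key pair, the copy Bob retained would have decrypted it even though the ACL no longer lists him.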
So there you have it — a scheme by which you can encrypt parts of an XML document, grant fine-grained control over who gets to see the encrypted data, and optionally simplify processing by using external references rather than embedding information.
And it can be applied to FOAF. There are some changes to FOAF that suggest themselves once you want to selectively encrypt parts of a FOAF file, but that’s not going to be covered here. This post has been long enough already.

