CipherReference identifies a source which, when processed,
yields the encrypted octet sequence.
The actual value is obtained as follows. The CipherReference URI
contains an identifier that is dereferenced. Should the
CipherReference element contain an OPTIONAL sequence of
Transforms, the data resulting from dereferencing the URI is
transformed as specified so as to yield the intended cipher value. For
example, if the value is base64 encoded within an XML document, the
transforms could specify an XPath expression followed by a base64 decoding so
as to extract the octets.
The syntax of the URI and Transforms is similar to that of
[XML-DSIG]. However, there is a difference between signature and encryption
processing. In [XML-DSIG] both generation and validation processing start
with the same source data and perform the transforms in the same order. In
encryption, the decryptor has only the cipher data and the specified
transforms are enumerated for the decryptor, in the order necessary to obtain
the octets. Consequently, because it has different semantics, Transforms is in
the &xenc; namespace.
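
The decryptor-side processing described above, as an added example that is not part of the specification text: the URI is dereferenced, then each listed transform is applied in document order (XPath selection, then base64 decoding). The names `resolve_cipher_reference`, `RESOURCES` and `fetch` are hypothetical, the referenced document is constructed, and the XPath step is simplified to ElementTree's path subset, taking the text of the selected element.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
XPATH_ALG = "http://www.w3.org/TR/1999/REC-xpath-19991116"
B64_ALG = "http://www.w3.org/2000/09/xmldsig#base64"

# Constructed sample: the resource behind the URI, kept in memory so this runs offline.
RESOURCES = {
    "http://example.org/ciphervalues.xml":
        b'<vals><CipherValue Id="example1">3q2+7w==</CipherValue></vals>',
}
# Constructed CipherReference: Transforms is in the xenc namespace, Transform in ds.
CIPHER_REFERENCE = f"""<CipherReference xmlns="{XENC}" URI="http://example.org/ciphervalues.xml">
  <Transforms>
    <ds:Transform xmlns:ds="{DS}" Algorithm="{XPATH_ALG}">
      <ds:XPath>.//CipherValue[@Id='example1']</ds:XPath>
    </ds:Transform>
    <ds:Transform xmlns:ds="{DS}" Algorithm="{B64_ALG}"/>
  </Transforms>
</CipherReference>"""

def resolve_cipher_reference(xml_text, fetch=RESOURCES.__getitem__):
    """Return the cipher octets identified by a CipherReference element."""
    ref = ET.fromstring(xml_text)
    if ref.tag != f"{{{XENC}}}CipherReference":
        raise ValueError("not an xenc CipherReference")
    data = fetch(ref.attrib["URI"])                    # dereference the URI
    transforms = ref.find(f"{{{XENC}}}Transforms")     # OPTIONAL element
    steps = [] if transforms is None else transforms.findall(f"{{{DS}}}Transform")
    for t in steps:                                    # applied in the listed order
        alg = t.get("Algorithm")
        if alg == XPATH_ALG:
            # Simplification: select one element and keep its text content.
            node = ET.fromstring(data).find(t.findtext(f"{{{DS}}}XPath"))
            if node is None:
                raise ValueError("XPath transform selected nothing")
            data = (node.text or "").encode()
        elif alg == B64_ALG:
            data = base64.b64decode(data, validate=True)
        else:
            # Refuse transforms the decryptor does not explicitly implement.
            raise ValueError(f"unsupported transform: {alg}")
    return data
```
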
The schema definition is as follows: