ws-security xkms use case extension

Should XKMS be usable in the context of WS-Security? It should
be, since WS-Security makes extensive use of keys and signatures, but does not
depend fully on ds:KeyInfo.

Consider the case where you have an XML Signature in the
WS-Security SOAP header, and this signature has a ds:KeyInfo
containing a SecurityTokenReference element (defined in WS-Security).

This SecurityTokenReference element points to a binary security token,
also in the WS-Security header.

In this context, I might expect to use XKMS to validate the key
(X.509 certificate) in the binary security token, for example.

Using XKMS I would expect to submit a validate request containing two
items, the KeyInfo AND the binary security token. In addition, the request must indicate that this
is the security token case, and the linkage between the two.

Does this require any change to XKMS? 

Proposed use:

1. The ValidateRequest contains a QueryKeyBinding. This includes the ds:KeyInfo as part of the
QueryKeyBinding abstract type definition. QueryKeyBinding schema can be extended
to include a place for the binary security token (ExtendedQueryKeyBinding) and passed in the ValidateRequest.
Is this true?

2. How to specify this use case?
UseKeyWith Application = URI for WSSecurity/BinarySecurityToken
Identifier = wsse:KeyIdentifier or wsu:Id

This won't work, since Identifier is a string-valued attribute. But it looks like the schema
is open, allowing an extension of UseKeyWithType to allow element content if so needed.

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones

Received on Thursday, 19 December 2002 10:38:46 UTC
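The message exchange sketched above, as an added illustration that is not part of the original post nor any XKMS or WS-Security specification text: a WS-Security header whose ds:KeyInfo holds a wsse:SecurityTokenReference, the client-side step that follows that reference to the wsse:BinarySecurityToken it names, the XKMS ValidateRequest built from the two, and the linkage check a responder would run before validating the certificate. The wsse/wsu namespace URIs are the later OASIS WSS 1.0 ones (the 2002 drafts used different URIs), the extension element's namespace `urn:example:xkms-wss-extension`, the `Application` URI, the `Service` URI and the certificate bytes are all constructed placeholders, and the extension element itself is the hypothetical "ExtendedQueryKeyBinding" slot the post proposes, not anything defined by XKMS.

```python
import base64
import copy
import xml.etree.ElementTree as ET

# Real namespace URIs for XML Signature, XKMS 2.0 and OASIS WSS 1.0 (the WSS
# URIs post-date the 2002 drafts discussed in the post; chosen for illustration).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xkms": "http://www.w3.org/2002/03/xkms#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Hypothetical values: neither XKMS nor WS-Security defines these.
EXT_NS = "urn:example:xkms-wss-extension"              # slot for the token in QueryKeyBinding
WSS_BST_APPLICATION = "urn:example:ws-security:BinarySecurityToken"  # UseKeyWith/@Application
XKMS_SERVICE = "urn:example:xkms-service"

def q(prefix, local):
    """Clark-notation name {uri}local as ElementTree expects it."""
    return "{%s}%s" % (NS[prefix], local)

# Constructed sample: not a real certificate, just bytes that base64-decode cleanly.
FAKE_CERT_BYTES = b"constructed-not-a-real-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_BYTES).decode()

# Constructed WS-Security header: the Signature's KeyInfo does not carry the key,
# it carries a SecurityTokenReference whose URI points at the token's wsu:Id.
SAMPLE_HEADER = """
<soap:Header xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
  <wsse:Security>
    <wsse:BinarySecurityToken wsu:Id="X509Token"
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">{cert}</wsse:BinarySecurityToken>
    <ds:Signature>
      <ds:SignedInfo/>
      <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
      <ds:KeyInfo>
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#X509Token"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
  </wsse:Security>
</soap:Header>""".format(cert=FAKE_CERT_B64, **NS)

def parse_header(text):
    return ET.fromstring(text)

def resolve_security_token_reference(header):
    """Follow KeyInfo/SecurityTokenReference/Reference/@URI to the one
    BinarySecurityToken whose wsu:Id matches. Returns (key_info, token)."""
    key_info = header.find(".//" + q("ds", "KeyInfo"))
    if key_info is None:
        raise ValueError("no ds:KeyInfo in the signature")
    ref = key_info.find("./%s/%s" % (q("wsse", "SecurityTokenReference"), q("wsse", "Reference")))
    if ref is None or not ref.get("URI", "").startswith("#"):
        raise ValueError("KeyInfo does not carry a same-document SecurityTokenReference")
    wanted = ref.get("URI")[1:]
    matches = [el for el in header.iter(q("wsse", "BinarySecurityToken"))
               if el.get(q("wsu", "Id")) == wanted]
    if len(matches) != 1:   # dangling or ambiguous reference: refuse rather than guess
        raise ValueError("reference %r resolves to %d tokens, expected 1" % (wanted, len(matches)))
    return key_info, matches[0]

def build_validate_request(header, request_id="I-constructed-1"):
    """Client side: ValidateRequest carrying the signed KeyInfo, a UseKeyWith that names
    the token by its wsu:Id (Identifier is string-valued, so only the id fits there),
    and the token itself in a hypothetical extension element."""
    key_info, token = resolve_security_token_reference(header)
    req = ET.Element(q("xkms", "ValidateRequest"), {"Id": request_id, "Service": XKMS_SERVICE})
    qkb = ET.SubElement(req, q("xkms", "QueryKeyBinding"))
    qkb.append(copy.deepcopy(key_info))
    ET.SubElement(qkb, q("xkms", "UseKeyWith"),
                  {"Application": WSS_BST_APPLICATION, "Identifier": token.get(q("wsu", "Id"))})
    ext = ET.SubElement(qkb, "{%s}BinarySecurityToken" % EXT_NS)   # hypothetical extension
    ext.append(copy.deepcopy(token))
    return req

def check_linkage(req):
    """Responder side: the embedded token must be the one the KeyInfo's reference names,
    and UseKeyWith/@Identifier must agree, before anything is validated."""
    qkb = req.find(q("xkms", "QueryKeyBinding"))
    ref = qkb.find(".//" + q("wsse", "Reference"))
    token = qkb.find("./{%s}BinarySecurityToken/%s" % (EXT_NS, q("wsse", "BinarySecurityToken")))
    ukw = qkb.find(q("xkms", "UseKeyWith"))
    if ref is None or token is None or ukw is None:
        return False
    token_id = token.get(q("wsu", "Id"))
    return ref.get("URI") == "#" + token_id and ukw.get("Identifier") == token_id

def extract_token_bytes(req):
    """Raw (base64-decoded) token bytes the responder would hand to its X.509 validation."""
    token = req.find(".//{%s}BinarySecurityToken/%s" % (EXT_NS, q("wsse", "BinarySecurityToken")))
    return base64.b64decode(token.text.strip())

if __name__ == "__main__":
    req = build_validate_request(parse_header(SAMPLE_HEADER))
    print(ET.tostring(req).decode())
    print("linkage ok:", check_linkage(req))
```

The linkage check is the part worth keeping even if the extension element ends up elsewhere: a responder that validates whatever certificate the extension happens to contain, without confirming it is the token the signed KeyInfo actually points at, would be answering a different question than the one the signature verifier needs answered.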