W3C home > Mailing lists > Public > www-xkms@w3.org > November 2002

XKMS and WS-Security

From: <Frederick.Hirsch@nokia.com>
Date: Wed, 27 Nov 2002 15:13:39 -0500
Message-ID: <E320A8529CF07E4C967ECC2F380B0CF90106753B@bsebe001.americas.nokia.com>
To: <www-xkms@w3.org>

I have a question regarding the use of XKMS
in conjunction with WS-Security.

I'm thinking that a WS-Security endpoint might wish to use an XKMS
server to validate an X.509 security token. This could be a 
BinarySecurityToken with ValueType wsse:X509v3 for example. Since 
WS-Security recommends the use of such tokens instead
of KeyInfo, to make use of XKMS I would expect to pass in such a token 
to the XKMS server.

Is that a reasonable use case? Is the alternative to transform the token 
into the appropriate KeyInfo structure?

If it makes sense to pass a token directly to the XKMS server, would it 
make sense to add an optional element to the KeyBindingAbstractType to 
allow a WS-Security token to be passed to the XKMS server in a 
QueryKeyBinding?

Should we make the KeyBindingAbstractType

<sequence>
    <choice
       <element ref="xkms:KeyInfo" minOccurs="0"/>
       <element ref="wsse:BinarySecurityToken" minOccurs="0"/>
    </choice>
    <element KeyUsage" minOccurs="0" maxOccurs="3"/>
    <element UseKeyWith" minOccurs="0" maxOccurs="unbounded"/>
    <element ref="xkms:PolicyIdentifier" minOccurs="0
        maxOccurs="unbounded"/>
</sequence>

with text to indicate that the ValueType is restricted to types the XKMS 
server is prepared to process?

regards, Frederick
 
Frederick Hirsch
Nokia Mobile Phones
Received on Wednesday, 27 November 2002 15:14:56 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:39:18 GMT