
RE: XKMS and WS-Security

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Wed, 27 Nov 2002 19:16:38 -0800
Message-ID: <CE541259607DE94CA2A23816FB49F4A34D600A@vhqpostal6.verisign.com>
To: Frederick.Hirsch@nokia.com, www-xkms@w3.org
No, doing that would require that XKMS included the WSSE schema
which is not yet finished.

There are two ways that we could go forward, one would be to put back
the original any - which has problems (to say the least!) The other would
be to define an extended form of KeyBinding that allowed a security token
to be included.

We should probably consider this case carefully. I am not convinced that
security reference is the way forward. I would prefer to index the
objects that security reference can index, or more likely specify
them directly.

We should at any rate work out a mechanism that allows us to add
an element into a key binding without having to rely on any or require
us to redefine each of the derived key binding types.

I am somewhat unconvinced as to the applicability of the XKMS
messages to non-PKI security tokens. Kerberos tickets are closely
bound to the idea of key exchange (see my work on XKASS). Anything like
a SAML token is at a layer where one would expect the management
protocol to be able to rely on a PKI for authentication, the lack
of which (bootstrap problem) is a major constraint on XKRSS.

		Phill

> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> Sent: Wednesday, November 27, 2002 3:14 PM
> To: www-xkms@w3.org
> Subject: XKMS and WS-Security
> 
> 
> 
> I have a question regarding the use of XKMS
> in conjunction with WS-Security.
> 
> I'm thinking that a WS-Security endpoint might wish to use an XKMS
> server to validate an X.509 security token. This could be a
> BinarySecurityToken with ValueType wsse:X509v3 for example. Since
> WS-Security recommends the use of such tokens instead of KeyInfo,
> to make use of XKMS I would expect to pass in such a token
> to the XKMS server.
> 
> Is that a reasonable use case? Is the alternative to transform the
> token into the appropriate KeyInfo structure?
> 
> If it makes sense to pass a token directly to the XKMS server, would
> it make sense to add an optional element to the KeyBindingAbstractType
> to allow a WS-Security token to be passed to the XKMS server in a
> QueryKeyBinding?
> 
> Should we make the KeyBindingAbstractType
> 
> <sequence>
>     <choice>
>        <element ref="xkms:KeyInfo" minOccurs="0"/>
>        <element ref="wsse:BinarySecurityToken" minOccurs="0"/>
>     </choice>
>     <element ref="xkms:KeyUsage" minOccurs="0" maxOccurs="3"/>
>     <element ref="xkms:UseKeyWith" minOccurs="0" maxOccurs="unbounded"/>
>     <element ref="xkms:PolicyIdentifier" minOccurs="0"
>         maxOccurs="unbounded"/>
> </sequence>
> 
> with text to indicate that the ValueType is restricted to types the
> XKMS server is prepared to process?
> 
> regards, Frederick
>  
> Frederick Hirsch
> Nokia Mobile Phones
> 
> 

Received on Wednesday, 27 November 2002 22:16:48 GMT
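As an added example (not from either message, nor from the XKMS or WS-Security drafts), a Python sketch of the alternative Frederick raises: converting a wsse:X509v3 BinarySecurityToken into the ds:KeyInfo that an XKMS QueryKeyBinding already accepts, and refusing any other ValueType in the spirit of his "restricted ValueType" text. The WSSE namespace URI, the sample header and the ValidateRequest/QueryKeyBinding element names are assumptions of the example.

```python
import base64
import io
import xml.etree.ElementTree as ET

# xmldsig and XKMS 2.0 URIs are the W3C ones; the WSSE URI is the 2002 draft
# namespace and is an assumption of this example.
WSSE = "http://schemas.xmlsoap.org/ws/2002/07/secext"
DS = "http://www.w3.org/2000/09/xmldsig#"
XKMS = "http://www.w3.org/2002/03/xkms#"
ET.register_namespace("ds", DS)
ET.register_namespace("xkms", XKMS)

# Constructed sample header; the token body is a base64 placeholder, not a
# real DER certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed DER placeholder").decode()
SAMPLE_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}">
  <wsse:BinarySecurityToken ValueType="wsse:X509v3"
      EncodingType="wsse:Base64Binary">{SAMPLE_CERT_B64}</wsse:BinarySecurityToken>
</wsse:Security>"""


def token_to_key_info(header_xml: str) -> ET.Element:
    """Rebuild a wsse:X509v3 BinarySecurityToken as ds:KeyInfo/ds:X509Data;
    any other ValueType is refused (the 'restricted ValueType' rule)."""
    ns_map, root = {}, None
    for event, obj in ET.iterparse(io.BytesIO(header_xml.encode()), ("start-ns", "start")):
        if event == "start-ns":
            ns_map[obj[0]] = obj[1]  # prefix -> URI, to resolve the ValueType QName
        elif root is None:
            root = obj
    tok = root.find(f"{{{WSSE}}}BinarySecurityToken")
    if tok is None:
        raise ValueError("no wsse:BinarySecurityToken in header")
    prefix, _, local = tok.get("ValueType", "").rpartition(":")
    if (ns_map.get(prefix), local) != (WSSE, "X509v3"):
        raise ValueError(f"unsupported ValueType {tok.get('ValueType')!r}")
    # ds:X509Certificate carries base64 DER too, so a validated decode/re-encode is the whole step.
    der = base64.b64decode((tok.text or "").strip(), validate=True)
    key_info = ET.Element(f"{{{DS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    ET.SubElement(x509_data, f"{{{DS}}}X509Certificate").text = base64.b64encode(der).decode()
    return key_info


def build_validate_request(header_xml: str) -> str:
    """Wrap the KeyInfo in XKMS ValidateRequest/QueryKeyBinding (element names
    taken from the 2002 XKMS 2.0 drafts; assumed here)."""
    req = ET.Element(f"{{{XKMS}}}ValidateRequest")
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    qkb.append(token_to_key_info(header_xml))
    return ET.tostring(req, encoding="unicode")
```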
