W3C home > Mailing lists > Public > www-xkms@w3.org > May 2007

Re: XKMS RegisterRequest -> PKCS10 Conversion

From: Stefan Lischke <lischke@googlemail.com>
Date: Wed, 16 May 2007 13:16:31 +0200
Message-ID: <464AE80F.7020008@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: www-xkms@w3.org

Thanx for pointing me to RFC4210,

I understood that in CMP PoP (proof of possession) can be done in
following ways (register request):

-certification request for a signing key pair
* signing publicKey or sender+publicKeyMac at the Client

-certification request for an encryption key pair
* send private key with request
* Indirect Method: sending back an encrypted certificate, so the client
can only read it when he really owns the privat key
* Challenge-Response Protocol : asking the client to sign something to
verify possession of private key

XKMS is doing PoP with signing the whole <PrototypeKeyBinding> subtree.

So the XKMS-Server can validate ownership of private key, but the
XKMS-Server can not forward this RegisterRequest with CMP to a next
CAuthority, cause he can not provide any of the 3 ways defined above.

So any ideas on how to use an XKMS-Server as Gateway to any CMP or P#10
interfaced PKI?

thanx in advance


Stephen Farrell schrieb:
> Check out the PKIX WG page for CMC & CMP [1]. CMC
> is probably the more popular, though neither protocol
> is that widely deployed. (Or have things changed?)
> You could try a p#10 that's unsiged or signed by
> some other key. I think a lot of products have
> some way to handle p#10 where the signature doesn't
> verify.
> It would be a mistake to get a well-signed p#10
> out of the xkms client since then you're getting
> no benefit from the angle-brackets and shouldn't
> use X-KRSS (you can still benefit from X-KISS
> later of course),
> S.
> [1] http://www.ietf.org/html.charters/pkix-charter.html
> Stefan Lischke wrote:
>> Hi Stephen,
>> Cause many Trustcenters only have simple HTTP p#10 web-interfaces. You
>> send a p#10 request and get a signed certificate with p#7. So
>> unfortunatly i have to use this format ;-(
>> So any Ideas?
>> btw. i'm new to all this security stuff, can you please explain CMS/CMP.
>> Google won't help me with these abbreviations. ;-)
>> Stefan
>> Stephen Farrell schrieb:
>>> Why p#10 out of the xkms server? Using CMC (or even CMP)
>>> would be more appropriate.
>>> Stephen.
>>> Stefan Lischke wrote:
>>>> Hi,
>>>> I have a question about the following use-case. Does anyone has any
>>>> experiences or maybe done the same or has any ideas.
>>>> An XKMS-Client sends an XKRSS-RegisterRequest for certification of an
>>>> already created key-pair. This RegisterRequest is signed with the
>>>> private key with XMLSig at the Client. Now this Request needs to be
>>>> transformed to a PKCS10 Request at the XKMS-Server. But the PKCS10
>>>> Request must also be signed, but the XKMS-Server does not have the
>>>> private key.
>>>> Any Ideas?
>>>> * Maybe send a sign-Request to the XKMS-Client to sign the created
>>>> PKCS10?
>>>> * Is there a way of sending PKCS10 Data inside XKMS?
>>>> thanx in advance for any help or suggestion
>>>> Stefan
Received on Wednesday, 16 May 2007 11:16:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:44 UTC