- From: <Frederick.Hirsch@nokia.com>
- Date: Thu, 19 Dec 2002 10:37:58 -0500
- To: <www-xkms@w3.org>
Should XKMS be usable in the context of WS-Security? It should be, since WS-Security makes extensive use of keys and signatures, but it does not depend fully on ds:KeyInfo.

Consider the case where you have an XML Signature in the WS-Security SOAP header, and this signature has a ds:KeyInfo containing a SecurityTokenReference element (defined in WS-Security). This SecurityTokenReference element points to a binary security token, also in the WS-Security header. In this context, I might expect to use XKMS to validate the key (X.509 certificate) in the binary security token, for example. Using XKMS I would expect to submit a validate request containing two items, the KeyInfo AND the binary security token. In addition, the request must indicate that this is the security token case and the linkage.

Does this require any change to XKMS?

Proposed use:

1. The ValidateRequest contains a QueryKeyBinding. This includes the ds:KeyInfo as part of the QueryKeyBinding abstract type definition. The QueryKeyBinding schema can be extended to include a place for the binary security token (ExtendedQueryKeyBinding) and passed in the ValidateRequest. Is this true?

2. How to specify this use case?

   UseKeyWith
     Application = URI for WSSecurity/BinarySecurityToken
     Identifier = wsse:KeyIdentifier or wsu:Id

   This won't work since Identifier is a string-valued attribute. But it looks like the schema is open, allowing an extension of UseKeyWithType to allow element content if so needed.

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones
Received on Thursday, 19 December 2002 10:38:46 UTC
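The request shape proposed in the message above, worked through as an added example; this is not code from the post, nor from the XKMS or WS-Security specifications. It builds a ValidateRequest whose ds:KeyInfo carries a wsse:SecurityTokenReference with a local URI reference, places the wsse:BinarySecurityToken directly inside QueryKeyBinding as a stand-in for the hypothetical ExtendedQueryKeyBinding extension point, and then performs the linkage check a validating service would need: follow the reference to the embedded token and refuse to proceed when it is external, unresolvable or ambiguous. Assumptions: the wsse/wsu namespace URIs are the 2002 draft values, the ValueType/EncodingType strings, the UseKeyWith Application URI, the Service URL and the token bytes are all constructed for illustration; the XKMS 2.0 and XML Signature namespaces are the real ones.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace URIs. XKMS 2.0 and XML Signature values are real; the wsse/wsu
# values are the 2002 WS-Security draft URIs and, like the attribute values
# used below, are assumptions made for this example.
NS = {
    "xkms": "http://www.w3.org/2002/03/xkms#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/07/secext",
    "wsu": "http://schemas.xmlsoap.org/ws/2002/07/utility",
}

# Constructed sample token: NOT a real certificate, just bytes to carry.
SAMPLE_TOKEN = b"constructed-sample-x509-bytes"
SAMPLE_TOKEN_ID = "SecurityToken-1"

# Hypothetical UseKeyWith Application URI for the security-token case.
WSSE_BST_APPLICATION = NS["wsse"] + "#BinarySecurityToken"


def build_validate_request(token_id, token_bytes, ref_uri=None):
    """Build a ValidateRequest in the proposed shape.

    The ds:KeyInfo holds a wsse:SecurityTokenReference pointing (by local
    URI) at a wsse:BinarySecurityToken carried next to it inside
    QueryKeyBinding. Carrying the token there stands in for the hypothetical
    ExtendedQueryKeyBinding; the XKMS schema itself defines no such slot.
    """
    ref_uri = ref_uri if ref_uri is not None else "#" + token_id
    token_b64 = base64.b64encode(token_bytes).decode("ascii")
    return f"""<xkms:ValidateRequest xmlns:xkms="{NS['xkms']}"
    xmlns:ds="{NS['ds']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
    Id="ValidateRequest-1" Service="http://xkms.example.invalid/">
  <xkms:RespondWith>{NS['xkms']}X509Cert</xkms:RespondWith>
  <xkms:QueryKeyBinding>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="{ref_uri}"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xkms:UseKeyWith Application="{WSSE_BST_APPLICATION}"
                     Identifier="{token_id}"/>
    <wsse:BinarySecurityToken wsu:Id="{token_id}" ValueType="wsse:X509v3"
        EncodingType="wsse:Base64Binary">{token_b64}</wsse:BinarySecurityToken>
  </xkms:QueryKeyBinding>
</xkms:ValidateRequest>"""


def resolve_security_token(request_xml):
    """Resolve the SecurityTokenReference in the request's KeyInfo to the
    BinarySecurityToken carried in the same QueryKeyBinding and return the
    decoded token bytes.

    Every failed step raises ValueError: a service that fell back to
    validating whatever token happened to be present would be answering a
    question the client did not ask.
    """
    root = ET.fromstring(request_xml)
    qkb = root.find("xkms:QueryKeyBinding", NS)
    if qkb is None:
        raise ValueError("no QueryKeyBinding in request")

    ref = qkb.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None or not ref.get("URI", "").startswith("#"):
        raise ValueError("KeyInfo must carry a local SecurityTokenReference")
    wanted_id = ref.get("URI")[1:]

    # Exactly one embedded token must carry the referenced wsu:Id.
    id_attr = "{%s}Id" % NS["wsu"]
    matches = [t for t in qkb.iterfind("wsse:BinarySecurityToken", NS)
               if t.get(id_attr) == wanted_id]
    if len(matches) != 1:
        raise ValueError("reference %r resolves to %d tokens, expected 1"
                         % (wanted_id, len(matches)))
    token = matches[0]

    if token.get("ValueType") != "wsse:X509v3":
        raise ValueError("unsupported ValueType %r" % token.get("ValueType"))
    if token.get("EncodingType") != "wsse:Base64Binary":
        raise ValueError("unsupported EncodingType")
    try:
        return base64.b64decode((token.text or "").strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("token is not valid base64") from exc


def linkage_rejected(request_xml):
    """True when the request's token linkage cannot be established."""
    try:
        resolve_security_token(request_xml)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    req = build_validate_request(SAMPLE_TOKEN_ID, SAMPLE_TOKEN)
    print(req)
    print("resolved token:", resolve_security_token(req))
    dangling = build_validate_request(SAMPLE_TOKEN_ID, SAMPLE_TOKEN,
                                      ref_uri="#SomeOtherToken")
    print("dangling reference rejected:", linkage_rejected(dangling))
```

The resolver deliberately accepts only local (`#id`) references: an external URI in the SecurityTokenReference would turn the validation service into a fetcher of attacker-chosen documents, and the whole point of carrying the token inside the request is that the service evaluates exactly the bytes the client bound to the KeyInfo.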