XKMS and WS-Security

Currently the XKMS working group at the W3C is producing a specification
to allow public key registration, management and validation using a
web services interface [1]. This can be used to enable lightweight client integration
with public key management systems such as PKI.

The current XKMS specification assumes the use of ds:KeyInfo to convey key information, but
the XML schema is also designed to be extensible.

The WS-Security work uses a slightly different model than XML Signature and XML Encryption,
in that key information is typically conveyed in a security token, such as defined in the
WSS X509 binding, referenced from KeyInfo using a SecurityTokenReference.

One potential issue is that both the ds:KeyInfo (containing a SecurityTokenReference) and the token
might need to be conveyed to an XKMS server for validation. Currently the XKMS specification defines
a mechanism where only the KeyInfo is conveyed. A potential solution is to extend the schema to 
define an element to convey both (extend QueryKeyBinding), and extend UseKeyWith definitions for WSS.
Another alternative is for a client to construct a single KeyInfo incorporating the necessary token 
information before using XKMS.

I am posting this message to both the XKMS and WSS lists to raise awareness of the possible relationship
of the two activities, to mention the technical issue, and to understand both potential solutions as well
as process suggestions.

Is the use of XKMS in conjunction with WS-Security a reasonable model for public key pairs? Does it make
sense to address the XKMS validation of X509 tokens in the X509 binding document? 

regards, Frederick
 
Frederick Hirsch
Nokia Mobile Phones


[1] http://www.w3.org/2001/XKMS/

Received on Thursday, 19 December 2002 13:22:02 UTC
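The second alternative in the post, a client folding the referenced token into a single ds:KeyInfo before calling XKMS, as an added example that is not part of the original message or of any XKMS or WS-Security specification. It resolves the wsse:SecurityTokenReference in a signature's KeyInfo to the wsse:BinarySecurityToken it points at, builds a plain ds:KeyInfo carrying the certificate, and wraps it in an xkms:ValidateRequest. The namespace URIs are the published WSS 1.0 and XKMS 2.0 values rather than the 2002 drafts; the certificate content, service URL, identifiers and the UseKeyWith Application value are constructed placeholders (a WSS-specific UseKeyWith value is exactly what the post proposes defining). A dangling reference or a token that is not a base64 X509v3 certificate is rejected instead of guessed at, since a KeyInfo that only refers to a token carries nothing an XKMS service could validate.

```python
"""Added example: merge a WSS X.509 token into a self-contained ds:KeyInfo and
wrap it in an XKMS ValidateRequest. Not code from the post or any spec."""
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XKMS = "http://www.w3.org/2002/03/xkms#"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
X509V3 = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-x509-token-profile-1.0#X509v3")
BASE64 = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for prefix, uri in (("ds", DS), ("xkms", XKMS), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

# Constructed stand-in for certificate content; a real token carries base64 DER.
CONSTRUCTED_CERT = base64.b64encode(b"constructed-placeholder-not-a-DER-cert").decode()

# Constructed wsse:Security header in the shape the post describes: the token,
# and a signature whose KeyInfo only refers to it via a SecurityTokenReference.
SECURITY_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="{X509V3}"
      EncodingType="{BASE64}">{CONSTRUCTED_CERT}</wsse:BinarySecurityToken>
  <ds:Signature>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#X509Token" ValueType="{X509V3}"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""


def resolve_token(security: ET.Element, key_info: ET.Element) -> ET.Element:
    """Follow the SecurityTokenReference in key_info to the BinarySecurityToken
    with the matching wsu:Id in the same header. Fails closed on a dangling
    reference or on a token that is not a base64-encoded X509v3 certificate."""
    ref = key_info.find(f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    if ref is None or not (ref.get("URI") or "").startswith("#"):
        raise ValueError("KeyInfo carries no local SecurityTokenReference")
    wanted = ref.get("URI")[1:]
    for token in security.iter(f"{{{WSSE}}}BinarySecurityToken"):
        if token.get(f"{{{WSU}}}Id") != wanted:
            continue
        if token.get("ValueType") != X509V3 or token.get("EncodingType") != BASE64:
            raise ValueError("referenced token is not a base64 X509v3 certificate")
        return token
    raise ValueError(f"token {wanted!r} is not present in the security header")


def build_key_info(token: ET.Element) -> ET.Element:
    """Build a plain ds:KeyInfo (X509Data/X509Certificate) that an XKMS service
    can consume without any knowledge of WSS security tokens."""
    key_info = ET.Element(f"{{{DS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    cert = ET.SubElement(x509_data, f"{{{DS}}}X509Certificate")
    cert.text = (token.text or "").strip()
    base64.b64decode(cert.text, validate=True)  # reject malformed token content
    return key_info


def build_validate_request(key_info: ET.Element, service: str,
                           application: str, identifier: str,
                           request_id: str = "req-1") -> ET.Element:
    """Wrap the merged KeyInfo in an xkms:ValidateRequest/QueryKeyBinding,
    asking the service to answer with the certificate it validated."""
    req = ET.Element(f"{{{XKMS}}}ValidateRequest",
                     {"Id": request_id, "Service": service})
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = f"{XKMS}X509Cert"
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding", {"Id": "qkb-1"})
    qkb.append(key_info)
    ET.SubElement(qkb, f"{{{XKMS}}}UseKeyWith",
                  {"Application": application, "Identifier": identifier})
    return req


def merge_for_xkms(security_xml: str, service: str, identifier: str) -> str:
    """Client-side step from the post: turn a KeyInfo that merely references a
    WSS token into one that carries the certificate, then serialise the request."""
    security = ET.fromstring(security_xml)
    key_info = security.find(f"{{{DS}}}Signature/{{{DS}}}KeyInfo")
    if key_info is None:
        raise ValueError("no ds:Signature/ds:KeyInfo in the security header")
    token = resolve_token(security, key_info)
    # "urn:example:wss:x509-token" is a constructed placeholder Application value.
    req = build_validate_request(build_key_info(token), service,
                                 "urn:example:wss:x509-token", identifier)
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    print(merge_for_xkms(SECURITY_HEADER, "http://xkms.example.test/", "urn:example:client"))
```

The resulting request contains no WSS-specific elements, which is the point of the alternative: the XKMS service sees an ordinary ds:KeyInfo with an X509Certificate, while the client keeps responsibility for checking that the reference really resolved to the token that signed the message.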