- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Wed, 27 Nov 2002 19:16:38 -0800
- To: Frederick.Hirsch@nokia.com, www-xkms@w3.org
- Message-ID: <CE541259607DE94CA2A23816FB49F4A34D600A@vhqpostal6.verisign.com>
No, doing that would require that XKMS included the WSSE schema which is not yet finished.

There are two ways that we could go forward, one would be to put back the original any - which has problems (to say the least!) The other would be to define an extended form of KeyBinding that allowed a security token to be included.

We should probably consider this case carefully. I am not convinced that security reference is the way forward. I would prefer to index the objects that security reference can index, or more likely specify them directly.

We should at any rate work out a mechanism that allows us to add an element into a key binding without having to rely on any or require us to redefine each of the derived key binding types.

I am somewhat unconvinced as to the applicability of the XKMS messages to non-PKI security tokens. Kerberos tickets are closely bound to the idea of key exchange (see my work on XKASS). Anything like a SAML token is at a layer where one would expect the management protocol to be able to rely on a PKI for authentication, the lack of which (bootstrap problem) is a major constraint on XKRSS.

Phill

> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> Sent: Wednesday, November 27, 2002 3:14 PM
> To: www-xkms@w3.org
> Subject: XKMS and WS-Security
>
> I have a question regarding the use of XKMS in conjunction with WS-Security.
>
> I'm thinking that a WS-Security endpoint might wish to use an XKMS
> server to validate an X.509 security token. This could be a
> BinarySecurityToken with ValueType wsse:X509v3 for example. Since
> WS-Security recommends the use of such tokens instead of KeyInfo, to
> make use of XKMS I would expect to pass in such a token to the XKMS
> server.
>
> Is that a reasonable use case? Is the alternative to transform the
> token into the appropriate KeyInfo structure?
>
> If it makes sense to pass a token directly to the XKMS server, would it
> make sense to add an optional element to the KeyBindingAbstractType to
> allow a WS-Security token to be passed to the XKMS server in a
> QueryKeyBinding?
>
> Should we make the KeyBindingAbstractType
>
>   <sequence>
>     <choice>
>       <element ref="xkms:KeyInfo" minOccurs="0"/>
>       <element ref="wsse:BinarySecurityToken" minOccurs="0"/>
>     </choice>
>     <element ref="xkms:KeyUsage" minOccurs="0" maxOccurs="3"/>
>     <element ref="xkms:UseKeyWith" minOccurs="0" maxOccurs="unbounded"/>
>     <element ref="xkms:PolicyIdentifier" minOccurs="0" maxOccurs="unbounded"/>
>   </sequence>
>
> with text to indicate that the ValueType is restricted to types the
> XKMS server is prepared to process?
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia Mobile Phones
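The alternative Frederick raises, transforming a wsse:BinarySecurityToken into the ds:KeyInfo that an xkms:QueryKeyBinding already carries, is shown below as an added example; it is not code from the thread or from any XKMS implementation. It assumes the OASIS WSS 1.0 namespace URIs (the 2002 drafts used different ones), approximates XKMS 2.0 element names for the ValidateRequest, and uses a constructed SOAP header whose token body is base64 of a placeholder string rather than a real certificate. The ValueType allow-list implements the restriction Frederick asks for: tokens of a type the XKMS front end is not prepared to process are rejected before anything reaches the PKI layer.

```python
"""Added example: map a WS-Security BinarySecurityToken onto ds:KeyInfo
and wrap it in an XKMS ValidateRequest.  Namespaces, the allow-lists and
the sample header are assumptions/constructed, not taken from the thread."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xkms": "http://www.w3.org/2002/03/xkms#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# ValueTypes this hypothetical XKMS front end is prepared to process: the
# QName form from the 2002 drafts and the URI form from the OASIS X.509
# token profile.  Anything else is refused rather than guessed at.
SUPPORTED_VALUE_TYPES = {
    "wsse:X509v3",
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3",
}
SUPPORTED_ENCODINGS = {
    "wsse:Base64Binary",
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary",
}

# Constructed sample header with one X.509v3 token.  The token body is the
# base64 of "CONSTRUCTED-SAMPLE-CERT", not a real certificate.
SAMPLE_HEADER = """<soap:Header xmlns:soap="{soap}" xmlns:wsse="{wsse}">
  <wsse:Security>
    <wsse:BinarySecurityToken ValueType="wsse:X509v3"
        EncodingType="wsse:Base64Binary">Q09OU1RSVUNURUQtU0FNUExFLUNFUlQ=</wsse:BinarySecurityToken>
  </wsse:Security>
</soap:Header>""".format(**NS)


def extract_tokens(header_xml):
    """Return (ValueType, EncodingType, text) for every BinarySecurityToken."""
    root = ET.fromstring(header_xml)
    tag = "{%s}BinarySecurityToken" % NS["wsse"]
    return [(bst.get("ValueType", ""), bst.get("EncodingType", ""), (bst.text or "").strip())
            for bst in root.iter(tag)]


def token_to_keyinfo(value_type, encoding_type, text):
    """Map one X.509v3 token onto ds:KeyInfo/ds:X509Data/ds:X509Certificate.

    Refuses ValueTypes and encodings the server does not process, and checks
    that the payload is well-formed base64 (binascii.Error, a ValueError
    subclass, is raised on junk) before it is handed to the PKI layer."""
    if value_type not in SUPPORTED_VALUE_TYPES:
        raise ValueError("unsupported ValueType: %r" % value_type)
    if encoding_type not in SUPPORTED_ENCODINGS:
        raise ValueError("unsupported EncodingType: %r" % encoding_type)
    der = base64.b64decode(text, validate=True)
    if not der:
        raise ValueError("empty token body")
    key_info = ET.Element("{%s}KeyInfo" % NS["ds"])
    x509_data = ET.SubElement(key_info, "{%s}X509Data" % NS["ds"])
    cert = ET.SubElement(x509_data, "{%s}X509Certificate" % NS["ds"])
    cert.text = base64.b64encode(der).decode("ascii")  # canonical re-encoding
    return key_info


def build_validate_request(header_xml, service="urn:example:xkms-placeholder"):
    """Wrap the first token in an XKMS ValidateRequest/QueryKeyBinding.

    Element names approximate XKMS 2.0 (assumption); Service and Id are
    placeholders, and KeyUsage is fixed to Signature for illustration."""
    tokens = extract_tokens(header_xml)
    if not tokens:
        raise ValueError("no BinarySecurityToken in header")
    key_info = token_to_keyinfo(*tokens[0])
    req = ET.Element("{%s}ValidateRequest" % NS["xkms"],
                     Service=service, Id="placeholder-request-id")
    ET.SubElement(req, "{%s}RespondWith" % NS["xkms"]).text = NS["xkms"] + "X509Cert"
    qkb = ET.SubElement(req, "{%s}QueryKeyBinding" % NS["xkms"])
    qkb.append(key_info)
    ET.SubElement(qkb, "{%s}KeyUsage" % NS["xkms"]).text = NS["xkms"] + "Signature"
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    print(build_validate_request(SAMPLE_HEADER))
```

The point of the allow-list check is the one Frederick's closing sentence makes: whichever way the token is carried, the server's prose (or schema) has to say which ValueTypes it will accept, and a token of any other type should fail closed rather than be coerced into KeyInfo.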
Received on Wednesday, 27 November 2002 22:16:48 UTC