- From: Aleksey Sanin <aleksey@aleksey.com>
- Date: Wed, 30 Apr 2003 22:03:20 -0700
- To: www-xkms@w3.org
Hi, All! I am preparing to do the XKMS 2 implementation in XML Security Library (http://www.aleksey.com/xmlsec) and after reading the spec I found some issues: 0) As far as can see, there is no way to specify the desired key type (RSA/DSA/...) in <xkms:LocateRequest/> or <xkms:ValidateRequest/>. This is not a major problem because XKISS server may return a list of keys but I think that in most case the desired key type is known to the client and could be used to narrow key search on the server side (and reduce network traffic :) ). For example, I can easily imagine that RSA and DSA keys would be stored in different database tables. Key type may limit key search to one table instead of two. 1) It does not seem that there is a way to use symmetric keys. While public key cryptography is became more and more afordable, there are still situations when symmetric key cryptography is usefull either because of performance, legacy or some other reasons. An use case example might be a couple of high traffic servers when one stores some sensitive data on the client in an encrypted format (say, in cookies) and another one decrypt this data. These two servers may use XKISS server as a central keys storage (for example, to provide keys rotation). Using symmetric keys might be desirable because of performance reasons as well as small encrypted data size. 2) In the schema for <xkms:ValidityInreval/> element "NotBefore" and "NotAfter" attributes do not have "use=\"optional\"" specified. 3) The "maxOccurs=\"3\"" for <xkms:KeyUsage/> element may prevent schema extension in the future, I would suggest to change this to "maxOccurs=\"unbound\"". Most likely it's already too late to for any changes but I would like to note these issues. Also I wonder if there exist any kind of interop test suite (I could not find one on the XKMS working group page). Thanks, Aleksey Sanin
Received on Thursday, 1 May 2003 01:04:03 UTC