www-xkms@w3.org mailing list archive, December 2005

Re: Determining Server or Client use in XKMS

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Fri, 02 Dec 2005 22:26:58 +0000
Message-ID: <4390CA32.1020206@cs.tcd.ie>
To: "Vicente D. Guardiola Buitrago" <vicentedavid81@yahoo.es>
CC: www-xkms@w3.org

The problem is the slippery slope. If your xkms responder is
in front of an X.509 PKI, then there're a million different
potential options that could apply. If we were to allow each
of those to be explicitly represented in the xkms protocol,
then we'd be back with CMC/CMP and we do know that more or
less no-one's using those.

So, my take would be to use different URLs where possible, but
of course maybe there're specific arguments to do otherwise in
some circumstances. I can't think of any right now though.

In the particular case, you have to configure the service
URLs in any case, so why not give out different ones to
clients (mozilla, firefox etc.) and servers (apache, etc.)?
(Or, your responder could be clever about who's a client
and who isn't, e.g. based on some internal/enterprise-level


Vicente D. Guardiola Buitrago wrote:
> Hello,
> I've been thinking about the solution you gave me in this e-mail but I
> want to give another situation: HTTPS.
> In HTTPS the Server/Client roles are clearly differentiated. Then, in
> the case I want to make a registration request for a Certificate to use
> in HTTPS, I need to know if it will be used as server or client.
> According to your recommendation, I have to publish the service in a URL
> in which clients request HTTPS Server Certificates and another in which
> clients request HTTPS Client Certificates. But, in this situation, every
> client that wants to use my service has to know that, depending on the
> requested data, they have to use different URLs, so a client has to be
> aware of this kind of peculiarity that depends on the concrete XKMS
> server.
> Are we right on this approach? Should we continue in this direction or
> address the problem in a different way?
> Thanks a lot,
> Vicente D. Guardiola
> University of Murcia (Spain)
> Stephen Farrell wrote:
>> I guess you could either define a new UseKeyWith for a VPN g/w
>> (is this really for tunnel mode g/w? there aren't really any
>> clients/servers for IPsec are there.)
>> Or, just configure different service URLs on the responder, so
>> that requests to one use profile A, whereas requests to the
>> other use profile B.
>> 2nd one should be easier I guess, so long as the same entity
>> isn't playing both IPsec "roles" at different times.
>> S.
>> Vicente D. Guardiola Buitrago wrote:
>>> Hello,
>>> I'm implementing an XKMS Server and I've a doubt.
>>> My underlying PKI is based on X.509 Certificates, and the problem
>>> arises when I have to check the KeyUsage and UseKeyWith for the
>>> requested Key binding in the found certificates. For instance, let
>>> there be a Request with a UseKeyWith for IPSEC with IP A.B.C.D and
>>> KeyUsage Signature and Encryption. This is a typical request, but in
>>> X.509 Certificates I need to know if the certificate is going to be
>>> used in a Client or a Server, because the necessary extensions are
>>> different in either situation.
>>> Then, the question is, how can I determine if a request is for a
>>> Client or a Server?
>>> Thanks,
>>> Vicente Guardiola
>>> University of Murcia (Spain)
Received on Friday, 2 December 2005 22:27:56 UTC
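The thread's suggestion is that the service URL a request arrives on decides the client/server role, and the responder then checks each candidate X.509 certificate's KeyUsage, ExtendedKeyUsage and SubjectAltName against the request's KeyUsage and UseKeyWith elements before answering. The Python below is an added example of that policy check; it is not code from the thread or from the University of Murcia responder. The service URLs, the XKMS-to-X.509 KeyUsage mapping, the per-role ExtendedKeyUsage table, the dict representation of certificates (in place of parsed DER) and the sample certificates are all constructed assumptions; the ExtendedKeyUsage OIDs (RFC 5280) and the `urn:ietf:rfc:2818` UseKeyWith application URI (XKMS 2.0, TLS/HTTPS) are real identifiers.

```python
"""Role-by-endpoint selection for an XKMS responder in front of an X.509 PKI.

Added example, not code from the thread. Certificates are plain dicts holding
the extensions the check needs (constructed sample data), not parsed DER.
"""

# X.509 ExtendedKeyUsage OIDs (RFC 5280, section 4.2.1.12).
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# XKMS 2.0 UseKeyWith application URI for TLS/HTTPS.
APP_HTTPS = "urn:ietf:rfc:2818"

# Hypothetical service URLs: the role is implied by which endpoint was called,
# so the responder never has to guess it from the request body.
SERVICE_ROLES = {
    "https://xkms.example.edu/xkms/https-server": "server",
    "https://xkms.example.edu/xkms/https-client": "client",
}

# Assumed mapping from XKMS KeyUsage values to the X.509 KeyUsage bits they
# imply; a real deployment would take this from its CA policy.
XKMS_TO_X509_KEY_USAGE = {
    "Signature": {"digitalSignature"},
    "Encryption": {"keyEncipherment"},
    "Exchange": {"keyAgreement"},
}

# ExtendedKeyUsage required per (role, UseKeyWith application); assumed table.
ROLE_EKU = {
    ("server", APP_HTTPS): EKU_SERVER_AUTH,
    ("client", APP_HTTPS): EKU_CLIENT_AUTH,
}


def role_for_service_url(service_url):
    """Return 'server' or 'client' for a known endpoint; reject anything else."""
    try:
        return SERVICE_ROLES[service_url]
    except KeyError:
        raise ValueError("unknown XKMS service URL: %s" % service_url)


def required_x509_key_usage(xkms_key_usages):
    """Translate the request's KeyUsage elements into X.509 KeyUsage bits."""
    bits = set()
    for usage in xkms_key_usages:
        if usage not in XKMS_TO_X509_KEY_USAGE:
            raise ValueError("unknown XKMS KeyUsage: %s" % usage)
        bits |= XKMS_TO_X509_KEY_USAGE[usage]
    return bits


def certificate_matches(cert, role, application, identifier, needed_bits):
    """True if a candidate certificate satisfies role, key usage and identifier."""
    eku = ROLE_EKU.get((role, application))
    if eku is None or eku not in cert["extended_key_usage"]:
        return False          # wrong role for this endpoint, or unsupported app
    if not needed_bits <= cert["key_usage"]:
        return False          # certificate lacks a KeyUsage bit the request needs
    # XKMS defines the HTTPS identifier as the server's domain name; here every
    # identifier is simply required to appear in the certificate's SAN.
    return identifier in cert["subject_alt_names"]


def select_bindings(service_url, request, candidates):
    """Filter the 'found' certificates the way a responder would before replying."""
    role = role_for_service_url(service_url)
    needed_bits = required_x509_key_usage(request["KeyUsage"])
    selected = []
    for application, identifier in request["UseKeyWith"].items():
        for cert in candidates:
            if certificate_matches(cert, role, application, identifier, needed_bits):
                selected.append(cert["subject"])
    return selected


# Constructed sample certificates: one HTTPS server cert, one client cert, and a
# server cert that signs but cannot encipher keys.
SAMPLE_CERTS = [
    {"subject": "CN=www.example.edu",
     "key_usage": {"digitalSignature", "keyEncipherment"},
     "extended_key_usage": {EKU_SERVER_AUTH},
     "subject_alt_names": {"www.example.edu"}},
    {"subject": "CN=alice",
     "key_usage": {"digitalSignature"},
     "extended_key_usage": {EKU_CLIENT_AUTH},
     "subject_alt_names": {"alice@example.edu"}},   # constructed client identifier
    {"subject": "CN=www2.example.edu",
     "key_usage": {"digitalSignature"},
     "extended_key_usage": {EKU_SERVER_AUTH},
     "subject_alt_names": {"www2.example.edu"}},
]

# Constructed requests, as the responder would see them after parsing XKMS XML.
SERVER_REQUEST = {"UseKeyWith": {APP_HTTPS: "www.example.edu"},
                  "KeyUsage": ["Signature", "Encryption"]}
CLIENT_REQUEST = {"UseKeyWith": {APP_HTTPS: "alice@example.edu"},
                  "KeyUsage": ["Signature"]}

if __name__ == "__main__":
    url = "https://xkms.example.edu/xkms/https-server"
    print(select_bindings(url, SERVER_REQUEST, SAMPLE_CERTS))
```

Because the role comes from the endpoint, a client-certificate request sent to the server URL (or vice versa) yields no bindings rather than a certificate with the wrong extensions, which is the behaviour the thread's "different URLs per profile" approach is meant to give.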
