W3C home > Mailing lists > Public > www-xkms@w3.org > May 2005

Questions reg. XKMS spec

From: Kenneth Jensen <xmlsec@gmail.com>
Date: Tue, 17 May 2005 19:40:33 +0200
Message-ID: <c3f7464b050517104032cf2930@mail.gmail.com>
To: www-xkms@w3.org


I am currently finishing a thesis project centered around XKMS, and I
have a few questions, that I didn't know where else to ask than here,
although I am unsure if this is a "public" list.

Question 1) 
When a Locate service "locates" keybindings, it must match on elements
in the KeyInfo and the UseKeyWith (and KeyUsage) elements in the
The KeyBindingAbstractType allows for 0 UseKeyWith elements.
Does that mean that it is allowed to issue a query for a keybinding
matching a particular value of a key? Example (simplified):

  <RespondWith>Everything, please</RespondWith>

Does this not pose a security threat (although a practically ignorable one)? 
An attacker can generate a key and let an XKMS service "do the hard
work" of trying to find a matching target. I know the probability of
success is equal to a brute force attack, but the difference (as I see
it) is that this allows the attacker to relay the "key search work" 
to the XKMS service provider.

Question 2) 
Para 222 says that when invoking a Locate service, a Keybinding
matches the query, if:
    *  The key binding contains all the <UseKeyWith> elements
contained in the query, and
    *  The key binding contains all the <KeyInfo> elements contained
in the query.
What about the KeyUsage element? If the query is for a key for
signature verification, then returning an encryption key is of no use?
Is the KeyUsage neglected because some major PKIs don't
support/implement attributes corresponding to this?
Actually, in Para 176 it says:
"If a key usage is specified in a QueryKeyBinding however the key
usage forms part of the criteria the service should attempt to match."

(-and in my implementation KeyUsage IS significant for Locate operations :-)

Question 3) 
There are 3 values for KeyUsage defined, Encryption, Signature and KeyExchange.
I am missing an option for intermediate certificate authorities. Is
that left out on purpose? (and if so, may I ask the arguments for
doing so?) If it is not there, either the value "Signature" can be
interpreted as implying "signing certificates", or one will have to
implement a non-compliant value. I see a practical value of being able
to register CA's (off course not for root-certificates), but maybe I
am missing some point.

Then I have a few things in the spec I don't understand - perhaps

Para 218 ends with: 
"The <UnverifiedKeyBinding> elements returned are specified by the
Respond element in the request."
Shouldn't it say "by the RespondWith element in the request"? The
schema has no such element as <Respond> anyways.

I hope you can help me clear up these questions.

Thanks for your attention.
Received on Tuesday, 17 May 2005 17:52:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:31:44 UTC