- From: Kenneth Jensen <xmlsec@gmail.com>
- Date: Tue, 17 May 2005 19:40:33 +0200
- To: www-xkms@w3.org
Hello,

I am currently finishing a thesis project centered around XKMS, and I have a few questions that I didn't know where else to ask than here, although I am unsure if this is a "public" list.

Question 1)
When a Locate service "locates" keybindings, it must match on elements in the KeyInfo and the UseKeyWith (and KeyUsage) elements in the QueryKeyBinding. The KeyBindingAbstractType allows for 0 UseKeyWith elements. Does that mean that it is allowed to issue a query for a keybinding matching a particular value of a key?

Example (simplified):

    <QueryKeyBinding>
      <KeyInfo>
        <RSAKey>
          <Modulus>123</Modulus>
          <Exponent>456</Exponent>
        </RSAKey>
      </KeyInfo>
      <RespondWith>Everything, please</RespondWith>
    </QueryKeyBinding>

Does this not pose a security threat (although a practically ignorable one)? An attacker can generate a key and let an XKMS service "do the hard work" of trying to find a matching target. I know the probability of success is equal to a brute force attack, but the difference (as I see it) is that this allows the attacker to relay the "key search work" to the XKMS service provider.

Question 2)
Para 222 says that when invoking a Locate service, a Keybinding matches the query if:

* The key binding contains all the <UseKeyWith> elements contained in the query, and
* The key binding contains all the <KeyInfo> elements contained in the query.

What about the KeyUsage element? If the query is for a key for signature verification, then returning an encryption key is of no use? Is the KeyUsage neglected because some major PKIs don't support/implement attributes corresponding to this?

Actually, in Para 176 it says: "If a key usage is specified in a QueryKeyBinding however the key usage forms part of the criteria the service should attempt to match." (and in my implementation KeyUsage IS significant for Locate operations :-)

Question 3)
There are 3 values for KeyUsage defined: Encryption, Signature and KeyExchange. I am missing an option for intermediate certificate authorities. Is that left out on purpose? (And if so, may I ask the arguments for doing so?) If it is not there, either the value "Signature" can be interpreted as implying "signing certificates", or one will have to implement a non-compliant value. I see a practical value of being able to register CAs (of course not for root certificates), but maybe I am missing some point.

Then I have a few things in the spec I don't understand - perhaps errors/mistypings?

Para 218 ends with: "The <UnverifiedKeyBinding> elements returned are specified by the Respond element in the request." Shouldn't it say "by the RespondWith element in the request"? The schema has no such element as <Respond> anyways.

I hope you can help me clear up these questions. Thanks for your attention.

---
Cheers,
Kenneth
Received on Tuesday, 17 May 2005 17:52:33 UTC
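
The Locate matching rules quoted in the message (the two Para 222 bullets, the Para 176 KeyUsage criterion, and the key-value-only query from Question 1) can be expressed as a small predicate. This is an added example, not part of the original message or of the XKMS specification; the class, function and flag names, the `allow_key_only` policy switch, the rule that a binding with no KeyUsage is unrestricted, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyBinding:
    """Simplified stand-in for a (Query)KeyBinding; hypothetical model."""
    key_info: frozenset = frozenset()      # (Modulus, Exponent) pairs
    use_key_with: frozenset = frozenset()  # (Application, Identifier) pairs
    key_usage: frozenset = frozenset()     # Encryption / Signature / KeyExchange

def matches(query, binding, match_key_usage=True):
    """Para 222 bullets, optionally extended with the Para 176 criterion."""
    if not query.use_key_with <= binding.use_key_with:
        return False
    if not query.key_info <= binding.key_info:
        return False
    if match_key_usage and query.key_usage:
        # Assumption: a binding that lists no KeyUsage is unrestricted.
        if binding.key_usage and not query.key_usage <= binding.key_usage:
            return False
    return True

def locate(query, store, match_key_usage=True, allow_key_only=True):
    """Return every stored binding that matches the query.

    allow_key_only=False is a hypothetical service policy that refuses
    queries carrying KeyInfo but zero UseKeyWith (the case in Question 1).
    """
    if not allow_key_only and query.key_info and not query.use_key_with:
        raise ValueError("query by key value alone refused by policy")
    return [b for b in store if matches(query, b, match_key_usage)]

# Constructed sample data: one identity with a signing and an encryption key.
ALICE = frozenset({("urn:example:mail", "alice@example.com")})
ALICE_SIG = KeyBinding(frozenset({("123", "456")}), ALICE, frozenset({"Signature"}))
ALICE_ENC = KeyBinding(frozenset({("789", "456")}), ALICE, frozenset({"Encryption"}))
STORE = [ALICE_SIG, ALICE_ENC]

Q_SIG = KeyBinding(use_key_with=ALICE, key_usage=frozenset({"Signature"}))
Q_KEY_ONLY = KeyBinding(key_info=frozenset({("123", "456")}))

if __name__ == "__main__":
    print(len(locate(Q_SIG, STORE)))                         # KeyUsage honoured
    print(len(locate(Q_SIG, STORE, match_key_usage=False)))  # bullets only
    print(len(locate(Q_KEY_ONLY, STORE)))                    # key-value lookup
```

With only the two bullet rules applied, the signature query also returns the encryption binding; honouring KeyUsage narrows it to the signing key.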