Re: XKMS Implementation with CMC PKI

Hi Vincente,

I guess you mean using the id-cmc-getCert message in RFC 2797.
First, that's optional to implement for servers and I'd be
surprised if many did, though that's just a guess.

Anyway, if what you're doing is putting an XKMS front-end in front
of a CMC-based X.509 PKI then I don't think you want to use CMC
at just that point - my guess is you'd use LDAP and/or HTTP to fetch
some certs based on the XKMS Locate or Validate query, then run
those through the RFC 3280 algorithm (or not, as the case may be)
and then answer the XKMS query.

You'd only use CMC in that case in response to Register/Revoke
and perhaps Reissue requests. CMC (and CMP) is only really a
very basic certificate retrieval protocol.

I can say though that the *wrong* answer would be to try to
define an issuer/serial variant for XKMS Locate since that'd
require the XKMS client to parse the certificate in almost
all use cases. That'd be bad from an XKMS perspective.

Does that help?

I'd be interested in hearing more about your implementation,
to the extent that you can share that.

Cheers,
Stephen.

Vicente D. Guardiola Buitrago wrote:
> 
> Hello,
> 
> I'm implementing an XKMS Service and the underlying PKI implements the 
> CMC standard. But there are some "problems" in making a mapping between XKMS 
> operations and CMC, e.g., the CMC getCertificate service needs the Serial 
> Number of the Certificate you want to recover, but in XKMS we can 
> request a Certificate that matches an e-mail address, for example.
> 
> I want to know if someone has the same problem and if this kind of 
> problem is considered by the WG or there is some recommendation to use 
> a specific protocol to interact with the PKI.
> 
> Thanks
> 
> Vicente Guardiola

Received on Tuesday, 18 October 2005 16:57:44 UTC
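The Locate path Stephen sketches above (take the XKMS query, fetch matching certificates from a directory, hand them back in the XKMS answer, and leave CMC out of this step) is shown below as an added Python example. It is not code from this thread, from Vicente's service or from any XKMS implementation; it uses only the standard library. The service URL, the in-memory directory standing in for LDAP and the certificate bytes (placeholders, not real DER) are constructed for the example. The RFC 3280 path-validation step of Validate and the CMC Register/Revoke path are not shown. The mapping from the UseKeyWith Application URI `urn:ietf:rfc:2633` (S/MIME) to the `mail` attribute follows XKMS 2.0; any further Application-to-attribute mapping is a deployment choice, not something XKMS fixes. One point the reply does not spell out: the XKMS Identifier is client-supplied and ends up inside an LDAP search filter, so it must be escaped per RFC 4515 before it reaches the directory.

```python
"""XKMS 2.0 Locate front-end over a directory (illustrative, stdlib only).

Flow: parse LocateRequest -> translate UseKeyWith into an LDAP filter ->
search the directory -> wrap hits as UnverifiedKeyBinding/ds:X509Data.
DIRECTORY is an in-memory stand-in for the LDAP server, and the
certificate bytes are placeholders, not real DER (constructed data).
"""
import base64
import uuid
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SERVICE_URL = "http://xkms.example.com/locate"   # assumed service endpoint
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)

# UseKeyWith Application URI -> directory attribute carrying the Identifier.
# urn:ietf:rfc:2633 (S/MIME, Identifier = RFC 822 address) is from XKMS 2.0;
# extra entries would be a deployment decision.
APP_TO_ATTR = {"urn:ietf:rfc:2633": "mail"}

# Constructed sample directory: (attribute, value) -> list of DER certs.
DIRECTORY = {
    ("mail", "alice@example.com"): [b"\x30\x82\x00\x10placeholder-cert-alice"],
}

# Constructed sample request, as a client would send it over HTTP/SOAP.
SAMPLE_REQUEST = b"""<xkms:LocateRequest xmlns:xkms="http://www.w3.org/2002/03/xkms#"
    Id="I-req-1" Service="http://xkms.example.com/locate">
  <xkms:RespondWith>http://www.w3.org/2002/03/xkms#X509Cert</xkms:RespondWith>
  <xkms:QueryKeyBinding>
    <xkms:UseKeyWith Application="urn:ietf:rfc:2633" Identifier="alice@example.com"/>
  </xkms:QueryKeyBinding>
</xkms:LocateRequest>"""


def attr_for(application):
    attr = APP_TO_ATTR.get(application)
    if attr is None:
        raise ValueError("unsupported UseKeyWith Application: %s" % application)
    return attr


def ldap_escape(value):
    """RFC 4515 escaping for a filter assertion value.  The Identifier is
    attacker-controlled; unescaped, '*)(objectClass=*' rewrites the search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def locate_filter(application, identifier):
    """The LDAP search filter a real deployment would send for this query."""
    return "(&(objectClass=inetOrgPerson)(%s=%s))" % (
        attr_for(application), ldap_escape(identifier))


def make_locate_request(application, identifier, service=SERVICE_URL):
    """Client side: build a LocateRequest asking for X.509 certificates."""
    req = ET.Element("{%s}LocateRequest" % XKMS,
                     {"Id": "I" + uuid.uuid4().hex, "Service": service})
    ET.SubElement(req, "{%s}RespondWith" % XKMS).text = XKMS + "X509Cert"
    qkb = ET.SubElement(req, "{%s}QueryKeyBinding" % XKMS)
    ET.SubElement(qkb, "{%s}UseKeyWith" % XKMS,
                  {"Application": application, "Identifier": identifier})
    return ET.tostring(req)


def parse_locate_request(xml_bytes):
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}LocateRequest" % XKMS:
        raise ValueError("not an xkms:LocateRequest")
    ukw = root.find("./{%s}QueryKeyBinding/{%s}UseKeyWith" % (XKMS, XKMS))
    if ukw is None or not ukw.get("Application") or not ukw.get("Identifier"):
        raise ValueError("LocateRequest lacks a usable UseKeyWith")
    respond_with = [e.text.strip() for e in root.findall("{%s}RespondWith" % XKMS) if e.text]
    return {"id": root.get("Id"), "application": ukw.get("Application"),
            "identifier": ukw.get("Identifier"), "respond_with": respond_with}


def directory_search(application, identifier):
    """Stand-in for the LDAP search (exact match on the in-memory directory)."""
    return list(DIRECTORY.get((attr_for(application), identifier), []))


def build_locate_result(req, certs):
    res = ET.Element("{%s}LocateResult" % XKMS, {
        "Id": "I" + uuid.uuid4().hex, "Service": SERVICE_URL,
        "RequestId": req["id"], "ResultMajor": XKMS + "Success"})
    if not certs:
        res.set("ResultMinor", XKMS + "NoMatch")
    for der in certs:
        kb = ET.SubElement(res, "{%s}UnverifiedKeyBinding" % XKMS,
                           {"Id": "I" + uuid.uuid4().hex})
        if XKMS + "X509Cert" in req["respond_with"]:   # only if the client asked
            x509 = ET.SubElement(ET.SubElement(kb, "{%s}KeyInfo" % DS), "{%s}X509Data" % DS)
            ET.SubElement(x509, "{%s}X509Certificate" % DS).text = \
                base64.b64encode(der).decode("ascii")
        ET.SubElement(kb, "{%s}UseKeyWith" % XKMS,
                      {"Application": req["application"], "Identifier": req["identifier"]})
    return ET.tostring(res)


def handle_locate(xml_bytes):
    """Service side: LocateRequest bytes in, LocateResult bytes out."""
    req = parse_locate_request(xml_bytes)
    return build_locate_result(req, directory_search(req["application"], req["identifier"]))


def result_certificates(result_xml):
    """Client side: DER certificates carried in a LocateResult."""
    return [base64.b64decode(e.text)
            for e in ET.fromstring(result_xml).findall(".//{%s}X509Certificate" % DS)]


def result_minor(result_xml):
    return ET.fromstring(result_xml).get("ResultMinor")


if __name__ == "__main__":
    print(handle_locate(SAMPLE_REQUEST).decode())
```

The point Stephen makes about not defining an issuer/serial form of Locate is visible here: the client never touches a certificate to ask its question, and the service needs issuer and serial only if it later chooses to talk CMC for its own reasons, after it has parsed the directory hit itself. A Validate front-end would take the same certificates and run them through path validation before answering with a KeyBinding rather than an UnverifiedKeyBinding.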