Re: XKMS Implementation with CMC PKI

Hi Stephen, hi all,

thanks for your answer, which clarifies our doubt; we will be modifying 
our design and implementation in the direction you are suggesting in 
your email, i.e., the use of LDAP/HTTP for certificate 
recovery/validation (although SCVP and OCSP will be also supported in 
the case of certificate validation) and CMC/CMP for registering, 
revoking and reissuing certificates.

Regarding the details of our work, and as one of the persons in our 
group working on PKI-related issues, I can comment that we are designing 
the basic modules of an extensible XKMS proxy and developing them to 
build an XKMS front-end for PKI software; regarding our testing, it will 
be mainly based on our PKI implementation, named UMU-PKIv6 
(http://pki.dif.um.es) and the different scenarios (and tools) where we 
are currently using public crypto and certain XML-based message 
processing (some of them are listed at: http://pki.dif.um.es/environments/).

As soon as we progress on this, we will be glad to share our experience 
with you and the members of this list.


Thanks, regards, Gregorio

Gregorio Martinez, PhD
University of Murcia (UMU), Spain

> 
> Hi Vicente,
> 
> I guess you mean using the id-cmc-getCert message in RFC 2797.
> First, that's optional-to-implement for servers and I'd be
> surprised if many did do it, though that's just a guess.
> 
> Anyway, if what you're doing is putting an xkms front-end in front
> of a CMC based X.509 PKI then I don't think you want to use CMC
> at just that point - my guess is you'd use ldap and/or http to fetch
> some certs based on the xkms locate or validate query, then run
> those through the rfc3280 algorithm (or not, as the case may be)
> and then answer the xkms query.
> 
> You'd only use CMC in that case in response to register/revoke
> and perhaps reissue requests. CMC (and CMP) is only really a
> very basic certificate retrieval protocol.
> 
> I can say though that the *wrong* answer would be to try to
> define an issuer/serial variant for xkms locate since that'd
> require the xkms client to parse the certificate in almost
> all use cases. That'd be bad from an xkms perspective.
> 
> Does that help?
> 
> I'd be interested in hearing more about your implementation,
> to the extent that you can share that.
> 
> Cheers,
> Stephen.
> 
> Vicente D. Guardiola Buitrago wrote:
> 
>>
>> Hello,
>>
>> I'm implementing an XKMS Service and the underlying PKI implements the 
>> CMC standard. But there are some "problems" in making a mapping between 
>> XKMS operations and CMC, e.g., the CMC getCertificate service needs the 
>> Serial Number of the Certificate you want to recover, but in XKMS we 
>> can request a Certificate that matches an e-mail address, for 
>> example.
>>
>> I want to know if someone has the same problem and if this kind of 
>> problem is considered by the WG or there is some recommendation to 
>> use a specific protocol to interact with the PKI.
>>
>> Thanks
>>
>> Vicente Guardiola
>>

Received on Thursday, 20 October 2005 03:19:11 UTC
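The split Stephen sketches in the quoted reply (directory lookup, then RFC 3280 path validation, for Locate/Validate; CMC reserved for Register/Revoke/Reissue; no issuer/serial variant of Locate), as an added Python sketch that is not part of this thread or of UMU-PKIv6. The directory records, trust anchor and revocation entry are constructed, the XKMS and XML-DSig namespaces are those of the XKMS 2.0 and XML Signature specifications, and path_valid is a deliberately simplified stand-in for real RFC 3280 validation.

```python
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the LDAP/HTTP certificate store (e-mail -> certificate records).
# A real proxy would fetch DER certificates from the directory; these dicts are placeholders.
DIRECTORY = {
    "alice@example.com": [
        {"serial": "1001", "issuer": "CN=Example CA", "expired": False, "cert_b64": "MIIB...current"},
        {"serial": "0F00", "issuer": "CN=Example CA", "expired": True, "cert_b64": "MIIB...old"},
    ],
}
TRUST_ANCHORS = {"CN=Example CA"}
REVOKED = {("CN=Example CA", "0F00")}  # constructed CRL content as (issuer, serial) pairs

def query_identifiers(root):
    """Return the UseKeyWith identifiers (e.g. e-mail addresses) of a Locate/Validate request."""
    qkb = root.find(f"{{{XKMS}}}QueryKeyBinding")
    # Refuse an issuer/serial query: serving it would force XKMS clients to parse certificates.
    if qkb is None or qkb.find(f".//{{{DS}}}X509IssuerSerial") is not None:
        raise ValueError("unsupported query: only UseKeyWith identifiers are offered")
    return [u.get("Identifier") for u in qkb.findall(f"{{{XKMS}}}UseKeyWith")]

def path_valid(record):
    """Simplified stand-in for RFC 3280 path validation: trusted issuer, unexpired, not revoked."""
    return (record["issuer"] in TRUST_ANCHORS and not record["expired"]
            and (record["issuer"], record["serial"]) not in REVOKED)

def handle(request_xml):
    """Route one XKMS request: Locate returns every directory hit, Validate keeps only hits that
    pass path validation; Register/Revoke/Reissue belong to the CMC back end and are rejected."""
    root = ET.fromstring(request_xml)
    op = root.tag.rpartition("}")[2]
    if op not in ("LocateRequest", "ValidateRequest"):
        return XKMS + "Sender", []
    try:
        idents = query_identifiers(root)
    except ValueError:
        return XKMS + "Sender", []
    records = [r for i in idents for r in DIRECTORY.get(i, [])]
    if op == "ValidateRequest":
        records = [r for r in records if path_valid(r)]
    return (XKMS + "Success", records) if records else (XKMS + "NoMatch", [])

def build_request(op, email):
    """Construct a minimal XKMS request keyed on an S/MIME e-mail address (urn:ietf:rfc:2633)."""
    return (f'<x:{op} xmlns:x="{XKMS}"><x:QueryKeyBinding>'
            f'<x:UseKeyWith Application="urn:ietf:rfc:2633" Identifier="{email}"/>'
            f'</x:QueryKeyBinding></x:{op}>')
```

Locate hands back both of Alice's certificates unverified, while Validate drops the expired and revoked one; a query carrying ds:X509IssuerSerial, or any Register/Revoke/Reissue request, is answered with a Sender-class result instead of being mapped onto a CMC call at this point.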