Re: XKMS and X509v3 attributes, where to put them in?

Hi Gregorio,

so you mean the only chance to issue Attribute Certificates with a standardized request/response protocol is the usage of an XKMS server? The XKMS server would then act as a CA for ACs as well as PKCs, so the specification would have to be changed, or a "special" kind of XKMS service would have to be implemented. As far as I know, XKMS does not support issuing ACs directly.

Since we are using our own XKMS client implementation, we are interested in separating the CA for ACs and the CA for PKCs to stay standard-conformant and keep the interoperability with other XKMS implementations.

Furthermore I would not like to use SAML attributes for our purposes, but ACs as mentioned before.

Regards,
Michael.


Gregorio Martinez <gregorio@dif.um.es> wrote:

Hi Michael, hi all,

you can find an open-source implementation of XKMS supporting WS from our group at http://sourceforge.net/projects/xkms. For SAML, we have also been doing some research and prototyping, but mostly related to Network Access, so we initially avoid using WS in the design.


Kind regards, Gregorio

Gregorio Martinez, PhD
University of Murcia (UMU), Spain



Michael Wilde wrote:
> Hi Ed,
> 
> I must admit that I am not familiar with SAML yet. Basically I am 
> looking for a standardized way to send and receive messages to a trusted 
> authority that is able to issue Attribute Certificates. The role 
> information has to be included as attribute in such ACs.
> 
> Stephen told me to use SAML but I am still not sure if it is suitable 
> in the scenario sketched in one of my previous postings. At the moment 
> we are thinking of a solution that uses both PKCs and ACs for 
> authentication and authorization. We use XKMS to request and retrieve 
> PKCs and should use SAML (?) for the same reason with ACs.
> 
> Are there any Web services available that could be used for proof of 
> concept testings yet?
> 
> Regards,
> Michael.
> 
> 
> Ed Simon wrote:
> 
> 
>     In a Web Services context, one could look at starting with an X.509 token
>     and then exchanging that, through WS-Trust, for a related SAML token
>     containing the role information.
> 
>     Michael, Manuel, does that sound like it would suit your problem scenario?
> 
>     Regards, Ed
>     _____________________
>     Ed Simon
>     Principal, XMLsec Inc.
>     (613) 726-9645
> 
>     Interested in XML, Web Services, or Security? Visit
>     "http://www.xmlsec.com".
> 
> 
>     New! "Privacy Protection for E-Services" published by Idea Group (ISBN:
>     1-59140-914-4 for hard cover, 1-59140-915-2 for soft cover).
>     Includes a chapter, by Ed Simon, on "Protecting Privacy Using XML, XACML,
>     and SAML".
>     See the Table of Contents here: "http://tinyurl.com/rukr4".
> 
>     -----Original Message-----
>     From: www-xkms-request@w3.org [mailto:www-xkms-request@w3.org] On Behalf Of Stephen Farrell
>     Sent: October 17, 2006 08:14
>     To: Michael Wilde
>     Cc: www-xkms@w3.org
>     Subject: Re: XKMS and X509v3 attributes, where to put them in?
> 
> 
> 
> 
>     Michael Wilde wrote:
>      > This raises the question: is there any standardized request/response
>      > protocol available for the communication with an Attribute Authority yet?
> 
>     SAML.
> 
>     S.
> 
> 
> 

Received on Monday, 23 October 2006 10:38:39 UTC