Re: XKMS RegisterRequest -> PKCS10 Conversion

Check out the PKIX WG page for CMC & CMP [1]. CMC
is probably the more popular, though neither protocol
is that widely deployed. (Or have things changed?)

You could try a p#10 that's unsigned or signed by
some other key. I think a lot of products have
some way to handle p#10 where the signature doesn't
verify.

It would be a mistake to get a well-signed p#10
out of the xkms client since then you're getting
no benefit from the angle-brackets and shouldn't
use X-KRSS (you can still benefit from X-KISS
later of course).

S.

[1] http://www.ietf.org/html.charters/pkix-charter.html

Stefan Lischke wrote:
> Hi Stephen,
> 
> Cause many Trustcenters only have simple HTTP p#10 web-interfaces. You
> send a p#10 request and get a signed certificate with p#7. So
> unfortunately I have to use this format ;-(
> So any ideas?
> 
> btw. I'm new to all this security stuff, can you please explain CMS/CMP.
> Google won't help me with these abbreviations. ;-)
> 
> Stefan
>  
> Stephen Farrell wrote:
>> Why p#10 out of the xkms server? Using CMC (or even CMP)
>> would be more appropriate.
>>
>> Stephen.
>>
>> Stefan Lischke wrote:
>>> Hi,
>>>
>>> I have a question about the following use-case. Does anyone have any
>>> experience, or maybe done the same, or have any ideas?
>>>
>>> An XKMS-Client sends an XKRSS-RegisterRequest for certification of an
>>> already created key-pair. This RegisterRequest is signed with the
>>> private key with XMLSig at the Client. Now this Request needs to be
>>> transformed to a PKCS10 Request at the XKMS-Server. But the PKCS10
>>> Request must also be signed, but the XKMS-Server does not have the
>>> private key.
>>>
>>> Any Ideas?
>>>
>>> * Maybe send a sign-Request to the XKMS-Client to sign the created
>>> PKCS10?
>>> * Is there a way of sending PKCS10 Data inside XKMS?
>>>
>>> Thanks in advance for any help or suggestion
>>>
>>> Stefan

Received on Tuesday, 15 May 2007 16:29:10 UTC
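
Added example (not part of the thread or of any XKMS product): what a CA's proof-of-possession check sees when a p#10 for the client's public key carries a signature made by some other key, the case discussed above. It assumes the third-party Python `cryptography` package; the subject name, the EC keys and the helper names are constructed for illustration.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# DER AlgorithmIdentifier for ecdsa-with-SHA256 (OID 1.2.840.10045.4.3.2)
ECDSA_SHA256_ALGID = bytes.fromhex("300a06082a8648ce3d040302")

def der(tag, content):
    """Minimal DER TLV encoder (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def client_csr(client_key):
    """Normal p#10: signed by the private key matching the embedded public key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "xkms-client.example")])
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(name)
            .sign(client_key, hashes.SHA256()))

def resign_with_other_key(csr, other_key):
    """Keep the CertificationRequestInfo (subject + client public key) and
    replace the signature with one made by a key the server holds."""
    tbs = csr.tbs_certrequest_bytes
    sig = other_key.sign(tbs, ec.ECDSA(hashes.SHA256()))
    bit_string = der(0x03, b"\x00" + sig)   # BIT STRING, zero unused bits
    return x509.load_der_x509_csr(der(0x30, tbs + ECDSA_SHA256_ALGID + bit_string))

def demo():
    client_key = ec.generate_private_key(ec.SECP256R1())   # stays on the client
    server_key = ec.generate_private_key(ec.SECP256R1())   # the "other key"
    good = client_csr(client_key)
    resigned = resign_with_other_key(good, server_key)
    same_subject_key = (resigned.public_key().public_numbers()
                        == client_key.public_key().public_numbers())
    # A p#10 signature is only ever checked against the key inside the request.
    return good.is_signature_valid, resigned.is_signature_valid, same_subject_key

if __name__ == "__main__":
    print(demo())
```

The re-signed request still parses and still names the client's key, but the self-signature check fails, so a CA that accepts it is no longer getting proof of possession from the p#10 itself.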