XKMS

XML, Web Services, and the Data Revolution
By Frank P. Coyle
Chapter 7. XML Security


XKMS works with public-key infrastructures.

XKMS is a W3C initiative that targets the delegation of trust processing decisions to one or more specialized trust processors, to give businesses an easier way to manage digital signatures and data encryption. Instead of relying on proprietary public-key infrastructure (PKI) implementations, companies can use standard interfaces to work with different vendors to handle issues surrounding digital certificate checking, revocation status checking, and validation. XKMS allows these functions to be performed through standard interfaces so that financial institutions, for example, won't have to care what type of PKI system a company has implemented in order to do business with it.

XKMS was submitted to the W3C by Microsoft, VeriSign, and webMethods and is backed by a range of companies including Baltimore Technologies, Entrust, HP, IBM, Iona Technologies, Reuters, and RSA Security. As Figure 7.4 shows, XKMS is one of the three W3C specifications that define the XML security architecture.

XKMS Structure

XKMS specifies protocols for distributing and registering public keys and is suitable for use in conjunction with the proposed standard for XML Signature and as a companion standard for XML Encryption. XKMS has two parts: the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS).

X-KISS

X-KISS defines a protocol for a trust service that resolves public-key information contained in documents that conform to the XML Signature specification. The X-KISS protocol allows a client of such a service to delegate part or all of the tasks required to process the XML Signature ds:KeyInfo element. A basic objective of the protocol design is to minimize the complexity of application implementations by allowing them to become clients and thereby to be shielded from the complexity and syntax of the underlying PKI used to establish trust relationships. The underlying PKI may be based upon a different specification, such as X.509, the international standard for public-key certificates, or Pretty Good Privacy (PGP), the widely available public-key encryption system.

By design, the XML Signature specification does not mandate use of a particular trust policy. The signer of a document is not required to include any key information but may include a ds:KeyInfo element that specifies the key itself, a key name, an X.509 certificate, a PGP Key Identifier, and so on. Alternatively, a link may be provided to a location where the full ds:KeyInfo information may be found.

XML Signature makes no assumptions about PKI.

X-KRSS

X-KRSS defines a protocol for a Web service that accepts registration of public-key information. Once registered, the public key may be used in conjunction with other Web services, including X-KISS. A client of a conforming service may request that the registration service bind information to a public key. The information bound may include a name, an identifier, or extended attributes defined by the implementation.

The key pair to which the information is bound may be generated in advance by the client or, to support key recovery, may be generated on request by the service. The registration protocol may also be used for subsequent recovery of a private key. The protocol provides for authentication of the applicant and, in case the key pair is generated by the client, proof of possession of the private key. A means of communicating the private key to the client is provided in cases where the private key is generated by the registration service.


XML, Web Services, and the Data Revolution
ISBN: 0201776413
Year: 2002
Pages: 106
Authors: Frank Coyle