Chapter 14. XKMS: XML Key Management


XKMS, the XML Key Management Specification, has two goals:

  • To minimize the effort a client must expend to obtain keys and verify trust in them, by providing one or more servers with which the client has a trust relationship. Those servers can then offload tasks from the client: locating the sources of revocation information, fetching and applying that information, validating certificate chains, and more.

  • To provide, where appropriate, central control of policy among a group of clients by implementing that policy at the XKMS server or servers used by those clients.

The key management system consists of two parts:

  • The Key Information Service, for obtaining keys and information about keys

  • The Key Registration Service, for populating the database that a Key Information Service consults, either directly (when queries go to the server hosting the database) or indirectly (when that server is in turn queried by other servers)

XKMS is an ongoing specification effort for which a working group was formed by the W3C in December 2001 [XKMS WG]. This chapter is based on the W3C Note by Verisign, Microsoft, and webMethods [XKMS]. Many details of the final recommendations of the new working group will undoubtedly differ from that Note, but the basic capabilities will likely include those described here. In a few cases, inconsistencies and undefined areas in the Note have already been resolved [XKMS 2]. You should interpret assertions made about XKMS in this chapter in light of this fact.

XKMS uses SOAP (see Chapter 8) for communications. An implementation could, however, use other transport wrappings that provide similar services or, in principle, even encodings other than XML.
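The following is an added illustration of the two-party exchange sketched above (a client that hands key lookup and trust decisions to a Key Information Service over a SOAP-wrapped request), not code from the book or from any XKMS implementation. The namespace URIs, element names (LocateRequest, ValidateRequest, QueryKeyBinding, KeyBinding, Status and so on) and result values are assumptions modeled on XKMS message shapes, and the key registry is a constructed stand-in for the database a Key Registration Service would populate; a real client must follow the schema of the XKMS version it speaks and must verify the signature on the service's response before trusting it.

```python
"""Toy XKMS-style Locate/Validate exchange over a SOAP envelope.

Added example: element names, namespaces and the key registry are
assumptions for illustration, not the text of any XKMS schema.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
XKMS_NS = "http://www.w3.org/2002/03/xkms#"            # assumed XKMS namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"           # XML Signature KeyInfo

for prefix, uri in (("soap", SOAP_NS), ("xkms", XKMS_NS), ("ds", DS_NS)):
    ET.register_namespace(prefix, uri)


def q(ns, tag):
    """Clark-notation qualified tag for ElementTree."""
    return "{%s}%s" % (ns, tag)


RESULT_SUCCESS = XKMS_NS + "Success"
RESULT_NOMATCH = XKMS_NS + "NoMatch"
STATUS_VALID = XKMS_NS + "Valid"
STATUS_INVALID = XKMS_NS + "Invalid"
STATUS_INDETERMINATE = XKMS_NS + "Indeterminate"

# Constructed sample registry (placeholder key strings, not real key material).
# This is what a Key Registration Service would have populated.
KEY_DB = {
    "alice@example.com": ("PLACEHOLDER-PUBLIC-KEY-ALICE", STATUS_VALID),
    "bob@example.com": ("PLACEHOLDER-PUBLIC-KEY-BOB", STATUS_INVALID),  # revoked
    "carol@example.com": ("PLACEHOLDER-PUBLIC-KEY-CAROL", STATUS_INDETERMINATE),  # no chain
}


def build_request(kind, key_name):
    """Client side: wrap a LocateRequest or ValidateRequest in a SOAP Body."""
    env = ET.Element(q(SOAP_NS, "Envelope"))
    body = ET.SubElement(env, q(SOAP_NS, "Body"))
    req = ET.SubElement(body, q(XKMS_NS, kind + "Request"))
    ET.SubElement(req, q(XKMS_NS, "RespondWith")).text = XKMS_NS + "KeyValue"
    qkb = ET.SubElement(req, q(XKMS_NS, "QueryKeyBinding"))
    ki = ET.SubElement(qkb, q(DS_NS, "KeyInfo"))
    ET.SubElement(ki, q(DS_NS, "KeyName")).text = key_name
    return ET.tostring(env, encoding="utf-8")


def serve(request_bytes):
    """Server side: the Key Information Service answers from its registry.

    Locate returns an unverified binding; Validate adds the service's trust
    decision as a Status, so the client never builds a chain itself.
    """
    env = ET.fromstring(request_bytes)
    req = env.find(q(SOAP_NS, "Body"))[0]
    kind = req.tag.split("}", 1)[1][:-len("Request")]  # "Locate" or "Validate"
    key_name = req.findtext(".//" + q(DS_NS, "KeyName"))

    renv = ET.Element(q(SOAP_NS, "Envelope"))
    result = ET.SubElement(ET.SubElement(renv, q(SOAP_NS, "Body")), q(XKMS_NS, kind + "Result"))
    entry = KEY_DB.get(key_name)
    if entry is None:
        result.set("ResultMajor", RESULT_NOMATCH)
        return ET.tostring(renv, encoding="utf-8")
    key, status = entry
    result.set("ResultMajor", RESULT_SUCCESS)
    if kind == "Locate":
        kb = ET.SubElement(result, q(XKMS_NS, "UnverifiedKeyBinding"))
    else:
        kb = ET.SubElement(result, q(XKMS_NS, "KeyBinding"))
        ET.SubElement(kb, q(XKMS_NS, "Status")).set("StatusValue", status)
    ki = ET.SubElement(kb, q(DS_NS, "KeyInfo"))
    ET.SubElement(ki, q(DS_NS, "KeyValue")).text = key
    return ET.tostring(renv, encoding="utf-8")


def locate(key_name, send=serve):
    """Return the key bound to key_name, or None. Locate carries no trust assurance."""
    resp = ET.fromstring(send(build_request("Locate", key_name)))
    result = resp.find(".//" + q(XKMS_NS, "LocateResult"))
    if result is None or result.get("ResultMajor") != RESULT_SUCCESS:
        return None
    return result.findtext(".//" + q(DS_NS, "KeyValue"))


def validate(key_name, send=serve):
    """True only on Success with StatusValue Valid; NoMatch, Invalid and
    Indeterminate all fail closed. (Signature check on the response omitted.)"""
    resp = ET.fromstring(send(build_request("Validate", key_name)))
    result = resp.find(".//" + q(XKMS_NS, "ValidateResult"))
    if result is None or result.get("ResultMajor") != RESULT_SUCCESS:
        return False
    status = result.find(".//" + q(XKMS_NS, "Status"))
    return status is not None and status.get("StatusValue") == STATUS_VALID


if __name__ == "__main__":
    for name in ("alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"):
        print(name, "locate:", locate(name), "validate:", validate(name))
```

The `send` parameter stands in for the SOAP HTTP round trip so the exchange runs offline; swapping it for a real POST is the transport change the text refers to. The point to notice is in `validate`: the client's only job is to read the service's verdict and fail closed on anything other than an explicit Valid, which is exactly the work XKMS moves off the client.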



Secure XML: The New Syntax for Signatures and Encryption
ISBN: 0201756056
Year: 2005
Pages: 186
