The XKMS Protocol


The XKMS specification defines two Web Services. The XML Key Registration Service Specification (X-KRSS) supports operations that manage the life cycle of public key credentials. The XML Key Information Service Specification (X-KISS) supports query operations that obtain and validate public key credentials. An XKMS service may support X-KRSS operations, X-KISS operations, or both.

Before discussing how X-KRSS and X-KISS allow public key credentials to be obtained and managed, we first consider the credentials themselves. XKMS is designed to provide an interface to any form of PKI. As such, the credentials managed by the PKI might have the form of X.509 certificates, PGP key signings, or possibly some new form of credential yet to be defined. In order to avoid committing XKMS to the design decisions of any one PKI, a new PKI credential is defined: the key binding association.

Key Binding Association

A key binding association is an assertion that the holder of the private key corresponding to a specified public key is associated with one or more identities or addresses within particular Internet protocols (an e-mail address, for example).

This somewhat abstract definition is best explained by way of an example. If Bob holds the private key corresponding to the public key X, a key binding association might be created to state that fact. For the purposes of communicating with Internet users, a key binding association linking a public key to a real-world name is rather less useful than one that links the public key to an e-mail address, online chat service, or other form of Internet address.

For example, the following key binding states that a particular RSA public key (a modulus and an exponent value) may be used with S/MIME (described in RFC 2633) for e-mail sent to or received from the e-mail address bob@bobcorp.test:

    <KeyBinding xmlns="http://www.w3.org/2002/03/xkms#"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyInfo>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus>4i0BEhQ8Jc4tjwZYbvtMyYfBrIGOMx34K4Cdo2pAzoGnV679FLmGHWnQy2cSj39hf5D1mIaPyD3j/33TdfglTaaKqp7IPf6ei754fOuI/r1HpX7uqsw+j9LC4Z7GnG3yoY/eBJOZ8TRwMnx+MkwmopXPVLvhMWRyiUOcO3SEkTE=</ds:Modulus>
                    <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
        </ds:KeyInfo>
        <UseKeyWith Application="urn:ietf:rfc:2633" Identifier="bob@bobcorp.test" />
    </KeyBinding>

The XKMS key-binding element makes use of the KeyInfo element defined in XML Signature to specify the public key credentials. In this particular case, the public key credentials consist of the actual RSA public key parameters that an e-mail client would use to send encrypted e-mail to Bob. In the general case, however, the key binding may include any of the credentials supported by the XML Signature KeyInfo element—for example:

  • An X.509 certificate

  • A PGP key

  • A SPKI certificate

  • The actual cryptographic parameters of the key

  • A new public key credential type

  • A location from which any of the above may be obtained

The key binding associates the public key credential with additional information that allows an application to use it—for example:

  • The cryptographic functions for which the credential may be used: signature, encryption, and key exchange

  • The application protocols with which the credential may be used, such as S/MIME secure e-mail, SSL/TLS transport layer security, or IPsec

  • The earliest time at which the key binding information is valid and the time at which it expires

  • The status of the key binding information

XKMS defines four elements that carry either an actual instance of a key binding or a request for a key binding to be found or created:

  • KeyBinding: A key binding instance issued by a trusted source and validated by that issuer

  • UnverifiedKeyBinding: A key binding instance whose validity the issuer does not assert; it requires verification before it is relied on

  • QueryKeyBinding: A template used to request a key binding instance by query by example

  • PrototypeKeyBinding: A template specifying the requested parameters of a key binding to be registered

Table 8-2 describes the members of the KeyBinding element. In this and the following tables, a trailing @ marks an XML attribute; all other items are child elements.

Table 8-2: Members of the KeyBinding Element

  Id@
      A unique identifier for the key binding

  Status
      The key binding status

  Status/StatusValue@
      A QName that specifies the status of the key binding. Allowable values are xkms:Valid, xkms:Invalid, and xkms:Indeterminate

  Status/ValidReason, Status/InvalidReason, Status/IndeterminateReason
      Optional elements that specify which aspects of the key binding status were determined to be valid, invalid, or indeterminate

  ValidityInterval
      The time interval over which this particular instance of the key binding is asserted to have the specified status

  ValidityInterval/NotBefore@
      The time instant at which the validity interval begins

  ValidityInterval/NotOnOrAfter@
      The time instant at which the validity interval ends; the key binding is no longer valid at or after this instant

  KeyInfo
      The public key credentials to which the key binding association relates. The credentials may be specified as an actual key value, an X.509 certificate, a PGP key signing, or any other form of public key credential supported by the XML Signature specification

  KeyUsage
      A QName that specifies the cryptographic uses for which the key may be used. Allowable values are xkms:Encryption, xkms:Signature, and xkms:Exchange

  UseKeyWith
      Specifies a particular application and identifier with which the credentials in the key binding may be used

  UseKeyWith/Application
      A URI that specifies the application protocol with which the credential may be used. The specification defines values for commonly used security protocols such as S/MIME, SSL/TLS, and IPsec; other protocols may be specified by defining an appropriate URI

  UseKeyWith/Identifier
      Specifies the subject to which the credential corresponds within the specified application protocol

  PolicyIdentifier/Policy@
      A URI identifying the issuance policy
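As an added example (not code from the chapter), the following Python script applies the checks implied by Table 8-2 to a KeyBinding before a client relies on the key it carries. The sample binding is constructed here from the chapter's RSA key for bob@bobcorp.test, extended with KeyUsage, ValidityInterval and Status members; the namespace URIs are those of XKMS 2.0 and XML Signature, and the script accepts status and usage values both in the QName form shown in the table and in the URI form of the final XKMS 2.0 specification. The rule that an absent KeyUsage permits every use is the script's own assumption.

```python
"""Check an XKMS KeyBinding before trusting its key for a given use.

Added example, not code from the chapter: it parses a KeyBinding as an
XKMS service returns it and applies the checks a client should make
(Status, ValidityInterval, KeyUsage, UseKeyWith) before handing the RSA
key to an application such as an S/MIME mail client. Status and KeyUsage
values are accepted both as the QNames in Table 8-2 (xkms:Valid) and as
the URIs of XKMS 2.0 (http://www.w3.org/2002/03/xkms#Valid).
"""
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"    # XKMS 2.0 namespace
DS = "http://www.w3.org/2000/09/xmldsig#"   # XML Signature namespace
NS = {"xkms": XKMS, "ds": DS}

# Constructed sample: the chapter's RSA key binding for S/MIME (RFC 2633),
# extended with the KeyUsage, ValidityInterval and Status members of Table 8-2.
SAMPLE_KEY_BINDING = f"""<KeyBinding xmlns="{XKMS}" xmlns:ds="{DS}" Id="_kb-bob-1">
  <ds:KeyInfo>
    <ds:KeyValue>
      <ds:RSAKeyValue>
        <ds:Modulus>4i0BEhQ8Jc4tjwZYbvtMyYfBrIGOMx34K4Cdo2pAzoGnV679FLmGHWnQy2cSj39hf5D1mIaPyD3j/33TdfglTaaKqp7IPf6ei754fOuI/r1HpX7uqsw+j9LC4Z7GnG3yoY/eBJOZ8TRwMnx+MkwmopXPVLvhMWRyiUOcO3SEkTE=</ds:Modulus>
        <ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue>
    </ds:KeyValue>
  </ds:KeyInfo>
  <KeyUsage>{XKMS}Encryption</KeyUsage>
  <UseKeyWith Application="urn:ietf:rfc:2633" Identifier="bob@bobcorp.test"/>
  <ValidityInterval NotBefore="2003-01-01T00:00:00Z" NotOnOrAfter="2004-01-01T00:00:00Z"/>
  <Status StatusValue="{XKMS}Valid"/>
</KeyBinding>"""


def local_name(value):
    """xkms:Valid or http://...#Valid -> Valid."""
    value = (value or "").strip()
    for sep in ("#", ":"):
        if sep in value:
            return value.rsplit(sep, 1)[1]
    return value


def parse_instant(value):
    """xsd:dateTime such as 2003-01-01T00:00:00Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def crypto_binary(text):
    """ds:CryptoBinary (base64, big-endian, whitespace allowed) -> int."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


def evaluate_key_binding(xml_text, application, identifier, usage, now):
    """Return (usable, reasons, key); usable is True only when every check passes."""
    root = ET.fromstring(xml_text)
    reasons = []

    # 1. Status: only a KeyBinding the issuer marked Valid may be trusted.
    status = root.find("xkms:Status", NS)
    if status is None or local_name(status.get("StatusValue")) != "Valid":
        reasons.append("status is not Valid (unverified, invalid or indeterminate)")

    # 2. ValidityInterval: NotBefore <= now < NotOnOrAfter.
    interval = root.find("xkms:ValidityInterval", NS)
    if interval is not None:
        if interval.get("NotBefore") and now < parse_instant(interval.get("NotBefore")):
            reasons.append("binding not yet valid")
        if interval.get("NotOnOrAfter") and now >= parse_instant(interval.get("NotOnOrAfter")):
            reasons.append("binding expired")

    # 3. KeyUsage: an absent KeyUsage is taken to permit all uses (assumption).
    usages = {local_name(u.text) for u in root.findall("xkms:KeyUsage", NS)}
    if usages and usage not in usages:
        reasons.append(f"usage {usage} not permitted, allowed: {sorted(usages)}")

    # 4. UseKeyWith: the binding must name this protocol and this identifier.
    if not any(u.get("Application") == application and u.get("Identifier") == identifier
               for u in root.findall("xkms:UseKeyWith", NS)):
        reasons.append(f"no UseKeyWith for {application} / {identifier}")

    # 5. Key material: decode the RSA parameters carried in ds:KeyInfo.
    key = None
    rsa = root.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue", NS)
    if rsa is None:
        reasons.append("no RSA key value in ds:KeyInfo")
    else:
        n = crypto_binary(rsa.findtext("ds:Modulus", "", NS))
        e = crypto_binary(rsa.findtext("ds:Exponent", "", NS))
        key = {"n": n, "e": e, "bits": n.bit_length()}
    return not reasons, reasons, key


def check_sample(usage, at):
    """Evaluate the sample for S/MIME mail to bob@bobcorp.test at instant `at`."""
    return evaluate_key_binding(SAMPLE_KEY_BINDING, "urn:ietf:rfc:2633",
                                "bob@bobcorp.test", usage, parse_instant(at))


if __name__ == "__main__":
    for usage, at in (("Encryption", "2003-06-01T00:00:00Z"),
                      ("Signature", "2003-06-01T00:00:00Z"),
                      ("Encryption", "2004-06-01T00:00:00Z")):
        usable, reasons, key = check_sample(usage, at)
        print(usage, at, usable, key and key["bits"], reasons)
```

The evaluation fails closed: a Status other than Valid, an instant outside the validity interval, a usage the binding does not list, or a UseKeyWith that does not name the requested protocol and identifier each refuses the key, and the reasons are returned so the caller can log why. The decoded modulus of the chapter's key is 1024 bits with public exponent 65537.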

XKMS Protocol

The XKMS protocol is essentially a request-response protocol layered on SOAP, with optional embellishments described at the end of the chapter.

The request and result messages used in the individual XKMS operations share a common format. These common members are defined in Table 8-3.

Table 8-3: Members Common to Request and Result Elements

  Id@
      A unique identifier for the message

  Service@
      The service URI of the XKMS service

  Nonce@
      Randomly generated information that is used in the extended protocol processing options to defeat replay and denial-of-service attacks

  ds:Signature
      An enveloped XML Signature that authenticates the XKMS message

  OpaqueClientData
      Optional information supplied by the client in a request that is returned unmodified in the response

Additional members are defined for request messages, allowing the client to specify the protocol options it supports, the types of and maximum quantity of information to be provided in the response, and additional information used in the extended protocol options. These additional members are described in Table 8-4.

Table 8-4: Members of the Request Element

  ResponseMechanism
      Specifies any extended protocol options supported by the client for this request, such as asynchronous processing or the two-phase protocol. Multiple ResponseMechanism values may be specified

  RespondWith
      Specifies a data type that the client requests be present in the response, such as a key value, an X.509 certificate, or a certificate chain. Multiple RespondWith values may be specified

  PendingNotification
      Optionally specifies how the client is to be notified when an asynchronously processed operation completes

  OriginalRequestID@
      Used in the extended protocol to specify the Id attribute of the initial request in a multistage request

  ResponseLimit@
      The maximum number of key binding elements that the service should return in a response

Additional members are defined for response messages, allowing the service to report the result of the operation (success, failure, and so on) and to bind the response to the request by means of the request Id. These additional members are described in Table 8-5.

Table 8-5: Members of the Response Element

  ResultMajor
      The principal result code of the XKMS operation

  ResultMinor
      The secondary result code of the XKMS operation, giving additional information such as a reason for the result

  RequestId
      The Id attribute of the corresponding request
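As an added example, not code from the chapter or from any XKMS implementation, the Python below runs one Locate exchange end to end: the client builds a LocateRequest from the request members of Tables 8-3 and 8-4, a constructed stand-in service answers from an in-memory directory, and the client checks the result members of Tables 8-3 and 8-5 (RequestId against its own Id, the Service URI, ResultMajor and ResultMinor, the echoed OpaqueClientData, and ResponseLimit) before it looks at the returned key bindings. The service URI, directory contents and key names are invented for the example. The message layout follows the XKMS 2.0 Recommendation, in which ResultMajor, ResultMinor and RequestId are attributes; the checker also reads them as child elements, which is how Table 8-5 lists them.

```python
"""An XKMS Locate exchange: build the request, answer it, check the result.

Added example, not code from the chapter. Both messages are constructed
here: the client builds a LocateRequest, a stand-in for the service
answers with a LocateResult, and the client applies the checks that
Tables 8-3 to 8-5 imply before it uses anything in the response.
"""
import base64
import secrets
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xkms": XKMS, "ds": DS}
SERVICE = "http://xkms.bobcorp.test/xkms"           # assumed service URI

# Constructed directory behind the stand-in service: query -> key names.
DIRECTORY = {("urn:ietf:rfc:2633", "bob@bobcorp.test"): ["bob-smime-2003", "bob-smime-2002"]}


def build_locate_request(application, identifier, limit=2, client_data="msg-42"):
    """Client side. Id ties the result back to this request, ResponseLimit caps
    the number of bindings, RespondWith asks for ds:KeyName in each binding."""
    request_id = "_req-" + secrets.token_hex(8)
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()  # extended protocol only
    opaque = base64.b64encode(client_data.encode()).decode()
    xml = (f'<LocateRequest xmlns="{XKMS}" Id="{request_id}" Service="{SERVICE}" '
           f'Nonce="{nonce}" ResponseLimit="{limit}">'
           f'<OpaqueClientData><OpaqueData>{opaque}</OpaqueData></OpaqueClientData>'
           f'<RespondWith>{XKMS}KeyName</RespondWith>'
           f'<QueryKeyBinding><UseKeyWith Application="{application}" '
           f'Identifier="{identifier}"/></QueryKeyBinding></LocateRequest>')
    return request_id, xml


def stand_in_service(request_xml, directory=DIRECTORY):
    """Constructed service. Locate answers with UnverifiedKeyBinding elements,
    which the client still has to validate; nothing found is reported as
    ResultMajor Success with ResultMinor NoMatch, not as a failure."""
    req = ET.fromstring(request_xml)
    query = req.find("xkms:QueryKeyBinding/xkms:UseKeyWith", NS)
    app, ident = query.get("Application"), query.get("Identifier")
    hits = directory.get((app, ident), [])[: int(req.get("ResponseLimit", "1"))]
    minor = "" if hits else f' ResultMinor="{XKMS}NoMatch"'
    opaque = req.findtext("xkms:OpaqueClientData/xkms:OpaqueData", "", NS)
    bindings = "".join(
        f'<UnverifiedKeyBinding Id="_kb-{i}"><ds:KeyInfo><ds:KeyName>{name}</ds:KeyName>'
        f'</ds:KeyInfo><UseKeyWith Application="{app}" Identifier="{ident}"/>'
        f'</UnverifiedKeyBinding>' for i, name in enumerate(hits))
    return (f'<LocateResult xmlns="{XKMS}" xmlns:ds="{DS}" Id="_res-{secrets.token_hex(8)}" '
            f'Service="{req.get("Service")}" ResultMajor="{XKMS}Success"{minor} '
            f'RequestId="{req.get("Id")}">'
            f'<OpaqueClientData><OpaqueData>{opaque}</OpaqueData></OpaqueClientData>'
            f'{bindings}</LocateResult>')


def member(elem, name):
    """Read a result member as an attribute (XKMS 2.0) or, failing that, as a
    child element (the layout Table 8-5 describes)."""
    value = elem.get(name)
    if value is None:
        child = elem.find(f"xkms:{name}", NS)
        value = child.text if child is not None else None
    return value


def code(value):
    """Local name of a result code in either URI (...#Success) or QName form."""
    return (value or "").rsplit("#", 1)[-1].rsplit(":", 1)[-1] or None


def check_locate_result(result_xml, request_id, limit, application, identifier, client_data):
    """Client side. Returns (ok, reasons, result_minor, key_names)."""
    res = ET.fromstring(result_xml)
    reasons = []
    if res.tag != f"{{{XKMS}}}LocateResult":
        reasons.append("not a LocateResult")
    if member(res, "RequestId") != request_id:
        reasons.append("RequestId does not match the Id of our request")
    if res.get("Service") != SERVICE:
        reasons.append("result names a different service")
    major, minor = code(member(res, "ResultMajor")), code(member(res, "ResultMinor"))
    if major != "Success":
        reasons.append(f"operation failed: {major}/{minor}")
    echoed = res.findtext("xkms:OpaqueClientData/xkms:OpaqueData", "", NS)
    if base64.b64decode(echoed).decode() != client_data:
        reasons.append("OpaqueClientData was not returned unmodified")
    bindings = res.findall("xkms:UnverifiedKeyBinding", NS) + res.findall("xkms:KeyBinding", NS)
    if len(bindings) > limit:
        reasons.append("service exceeded ResponseLimit")
    for b in bindings:
        if not any(u.get("Application") == application and u.get("Identifier") == identifier
                   for u in b.findall("xkms:UseKeyWith", NS)):
            reasons.append("a returned binding does not match the query")
    names = [b.findtext("ds:KeyInfo/ds:KeyName", "", NS) for b in bindings]
    return not reasons, reasons, minor, names


def run_exchange(identifier, limit=2, application="urn:ietf:rfc:2633"):
    """Whole round trip; returns (request_id, result_xml, check tuple)."""
    request_id, request_xml = build_locate_request(application, identifier, limit)
    result_xml = stand_in_service(request_xml)
    return request_id, result_xml, check_locate_result(
        result_xml, request_id, limit, application, identifier, "msg-42")


if __name__ == "__main__":
    for who, limit in (("bob@bobcorp.test", 2), ("bob@bobcorp.test", 1), ("eve@bobcorp.test", 2)):
        _, _, (ok, reasons, minor, names) = run_exchange(who, limit)
        print(who, limit, ok, minor, names, reasons)
```

Two points the exchange makes visible: a Locate result carries UnverifiedKeyBinding elements, so a successful exchange establishes where a key is claimed to be, not that the claim is valid, and the bindings still need validation before use; and a result with no matching binding arrives as ResultMajor Success with ResultMinor NoMatch, so a client that treats every non-failure result as "key found" will misread it.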




Web Services Security
ISBN: 0072224711
Year: 2003
Pages: 105
Authors: Mark O'Neill
