XML Key Management Specification
XKMS (XML Key Management Specification) is a W3C specification for validating and registering public keys, designed to be used together with XML Signature. It was proposed to the W3C in particular by Microsoft and VeriSign.
Objectives
The main aims of XKMS (XML Key Management Specification) are:
- to provide a protocol for validating and registering public keys that is integrated with Web applications and Web services;
- to free applications from handling the complex syntax and semantics of a PKI, by using a simple XML-formatted protocol to obtain information about a key from an XKMS service;
- to move that complexity out of the client application and into the infrastructure, making the application simpler and smaller.
History
XKMS is developed by the W3C XKMS Working Group. The first working draft on XKMS was published on March 18, 2002; a second document followed on April 18, 2003.
Description
XKMS is intended to be implemented as a Web service that gives a client access to the functions found in public key infrastructure (PKI) standards. The XKMS specification consists of two protocols:
- X-KISS (XML Key Information Service Specification), for requests that locate and validate public keys;
- X-KRSS (XML Key Registration Service Specification), for registering, reissuing, revoking and recovering keys.
XKISS
This part of XKMS covers the mechanism for locating and validating keys. The X-KISS specification defines the following two operations:
- Locate: asks the service for the public key information corresponding to a <ds:KeyInfo> element. This operation is not required to say anything about the validity of the data bound to the key; the service may relay the request to other services or act as a gateway to a PKI. A client must therefore treat a located key as unverified.
- Validate: not only looks up the public key corresponding to the <ds:KeyInfo> element, but also asserts that the information bound to the returned key is trustworthy.
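The Locate/Validate distinction in working code, as an added example that is not part of the original article or of any XKMS implementation: a Go client parses a constructed LocateResult and ValidateResult (sample responses written for this example, using the XKMS 2.0 namespace and identifiers), hands back a located key name as unverified, and accepts a key from a validation only when the service returned Success, marked the binding Valid for the requested usage, and asserted all four ValidReason codes. The key name, the function names and the sample documents are this example's own assumptions; the service's signature over the response is not checked here.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"slices"
)

// XKMS 2.0 namespace and the identifiers the checks below rely on.
const (
	xkmsNS        = "http://www.w3.org/2002/03/xkms#"
	ResultSuccess = xkmsNS + "Success"
	StatusValid   = xkmsNS + "Valid"
)

// A Validate service that fully checked a binding asserts all four of these reason codes.
var requiredValidReasons = []string{
	xkmsNS + "IssuerTrust", xkmsNS + "RevocationStatus", xkmsNS + "ValidityInterval", xkmsNS + "Signature",
}

type status struct {
	StatusValue string   `xml:"StatusValue,attr"`
	ValidReason []string `xml:"http://www.w3.org/2002/03/xkms# ValidReason"`
}

// keyBinding maps both KeyBinding (ValidateResult) and UnverifiedKeyBinding (LocateResult); only the former has a Status.
type keyBinding struct {
	KeyName  string   `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo>KeyName"`
	KeyUsage []string `xml:"http://www.w3.org/2002/03/xkms# KeyUsage"`
	Status   *status  `xml:"http://www.w3.org/2002/03/xkms# Status"`
}

type locateResult struct {
	XMLName     xml.Name     `xml:"http://www.w3.org/2002/03/xkms# LocateResult"`
	ResultMajor string       `xml:"ResultMajor,attr"`
	Bindings    []keyBinding `xml:"http://www.w3.org/2002/03/xkms# UnverifiedKeyBinding"`
}

type validateResult struct {
	XMLName     xml.Name     `xml:"http://www.w3.org/2002/03/xkms# ValidateResult"`
	ResultMajor string       `xml:"ResultMajor,attr"`
	Bindings    []keyBinding `xml:"http://www.w3.org/2002/03/xkms# KeyBinding"`
}

// Constructed sample responses for this example (not captured from a real service).
const sampleLocateResult = `<LocateResult xmlns="http://www.w3.org/2002/03/xkms#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ResultMajor="http://www.w3.org/2002/03/xkms#Success">
  <UnverifiedKeyBinding>
    <ds:KeyInfo><ds:KeyName>alice@example.test</ds:KeyName></ds:KeyInfo>
    <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage>
  </UnverifiedKeyBinding>
</LocateResult>`

const sampleValidateResult = `<ValidateResult xmlns="http://www.w3.org/2002/03/xkms#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ResultMajor="http://www.w3.org/2002/03/xkms#Success">
  <KeyBinding>
    <ds:KeyInfo><ds:KeyName>alice@example.test</ds:KeyName></ds:KeyInfo>
    <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage>
    <Status StatusValue="http://www.w3.org/2002/03/xkms#Valid">
      <ValidReason>http://www.w3.org/2002/03/xkms#IssuerTrust</ValidReason>
      <ValidReason>http://www.w3.org/2002/03/xkms#RevocationStatus</ValidReason>
      <ValidReason>http://www.w3.org/2002/03/xkms#ValidityInterval</ValidReason>
      <ValidReason>http://www.w3.org/2002/03/xkms#Signature</ValidReason>
    </Status>
  </KeyBinding>
</ValidateResult>`

// LocatedKeyName parses a LocateResult. Locate only finds a binding (the element is literally
// UnverifiedKeyBinding), so the caller gets a name it still has to validate before trusting it.
func LocatedKeyName(doc []byte) (string, error) {
	var r locateResult
	if err := xml.Unmarshal(doc, &r); err != nil {
		return "", err
	}
	if r.ResultMajor != ResultSuccess || len(r.Bindings) == 0 {
		return "", errors.New("locate returned no binding")
	}
	return r.Bindings[0].KeyName, nil
}

// TrustedKeyName parses a ValidateResult and returns a key name only for a binding the service marked
// Valid for the requested usage with every reason code asserted. A LocateResult fails the root check in Unmarshal.
func TrustedKeyName(doc []byte, requiredUse string) (string, error) {
	var r validateResult
	if err := xml.Unmarshal(doc, &r); err != nil {
		return "", err
	}
	if r.ResultMajor != ResultSuccess {
		return "", fmt.Errorf("validate failed: ResultMajor=%q", r.ResultMajor)
	}
	for _, kb := range r.Bindings {
		ok := kb.Status != nil && kb.Status.StatusValue == StatusValid && slices.Contains(kb.KeyUsage, requiredUse)
		for _, reason := range requiredValidReasons {
			ok = ok && slices.Contains(kb.Status.ValidReason, reason)
		}
		if ok {
			return kb.KeyName, nil
		}
	}
	return "", errors.New("no binding is Valid for the requested usage with all reason codes")
}
```

The reason-code loop is the caveat worth keeping: a service may return Valid after checking only part of what the client cares about, and the ValidReason elements say which checks it actually performed, so a client that only looks at StatusValue accepts less than it thinks.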
XKRSS
This part of XKMS covers the mechanism for registering a key pair with a service provider. There are two ways to register keys with an XKMS service:
- the client generates the key pair and submits its public key, together with other information, to the registration service;
- the XKMS service generates the pair for the client, registers the public key and sends the private key to the client. The client can also ask the XKMS service to keep the private key, so that the service can return it if the client loses it.
The X-KRSS specification defines four operations:
- Register: binds information to a key in a key binding. Either the client supplies its public key together with a proof of possession of the associated private key, or the service generates the key pair for the client. The service may require further information from the client before registering the public key (and possibly the private key).
- Reissue: a registered key binding is regenerated, and new credentials are issued in the underlying PKI. Even though an XKMS key binding may have no lifetime, the credentials issued by the PKI can have one and therefore have to be reissued periodically.
- Revoke: lets a client destroy the data objects bound to a key. For example, an X.509 certificate bound to a key by an XKMS service is destroyed when this operation is called.
- Recover: lets a client recover its private key. For this to be possible, the private key must have been registered with the service; one way for the service to obtain it is to generate the key pair itself.
The Recover operation is most useful when the private key is used to encrypt data: if that key is lost, the encrypted data becomes inaccessible and is lost with it. In that case it makes sense to generate the private key on the server side and to store it there.
If the lost private key was only used to sign documents, a new key can be generated without affecting the validity of the documents already signed. Keys used for signing can therefore safely be generated by the client, and their private half should never be registered with the service.
An XKMS service implementing X-KRSS may choose to offer some, all or none of these operations; the X-KRSS specification does not require an XKMS service to implement any particular one of them.
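The two registration paths and the escrow rule above, as an added Go example that is not from the article or from any XKMS product: a toy X-KRSS service accepts a client-generated key only with a proof of possession, refuses to generate a signing-only pair, and escrows a pair it generated for an encryption key so that Recover can return it. The message types, the digest the proof signs, and a Recover call without caller authentication are simplifications assumed for this example; real X-KRSS carries the proof as an XML Signature over the PrototypeKeyBinding and authenticates every request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"slices"
)

const (
	xkmsNS        = "http://www.w3.org/2002/03/xkms#"
	UseSignature  = xkmsNS + "Signature"
	UseEncryption = xkmsNS + "Encryption"
)

// PrototypeKeyBinding is the binding the client asks the service to register, reduced to the fields
// this example needs. PublicKey is a DER SubjectPublicKeyInfo; nil asks the service to generate the pair.
type PrototypeKeyBinding struct {
	KeyName   string
	KeyUsage  []string
	PublicKey []byte
}

// digest is what the proof of possession signs: a fixed serialization of the whole binding, so the
// proof also commits to the name and usage and cannot be replayed under another name.
func (b PrototypeKeyBinding) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\n%v\n", b.KeyName, b.KeyUsage)
	h.Write(b.PublicKey)
	return h.Sum(nil)
}

// RegisterRequest carries the binding and, for a client-generated key, an ASN.1 ECDSA signature over
// digest() made with the matching private key.
type RegisterRequest struct {
	Prototype         PrototypeKeyBinding
	ProofOfPossession []byte
}

// Service is a toy X-KRSS service: the bindings it holds and the private keys it escrows.
type Service struct {
	bindings map[string]PrototypeKeyBinding
	escrow   map[string]*ecdsa.PrivateKey
}

func NewService() *Service {
	return &Service{bindings: map[string]PrototypeKeyBinding{}, escrow: map[string]*ecdsa.PrivateKey{}}
}

// Register handles both registration paths; the returned private key is non-nil only when the service generated it.
func (s *Service) Register(req RegisterRequest) (*ecdsa.PrivateKey, error) {
	p := req.Prototype
	if p.PublicKey != nil {
		// Client-generated pair: the public key is accepted only with a valid proof of possession.
		pub, err := x509.ParsePKIXPublicKey(p.PublicKey)
		ecPub, ok := pub.(*ecdsa.PublicKey)
		if err != nil || !ok || !ecdsa.VerifyASN1(ecPub, p.digest(), req.ProofOfPossession) {
			return nil, errors.New("proof of possession failed")
		}
		s.bindings[p.KeyName] = p // nothing escrowed: the service never sees this private key
		return nil, nil
	}
	// Server-generated pair: offered only for keys that will encrypt, since those are the ones worth
	// escrowing for Recover. A signing-only key is neither generated nor kept by the service.
	if !slices.Contains(p.KeyUsage, UseEncryption) {
		return nil, errors.New("service-side generation is limited to Encryption keys")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p.PublicKey, _ = x509.MarshalPKIXPublicKey(&priv.PublicKey)
	s.bindings[p.KeyName] = p
	s.escrow[p.KeyName] = priv
	return priv, nil
}

// Recover returns an escrowed private key (authenticating the caller is out of scope here).
func (s *Service) Recover(keyName string) (*ecdsa.PrivateKey, error) {
	if priv, ok := s.escrow[keyName]; ok {
		return priv, nil
	}
	return nil, errors.New("no escrowed private key for this binding")
}

// ClientRegisterRequest is the client side: it keeps its private key and only proves possession of it.
func ClientRegisterRequest(priv *ecdsa.PrivateKey, name string, usage []string) (RegisterRequest, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return RegisterRequest{}, err
	}
	p := PrototypeKeyBinding{KeyName: name, KeyUsage: usage, PublicKey: der}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, p.digest())
	return RegisterRequest{Prototype: p, ProofOfPossession: sig}, err
}
```

Binding the proof to the whole prototype rather than to the bare key is what stops a registrant from taking someone else's public key, or their own key under a different name, and having the service vouch for the result; the escrow check at the start of the server-generated path is the code form of the rule that signing keys are never stored by the service.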