XKMS Facts

This document provides facts related to XKMS for usage in the written part of my diploma thesis.

General

  • XML Key Management Specification
  • Consists of two parts:
    • XKISS (XML Key Information Service Specification)
      • defines a protocol for resolving or validating public keys contained in signed and encrypted XML documents [Sh03]
    • XKRSS (XML Key Registration Service Specification)
      • defines a protocol for public key registration, revocation and recovery [Sh03]
  • has a reputation for being notoriously difficult to implement [On02]
  • enables PKI services such as trustworthily registering, locating, and validating keys through XML-encoded messages [On02]
  • Because XKMS is service-oriented and uses XML messages, it is only natural that it is implemented as a SOAP-based Web Service, giving it the distinction of not only being useful for securing Web Services, but also being available as a Web Service itself [On02]
  • By leveraging the benefits of XML and by learning from past experiences with pre-XML PKI architectures, XKMS makes PKI practical for common use.
  • Like XML Signature, XKMS eliminates the need for ASN.1 functionality in software that deals with digital certificates. It goes further, however, and can allow XML software to use digital certificates and PKI without the need to implement cryptography algorithms. This is useful for software developers, many of whom may not have the time or inclination to delve into cryptography or employ cryptography toolkits.
  • serves as a protocol specification between an XKMS client and an XKMS server in which the XKMS server provides trust services to its clients (in the form of Web services) by performing various PKI (public key infrastructure) operations, such as public key validation, registration, recovery, and revocation on behalf of the clients [Sh03]
  • PKI operations such as public key validation, registration, recovery, and revocation are complex and require large amounts of computing resources, which prevents some applications and small devices such as cell phones from participating in PKI-based e-commerce or Web services transactions [Sh03]

What is XKMS?

Article found: XML Security: Implement security layers, Part 2 - Core technologies -- XML encryption and XML signature [Ve03b]
Fact: XKMS allows for easy management of public key infrastructure (PKI) by abstracting the complexity of managing the PKI from client applications to a trusted third party.

XKISS : XML Key Information Service

Article found: Sicherheit [Eckert]
Fact:
Tier 0: GET Certificate

  • Key extraction by the client
  • Certificate validation by the client
Tier 1: GET KeyValue

  • Key extraction by the trust service
  • Certificate validation by the client
Tier 2: GET KeyValue and Validity Status

  • Key extraction by the trust service
  • Certificate validation by the trust service
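Added example (not from the cited sources) of how a client has to treat Tier 1 and Tier 2 responses differently: a Locate service only hands back an UnverifiedKeyBinding, so the client still validates the certificate itself, while a Validate service returns a KeyBinding whose Status the client should accept only when it is Valid with every reason code. The two messages are constructed, trimmed samples (Id and Service attributes omitted) using the XKMS 2.0 and XML Signature namespaces.

```python
import xml.etree.ElementTree as ET
XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Reason codes a Tier 2 Validate service asserts for a fully validated binding.
ALL_REASONS = {XKMS + r for r in ("IssuerTrust", "RevocationStatus", "ValidityInterval", "Signature")}

# Constructed, trimmed sample responses (not captured traffic; Id/Service attributes omitted).
LOCATE_RESULT = f"""<LocateResult xmlns="{XKMS}" xmlns:ds="{DS}" ResultMajor="{XKMS}Success">
  <UnverifiedKeyBinding>
    <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
      <ds:Modulus>xMod123=</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
    </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
  </UnverifiedKeyBinding>
</LocateResult>"""

VALIDATE_RESULT = f"""<ValidateResult xmlns="{XKMS}" xmlns:ds="{DS}" ResultMajor="{XKMS}Success">
  <KeyBinding>
    <ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
      <ds:Modulus>xMod123=</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
    </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>
    <Status StatusValue="{XKMS}Valid">
      <ValidReason>{XKMS}IssuerTrust</ValidReason>
      <ValidReason>{XKMS}RevocationStatus</ValidReason>
      <ValidReason>{XKMS}ValidityInterval</ValidReason>
      <ValidReason>{XKMS}Signature</ValidReason>
    </Status>
  </KeyBinding>
</ValidateResult>"""

def interpret(xml_text):
    """Return (tier, modulus, verdict); verdict is 'verify-locally' (Tier 1) or 'accept'/'reject' (Tier 2)."""
    root = ET.fromstring(xml_text)
    if root.get("ResultMajor") != XKMS + "Success":
        raise ValueError("service did not report Success")
    if root.tag == f"{{{XKMS}}}LocateResult":
        # Tier 1: the binding is explicitly unverified, so the client must still check the certificate.
        binding = root.find(f"{{{XKMS}}}UnverifiedKeyBinding")
        tier, verdict = 1, "verify-locally"
    elif root.tag == f"{{{XKMS}}}ValidateResult":
        # Tier 2: accept only a Valid status backed by every reason code; anything else is unusable.
        binding = root.find(f"{{{XKMS}}}KeyBinding")
        status = binding.find(f"{{{XKMS}}}Status")
        reasons = {r.text.strip() for r in status.findall(f"{{{XKMS}}}ValidReason")}
        ok = status.get("StatusValue") == XKMS + "Valid" and reasons == ALL_REASONS
        tier, verdict = 2, "accept" if ok else "reject"
    else:
        raise ValueError("not an XKISS LocateResult or ValidateResult")
    modulus = binding.find(f".//{{{DS}}}Modulus").text.strip()
    return tier, modulus, verdict
```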

XKRSS : XML Key Registration Service