cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > XML Key Management Service (XKMS)
Date Wed, 01 May 2013 19:34:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/XML+Key+Management+Service+%28XKMS%29">XML
Key Management Service (XKMS)</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~ashakirin">Andrei
Shakirin</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h2. XKMS Specification <br>
<br></td></tr>
            <tr><td class="diff-changed-lines" >W3C specifies standard protocol
to distribute and register public <span class="diff-changed-words">keys<span class="diff-added-chars"style="background-color:
#dfd;">, certificates and CAs</span></span> that can be used for XML-based
cryptography, including signature and encryption: [XML Key Management Specification|http://www.w3.org/TR/xkms2/]
(XKMS 2.0). <br></td></tr>
            <tr><td class="diff-unchanged" >The XKMS Specification comprises two
parts – the XML Key Information Service Specification (XKISS) describing the runtime aspects
of key lookup and certificate validation and the XML Key Registration Service Specification
(XKRSS) describing the administrative aspects of registering, renewing, revoking and recovering
certificates. <br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="XMLKeyManagementService%28XKMS%29-XMLKeyManagementService%28XKMS%29"></a>XML
Key Management Service (XKMS)</h1>

<h2><a name="XMLKeyManagementService%28XKMS%29-Usecase"></a>Use case</h2>

<p>CXF security uses asymmetric algorithms for different purposes: encryption of symmetric
keys and payloads, signing security tokens and messages, proof of possession.<br/>
Normally the public keys (in form of X509 certificates) are stored in java keystores.</p>

<p>For example, if sender encrypts the message payload sending to the receiver, he should
have access to receiver certificate saved in local keystore. <br/>
The sender uses this certificate for message encryption and receiver decrypts request with
corresponded own private key:</p>


<p><span class="image-wrap" style=""><img src="/confluence/download/attachments/31820321/classic-message-encryption.jpg?version=1&amp;modificationDate=1367436712000"
style="border: 0px solid black" /></span></p>


<p>Seems to be OK? Imagine now that you have production environment with 100 different
clients of this service and service certificate is expired. You should reissue and replace
certificate in ALL client keystores! Even more, if keystores are packaged into war files or
OSGi bundles – they should be unpackaged and updated. Not really acceptable for enterprise
environments.</p>

<p>Therefore large service landscapes support central certificates management. It means
that X509 certificates are not stored locally in keystores, but are provided and administrated
centrally.</p>

<p>Normally it is a responsibility of <a href="http://en.wikipedia.org/wiki/Public-key_infrastructure"
class="external-link" rel="nofollow">Public Key Infrastructure</a> (PKI) established
in organization. PKI is responsible to create, manage, store, distribute, synchronize and
revoke public certificates and certification authorities (CAs).</p>

<h2><a name="XMLKeyManagementService%28XKMS%29-XKMSSpecification"></a>XKMS
Specification</h2>

<p>W3C specifies standard protocol to distribute and register public keys, certificates
and CAs that can be used for XML-based cryptography, including signature and encryption: <a
href="http://www.w3.org/TR/xkms2/" class="external-link" rel="nofollow">XML Key Management
Specification</a> (XKMS 2.0).<br/>
The XKMS Specification comprises two parts – the XML Key Information Service Specification
(XKISS) describing the runtime aspects of key lookup and certificate validation and the XML
Key Registration Service Specification (XKRSS) describing the administrative aspects of registering,
renewing, revoking and recovering certificates.</p>
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/XML+Key+Management+Service+%28XKMS%29">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=31820321&revisedVersion=2&originalVersion=1">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/CXF20DOC/XML+Key+Management+Service+%28XKMS%29?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message