cxf-dev mailing list archives

From "Dennis" <denn...@cox.net>
Subject RE: KMIP Support in CXF (ReST & SOAP)
Date Tue, 02 Jun 2015 16:08:51 GMT
Hello,

If you look at the RSA Conference Demos for the last 5 years where KMIP was used to address/test
a stack of HSMs, then yes, it is more widespread than XKMS.

Dennis

-----Original Message-----
From: Sergey Beryozkin [mailto:sberyozkin@gmail.com] 
Sent: Tuesday, June 02, 2015 11:59 AM
To: dev@cxf.apache.org
Subject: Re: KMIP Support in CXF (ReST & SOAP)

Hi

Andrei Shakirin who worked on getting the XKMS code contribution added to CXF is off till
next week, he may have an opinion; IMHO it is good to have multiple relevant options supported
but I'm not sure how easy it is to do KMIP.

Cheers, Sergey

On 02/06/15 09:08, Yossi Cohen wrote:
> Hi,
>
>
>
> We are currently evaluating several technologies for public/private 
> key distribution and rotation and I have two questions I was hoping CXF Dev.
> could address:
>
>
>
> 1. I noticed CXF added support in XKMS for public keys (e.g., for
> SAML token validation). It appears though that the adoption of KMIP
> <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol>
> in industry is more extensive than the adoption of XKMS
> <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
> support for KMIP? Are there any plans to add this capability and if
> yes in which version?
>
> 2. For key rotation we need the previous public key to be left active
> side-by-side with the new public key until all signatures signed using 
> the previous private key are no longer in use (e.g., after session expiration).
> To support that, we need to be able to customize CXF and implement 
> logic that tries first to validate the signature using the new public 
> and upon failure, attempt to re-validate the signature using the 
> previous public key. That way we guarantee that we don’t break 
> existing sessions. WDYT about the logic? If you come to implement KMIP 
> support in CXF, please beware of such customization need.
>
>   *Best Regards,*
> *Yossi Cohen*
>


--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
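
The rotation fallback described in the quoted message (validate with the new public key first, then retry with the previous one), as an added Java example that is not part of the thread and not CXF code. The class name, the grace deadline after which the previous key is refused, and the generated keys and token are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
// Added illustration; class and method names are hypothetical, not CXF API.
public class RotatingSignatureVerifier {
    private final PublicKey current;
    private final PublicKey previous;       // may be null once retired
    private final Instant previousExpires;  // assumed grace deadline, e.g. maximum session lifetime

    RotatingSignatureVerifier(PublicKey current, PublicKey previous, Instant previousExpires) {
        this.current = current; this.previous = previous; this.previousExpires = previousExpires;
    }

    /** Try the new key first; fall back to the previous key only inside the grace window. */
    boolean verify(byte[] data, byte[] sig, Instant now) throws GeneralSecurityException {
        if (check(current, data, sig)) return true;
        return previous != null && now.isBefore(previousExpires) && check(previous, data, sig);
    }

    private static boolean check(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        try {
            return s.verify(sig);
        } catch (SignatureException e) {
            return false; // a malformed signature is a failed match, not a reason to abort
        }
    }

    private static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair oldPair = gen.generateKeyPair(), newPair = gen.generateKeyPair(); // constructed test keys
        byte[] token = "constructed-session-token".getBytes(StandardCharsets.UTF_8);
        byte[] oldSig = sign(oldPair.getPrivate(), token), newSig = sign(newPair.getPrivate(), token);
        Instant now = Instant.now(), deadline = now.plusSeconds(1800);
        RotatingSignatureVerifier v = new RotatingSignatureVerifier(newPair.getPublic(), oldPair.getPublic(), deadline);
        System.out.println(v.verify(token, newSig, now));                     // signed with the new key
        System.out.println(v.verify(token, oldSig, now));                     // previous key, inside the grace window
        System.out.println(v.verify(token, oldSig, deadline.plusSeconds(1))); // previous key, after retirement
    }
}
```

Bounding the fallback with a deadline keeps the previous key from remaining trusted indefinitely once the sessions it signed have expired.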

