cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: KMIP Support in CXF (ReST & SOAP)
Date Tue, 02 Jun 2015 15:59:15 GMT
Hi

Andrei Shakirin who worked on getting the XKMS code contribution added 
to CXF is off till next week, he may have an opinion; IMHO it is good to 
have multiple relevant options supported but I'm not sure how easy it is 
to do KMIP.

Cheers, Sergey

On 02/06/15 09:08, Yossi Cohen wrote:
> Hi,
>
> We are currently evaluating several technologies for public/private key
> distribution and rotation and I have two questions I was hoping CXF Dev.
> could address:
>
> 1. I noticed CXF added support in XKMS for public keys (e.g., for
> SAML token validation). It appears though that the adoption of KMIP
> <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol> in
> industry is more extensive than the adoption of XKMS
> <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
> support for KMIP? Are there any plans to add this capability and if yes in
> which version?
>
> 2. For key rotation we need the previous public key to be left active
> side-by-side with the new public key until all signatures signed using the
> previous private key are no longer in use (e.g., after session expiration).
> To support that, we need to be able to customize CXF and implement logic
> that tries first to validate the signature using the new public and upon
> failure, attempt to re-validate the signature using the previous public
> key. That way we guarantee that we don’t break existing sessions. WDYT
> about the logic? If you come to implement KMIP support in CXF, please
> beware of such customization need.
>
>   *Best Regards,*
> *Yossi Cohen*
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
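
Added example, not part of the original thread and not CXF code: the fallback validation described in question 2 (new public key first, previous public key on failure), written with plain java.security. The class and method names are hypothetical, and the notAfter cutoff on the previous key is an assumed stand-in for "until signatures made with the previous key are no longer in use".

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.List;

// Added illustration: not CXF or WSS4J API. All names here are hypothetical.
public class RotatingVerifier {
    // A trusted public key and the instant after which it must no longer be accepted.
    record TrustedKey(String id, PublicKey key, Instant notAfter) {}

    // Try keys in list order (new key first, previous key second). Returns the id
    // of the key that verified the signature, or null if none did.
    static String verify(List<TrustedKey> keys, byte[] data, byte[] sig, Instant now)
            throws GeneralSecurityException {
        for (TrustedKey k : keys) {
            if (now.isAfter(k.notAfter())) continue; // retired key: never fall back to it
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(k.key());
            v.update(data);
            try {
                if (v.verify(sig)) return k.id();    // caller can log which key matched
            } catch (SignatureException e) {
                // signature malformed for this key: count as a failure, try the next key
            }
        }
        return null;
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair previous = gen.generateKeyPair(), current = gen.generateKeyPair();
        Instant now = Instant.now();
        // Constructed policy: the previous key stays acceptable for one more hour.
        List<TrustedKey> keys = List.of(
            new TrustedKey("current", current.getPublic(), now.plusSeconds(86400)),
            new TrustedKey("previous", previous.getPublic(), now.plusSeconds(3600)));
        byte[] msg = "constructed sample token".getBytes(StandardCharsets.UTF_8);
        byte[] oldSig = sign(previous.getPrivate(), msg);
        System.out.println("old signature, inside grace period: " + verify(keys, msg, oldSig, now));
        System.out.println("new signature: " + verify(keys, msg, sign(current.getPrivate(), msg), now));
        System.out.println("old signature, after cutoff: " + verify(keys, msg, oldSig, now.plusSeconds(7200)));
    }
}
```

Returning the id of the matching key lets a deployment count how often the previous key is still being used before removing it from the list.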
