cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: KMIP Support in CXF (ReST & SOAP)
Date Thu, 04 Jun 2015 13:33:17 GMT
Just a quick note regarding a possible alternative approach to 
supporting a key rotation for JAX-RS (REST) services.

CXF now supports JWS/JWE/JWK for signing/encrypting the regular HTTP 
payloads; a JWS and/or JWE header can use a 'kid' property:

https://tools.ietf.org/html/rfc7515#section-4.1.4

to signal a key change.
I'll have a look at the optional support for this property inside the 
consuming CXF JWS/JWE filters to make it done automatically, with a 
possible fallback to the current/'old' key.

Cheers, Sergey


On 02/06/15 17:19, Dennis wrote:
> Hello,
>
> In supplement to previous note:
>
> https://wiki.oasis-open.org/kmip/KnownKMIPImplementations
>
> Dennis
>
> -----Original Message-----
> From: Dennis [mailto:dennisk@cox.net]
> Sent: Tuesday, June 02, 2015 12:09 PM
> To: dev@cxf.apache.org
> Subject: RE: KMIP Support in CXF (ReST & SOAP)
>
> Hello,
>
> If you look at the RSA Conference Demos for the last 5 years where KMIP was used to address/test
> a stack of HSMs, then yes, it is more widespread than XKMS.
>
> Dennis
>
> -----Original Message-----
> From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]
> Sent: Tuesday, June 02, 2015 11:59 AM
> To: dev@cxf.apache.org
> Subject: Re: KMIP Support in CXF (ReST & SOAP)
>
> Hi
>
> Andrei Shakirin who worked on getting the XKMS code contribution added to CXF is off
> till next week, he may have an opinion; IMHO it is good to have multiple relevant options
> supported but I'm not sure how easy it is to do KMIP.
>
> Cheers, Sergey
>
> On 02/06/15 09:08, Yossi Cohen wrote:
>> Hi,
>>
>>
>>
>> We are currently evaluating several technologies for public/private
>> key distribution and rotation and I have two questions I was hoping CXF Dev.
>> could address:
>>
>>
>>
>> 1. I noticed CXF added support in XKMS for public keys (e.g., for
>> SAML token validation). It appears though that the adoption of KMIP
>> <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol>
>> in industry is more extensive than the adoption of XKMS
>> <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
>> support for KMIP? Are there any plans to add this capability and if
>> yes in which version?
>>
>> 2. For key rotation we need the previous public key to be left active
>> side-by-side with the new public key until all signatures signed using
>> the previous private key are no longer in use (e.g., after session expiration).
>> To support that, we need to be able to customize CXF and implement
>> logic that tries first to validate the signature using the new public
>> and upon failure, attempt to re-validate the signature using the
>> previous public key. That way we guarantee that we don’t break
>> existing sessions. WDYT about the logic? If you come to implement KMIP
>> support in CXF, please beware of such customization need.
>>
>> *Best Regards,*
>> *Yossi Cohen*
>>
>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>
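The 'kid'-driven key selection with a fallback to the previous key, as Sergey sketches above and as Yossi's second question asks for, written out as an added Python example; this is not CXF code. It uses HS256 (an HMAC secret) so it runs with the standard library alone, and the keyring, key ids and secrets are constructed; with asymmetric keys the selection logic is identical, with the public keys in the keyring.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload: dict, key: bytes, kid: Optional[str]) -> str:
    # Compact JWS (RFC 7515). 'kid' is optional: a signer that predates rotation may omit it.
    header = {"alg": "HS256"}
    if kid is not None:
        header["kid"] = kid
    parts = [_b64url(json.dumps(h, separators=(",", ":")).encode()) for h in (header, payload)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_jws(token: str, keyring: dict, current_kid: str,
               previous_kid: Optional[str]) -> Tuple[str, dict]:
    """Return (kid that verified, payload) or raise ValueError.

    An explicit 'kid' is authoritative and must name a key still in the keyring
    (current or previous); it never falls back to a different key.
    Without 'kid', the current key is tried first, then the previous one.
    """
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; the token does not get to choose it
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if kid is not None:
        candidates = [kid] if kid in keyring else []
    else:
        candidates = [k for k in (current_kid, previous_kid) if k in keyring]
    signing_input = (h_b64 + "." + p_b64).encode("ascii")
    sig = _b64url_decode(s_b64)
    for cand in candidates:
        expected = hmac.new(keyring[cand], signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return cand, json.loads(_b64url_decode(p_b64))
    raise ValueError("signature does not verify under any permitted key")


# Constructed keyring: 'k2' is the current key, 'k1' the previous one kept during the overlap.
KEYRING = {"k1": b"previous-hmac-key-constructed-0001", "k2": b"current-hmac-key-constructed-0002"}
```

Once every session signed under 'k1' has expired, dropping 'k1' from the keyring is what retires it; tokens naming a retired 'kid' are rejected rather than retried against other keys.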

