cxf-dev mailing list archives

From Yossi Cohen <yossi2co...@gmail.com>
Subject KMIP Support in CXF (ReST & SOAP)
Date Tue, 02 Jun 2015 08:08:57 GMT
Hi,

We are currently evaluating several technologies for public/private key
distribution and rotation and I have two questions I was hoping CXF Dev.
could address:

1. I noticed CXF added support in XKMS for public keys (e.g., for
SAML token validation). It appears though that the adoption of KMIP
<http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol> in
industry is more extensive than the adoption of XKMS
<http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
support for KMIP? Are there any plans to add this capability and, if yes, in
which version?

2. For key rotation we need the previous public key to be left active
side-by-side with the new public key until all signatures signed using the
previous private key are no longer in use (e.g., after session expiration).
To support that, we need to be able to customize CXF and implement logic
that tries first to validate the signature using the new public key and, upon
failure, attempts to re-validate the signature using the previous public
key. That way we guarantee that we don't break existing sessions. WDYT
about the logic? If you come to implement KMIP support in CXF, please
be aware of such a customization need.

 *Best Regards,*
*Yossi Cohen*
