cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrei Shakirin <ashaki...@talend.com>
Subject RE: KMIP Support in CXF (ReST & SOAP)
Date Thu, 11 Jun 2015 10:52:43 GMT
Hi Yossi,

Sorry for huge delay with a response.

Indeed, KMIP is currently widely adopted in industry as XKMS. Supporting XKMS was the pragmatic
solution for CXF, because it provide enough functionality and it is quite easy and quick to
implement. As Sergei said, will be nice to provide additional option to manage the keys for
the users, however there are no any concrete plans at the moment. Are you interested to make
some KMIP relevant contribution in CXF?

Regarding the second question:
Strongly said, from pure security point of view, validation the signatures with expired certificates
have to be failed.
The sense of signature verification and the trust chain is that all of the certificates are
correct.
So the best practice here will be to renew certificates in advance, before the signing, if
certificate rest validity period is smaller as session live time.
However, I have seen the systems what implement the way you described because of pragmatic
reasons.

Regards,
Andrei.

> -----Original Message-----
> From: Yossi Cohen [mailto:yossi2cohen@gmail.com]
> Sent: Dienstag, 2. Juni 2015 10:09
> To: dev@cxf.apache.org
> Subject: KMIP Support in CXF (ReST & SOAP)
> 
> Hi,
> 
> 
> 
> We are currently evaluating several technologies for public/private key
> distribution and rotation and I have two questions I was hoping CXF Dev.
> could address:
> 
> 
> 
> 1.       I noticed CXF added support in XKMS for public keys (e.g., for
> SAML token validation). It appears though that the adoption of KMIP
> <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol> in
> industry is more extensive than the adoption of XKMS
> <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
> support for KMIP? Are there any plans to add this capability and if yes in which
> version?
> 
> 2.       For key rotation we need the previous public key to be left active
> side-by-side with the new public key until all signatures signed using the
> previous private key are no longer in use (e.g., after session expiration).
> To support that, we need to be able to customize CXF and implement logic that
> tries first to validate the signature using the new public and upon failure,
> attempt to re-validate the signature using the previous public key. That way we
> guarantee that we don’t break existing sessions. WDYT about the logic? If you
> come to implement KMIP support in CXF, please beware of such customization
> need.
> 
>  *Best Regards,*
> *Yossi Cohen*
Mime
View raw message