Message-ID: <5570539D.4030009@gmail.com>
Date: Thu, 04 Jun 2015 14:33:17 +0100
From: Sergey Beryozkin
To: dev@cxf.apache.org
Subject: Re: KMIP Support in CXF (ReST & SOAP)
References: <006201d09d4f$ee1b7b20$ca527160$@cox.net>
In-Reply-To: <006201d09d4f$ee1b7b20$ca527160$@cox.net>

Just a quick note regarding a possible alternative approach to supporting key rotation for JAX-RS (REST) services. CXF now supports JWS/JWE/JWK for signing/encrypting the regular HTTP payloads; a JWS and/or JWE header can use a 'kid' property (https://tools.ietf.org/html/rfc7515#section-4.1.4) to signal a key change.
I'll have a look at the optional support for this property inside the consuming CXF JWS/JWE filters to make it done automatically, with a possible fallback to the current/'old' key.

Cheers, Sergey

On 02/06/15 17:19, Dennis wrote:
> Hello,
>
> In supplement to previous note:
>
> https://wiki.oasis-open.org/kmip/KnownKMIPImplementations
>
> Dennis
>
> -----Original Message-----
> From: Dennis [mailto:dennisk@cox.net]
> Sent: Tuesday, June 02, 2015 12:09 PM
> To: dev@cxf.apache.org
> Subject: RE: KMIP Support in CXF (ReST & SOAP)
>
> Hello,
>
> If you look at the RSA Conference Demos for the last 5 years where KMIP was used to address/test a stack of HSMs, the Yes, it is more widespread than XKMS.
>
> Dennis
>
> -----Original Message-----
> From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]
> Sent: Tuesday, June 02, 2015 11:59 AM
> To: dev@cxf.apache.org
> Subject: Re: KMIP Support in CXF (ReST & SOAP)
>
> Hi
>
> Andrei Shakirin, who worked on getting the XKMS code contribution added to CXF, is off till next week; he may have an opinion. IMHO it is good to have multiple relevant options supported, but I'm not sure how easy it is to do KMIP.
>
> Cheers, Sergey
>
> On 02/06/15 09:08, Yossi Cohen wrote:
>> Hi,
>>
>> We are currently evaluating several technologies for public/private key distribution and rotation and I have two questions I was hoping CXF Dev. could address:
>>
>> 1. I noticed CXF added support in XKMS for public keys (e.g., for SAML token validation). It appears though that the adoption of KMIP in industry is more extensive than the adoption of XKMS. Does it make sense for CXF to add support for KMIP? Are there any plans to add this capability and if yes in which version?
>>
>> 2. For key rotation we need the previous public key to be left active side-by-side with the new public key until all signatures signed using the previous private key are no longer in use (e.g., after session expiration). To support that, we need to be able to customize CXF and implement logic that tries first to validate the signature using the new public key and, upon failure, attempts to re-validate the signature using the previous public key. That way we guarantee that we don't break existing sessions. WDYT about the logic? If you come to implement KMIP support in CXF, please beware of such customization need.
>>
>> *Best Regards,*
>> *Yossi Cohen*
>>
>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>
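The two ideas in this thread, Sergey's 'kid'-driven key selection and Yossi's "try the new public key, then fall back to the previous one" verification, can be put side by side in a small verifier. The following is an added example and is not CXF code or anything from the thread's authors: it implements compact RS256 JWS signing and verification directly on the Go standard library rather than through CXF's JOSE filters, and the key set semantics (`NewKeySet`, `Rotate`, `Retire`, `Verify`) and the kid values "2015-05"/"2015-06" are assumptions made for the demonstration. With a 'kid' header present, exactly one key is tried and an unknown kid is rejected; without a 'kid', the current key is tried first and the previous key second, which is the fallback both messages describe.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwsHeader is the protected header of a compact JWS (RFC 7515); 'kid'
// (section 4.1.4) names the key the signer used.
type jwsHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

var b64 = base64.RawURLEncoding

// Sign produces a compact RS256 JWS; kid may be "" to mimic a client that does not signal its key.
func Sign(priv *rsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, err := json.Marshal(jwsHeader{Alg: "RS256", Kid: kid})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// KeySet keeps the current public key and, during a rotation window, the
// previous one, so signatures made before the rotation still validate.
type KeySet struct {
	current, previous string
	keys              map[string]*rsa.PublicKey
}

func NewKeySet() *KeySet { return &KeySet{keys: map[string]*rsa.PublicKey{}} }

// Rotate installs a new current key and demotes the old one to "previous"; anything older is dropped.
func (ks *KeySet) Rotate(kid string, pub *rsa.PublicKey) {
	delete(ks.keys, ks.previous)
	ks.previous, ks.current = ks.current, kid
	ks.keys[kid] = pub
}

// Retire drops the previous key once every signature made with it has expired (e.g. after session expiry).
func (ks *KeySet) Retire() {
	delete(ks.keys, ks.previous)
	ks.previous = ""
}

// Verify validates a compact JWS and returns its payload and the kid that verified it.
// A 'kid' header selects exactly one key (an unknown kid is rejected, not guessed);
// without a kid, the current key is tried first and the previous key second.
func (ks *KeySet) Verify(token string) ([]byte, string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, "", errors.New("malformed compact JWS")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, "", err
	}
	var hdr jwsHeader
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, "", err
	}
	// The header is attacker-controlled: pin the algorithm rather than letting the token choose it.
	if hdr.Alg != "RS256" {
		return nil, "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	candidates := []string{hdr.Kid}
	if hdr.Kid == "" {
		candidates = []string{ks.current, ks.previous}
	}
	for _, kid := range candidates {
		if pub, ok := ks.keys[kid]; ok &&
			rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			payload, err := b64.DecodeString(parts[1])
			return payload, kid, err
		}
	}
	return nil, "", errors.New("signature did not verify against any active key")
}
```

The design choice worth noting is that the fallback only applies when the token carries no 'kid': once a signer does signal its key, accepting a different key on failure would turn the hint into a way to probe every active key, so an unknown or non-matching kid is simply rejected. `Retire` is the step Yossi's message leaves to the deployer: the previous key stays active only as long as the longest-lived signature made with it.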