The W3C XML Key Management Working Group has published three new working drafts. The XML Key Management Specification (XKMS 2.0) WD "specifies protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signatures developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and an anticipated companion standard for XML encryption. The XML Key Management Specification (XKMS) comprises two parts: (1) the XML Key Information Service Specification (X-KISS) is a protocol to support the delegation by an application to a service of the processing of Key Information associated with an XML signature, XML encryption, or other public key; its functions include the location of required public keys and describing the binding of such keys to identification information; (2) the XML Key Registration Service Specification (X-KRSS) is a protocol to support the registration of a key pair by a key pair holder, with the intent that the key pair subsequently be usable in conjunction with the XML Key Information Service Specification or higher level trust assertion service such as XML Trust Assertion Service Specification (XTASS). These protocols do not require any particular underlying public key infrastructure (such as X.509) but are designed to be compatible with such infrastructures." The Last Call XML Key Management (2.0) Requirements Working Draft "lists the design principles, scope and requirements for XML Key Management specifications and trust server key management implementations. It includes requirements as they relate to the key management syntax, processing, security and coordination with other standards activities." The XML Key Management Specification Bulk Operation (X-BULK) WD is the first X-BULK draft from the Working Group. 
X-BULK "extends the XML Key Management Specification (XKMS) protocol to encompass the bulk registration operations necessary for interfacing with such systems as smart card management systems. X-BULK is defined in terms of structures expressed in the XML Schema Language XML-Schema and web services description language (WSDL)."
Bibliographic details:
XML Key Management Specification (XKMS 2.0). W3C Working Draft 18-March-2002. Edited by Phillip Hallam-Baker (VeriSign). Version URL: http://www.w3.org/TR/2002/WD-xkms2-20020318/. Latest version URL: http://www.w3.org/TR/xkms2/.
XML Key Management (2.0) Requirements. W3C Working Draft 18-March-2002. Edited by Frederick Hirsch; Mike Just (Entrust, Inc.). Version URL: http://www.w3.org/TR/2002/WD-xkms2-req-20020318. Latest version URL: http://www.w3.org/TR/xkms2-req.
XML Key Management Specification Bulk Operation (X-BULK). W3C Working Draft 18-March-2002. Edited by Merlin Hughes (Baltimore Technologies). Version URL: http://www.w3.org/TR/2002/WD-xkms2-xbulk-20020318/. Latest version URL: http://www.w3.org/TR/xkms2-xbulk/.
X-BULK Overview: "XKMS currently addresses one-by-one registration (X-KRSS) and key information and validation services (X-KISS). However, we feel that a standard must also address bulk issuance cases and are proposing that an X-BULK specification, built on the basis of X-KRSS be included in scope of the work... X-BULK defines a batch element that can contain registration requests, responses and status requests. The basic idea is that a single batch can contain a number of independently referencable requests or responses. Batches are produced both from the requestor and responder. A responder will process an entire batch and produce a single batch of responses after processing... The use cases where X-BULK is required include: (1) Smart card factories for enterprise, wireless and cable-modem applications; (2) Device factories in general [e.g., TCPA-like TPM modules]; (3) To handle functionality analogous to separated RAs and CAs from the X.509 world. Key differences between X-KRSS and X-BULK include: (1) X-BULK is required to correlate batches of requests and responses. (2) X-KRSS doesn't support some legacy key registration formats (e.g., PKCS#10), which are important for existing hardware modules. (3) Authentication and response profiling should be at the level of the batch, not the individual request. (4) Batch status is not the same as key status. (5) X-BULK addresses interfacing with card administration and deployment back-end servers (a.k.a. card management systems). X-BULK does however reuse element definitions from the current X-KRSS specification. Separating bulk from one-by-one registration has the benefit that the separately defined messages required are simpler than if a single message format handling both one-by-one and bulk cases were to be defined. It is also better not to burden a client for one-by-one operation with the additional complexity required in batch operation..." (from the Introduction)
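The batch model described above (one requester batch of independently referenceable requests, one responder batch of responses, correlation by identifier, and batch status kept distinct from per-key status), as an added illustrative example that is not code from the X-BULK draft or the Working Group. The element and attribute names (Batch, RegisterRequest, BatchResponse, RegisterResponse, Id, RequestId, BatchStatus, KeyStatus) are assumptions chosen for illustration, not the specification's schema.

```python
# Added illustration of X-BULK-style batch correlation. Element and attribute
# names are assumptions for this example, not the draft's actual schema.
import xml.etree.ElementTree as ET

# Constructed sample requester batch: each request carries its own Id so the
# matching response can be referenced independently.
REQUEST_BATCH = """<Batch Id="batch-1">
  <RegisterRequest Id="req-1"><KeyName>card-0001</KeyName></RegisterRequest>
  <RegisterRequest Id="req-2"><KeyName>card-0002</KeyName></RegisterRequest>
  <RegisterRequest Id="req-3"><KeyName>card-0003</KeyName></RegisterRequest>
</Batch>"""

def process_batch(batch_xml, accept):
    """Responder side: process the entire batch and emit a single response
    batch. BatchStatus says the batch was processed; each KeyStatus is the
    independent outcome for one registration request."""
    root = ET.fromstring(batch_xml)
    resp = ET.Element("BatchResponse", Id="resp-" + root.get("Id"),
                      RequestId=root.get("Id"))
    for req in root.findall("RegisterRequest"):
        name = req.findtext("KeyName")
        r = ET.SubElement(resp, "RegisterResponse", RequestId=req.get("Id"))
        r.set("KeyStatus", "Valid" if accept(name) else "Invalid")
    # Batch status is not key status: a batch can succeed while keys are rejected.
    resp.set("BatchStatus", "Success")
    return ET.tostring(resp, encoding="unicode")

def correlate(request_xml, response_xml):
    """Requester side: match the response batch to the request batch, then
    each response to its request by Id, rejecting unexpected or duplicate
    responses and reporting requests that received none."""
    req_root = ET.fromstring(request_xml)
    resp_root = ET.fromstring(response_xml)
    if resp_root.get("RequestId") != req_root.get("Id"):
        raise ValueError("response batch does not correlate to request batch")
    expected = {r.get("Id") for r in req_root.findall("RegisterRequest")}
    results = {}
    for r in resp_root.findall("RegisterResponse"):
        rid = r.get("RequestId")
        if rid not in expected or rid in results:
            raise ValueError(f"unexpected or duplicate response for {rid}")
        results[rid] = r.get("KeyStatus")
    missing = sorted(expected - set(results))
    return resp_root.get("BatchStatus"), results, missing
```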
From the XML Key Management (XKMS) Activity Statement: "Work on XKMS is being managed as part of W3C's Technology and Society domain. The XML Signature and XML Encryption Activities focus on the processes of signature and encryption, not on how a cryptographic key, necessary to these processes, is actually obtained. Consequently, there is a requirement that simple XML based clients be able to securely obtain keys, including those from pre-existing Public Key Infrastructures (PKI). The role of this XKMS Activity is to satisfy these requirements in a manner that is consistent with the XML and XML Signature architectural approach."
Principal references:
- XML Key Management Specification (XKMS 2.0)
- XML Key Management (2.0) Requirements
- XML Key Management Specification Bulk Operation (X-BULK)
- XML Key Management Working Group
- XML Key Management (XKMS) Activity Statement
- Index of 2001/XKMS/Drafts
- Mailing list archives for 'www-xkms'
- "XML Key Management Specification (XKMS)" - Main reference page.