The W3C XML Key Management Working Group has released a Proposed Recommendation for the XKMS specification version 2.0, including XML Key Management Specification (XKMS 2.0) and XML Key Management Specification (XKMS 2.0) Bindings. The Working Group invites review and public comment on the PR through June 03, 2005.
Operating within the W3C Technology and Society Domain, the XML Key Management (XKMS) Activity "specifies protocols for distributing and registering public keys, suitable for use with the standard for XML Signatures defined by W3C and the Internet Engineering Task Force (IETF) and its companion standard for XML encryption." The Working Group was chartered to build upon the March 2001 XML Key Management Specification (XKMS) submitted to W3C by VeriSign Inc, Microsoft Corporation, and webMethods Inc.
As presented in the May 2003 XML Key Management (XKMS 2.0) Requirements, XML-based public key management "should be designed to meet two general goals. The first is to support a simple client's ability to make use of sophisticated key management functionality. This simple client is not concerned with the details of the infrastructure required to support the public key management but may choose to work with X.509 certificates if able to manage the details . The second goal is to provide public key management support to XML applications that is consistent with the XML architectural approach. In particular, it is a goal of XML key management to support the public key management requirements of XML Encryption, XML Digital Signature, and to be consistent with the Security Assertion Markup Language (SAML)."
The XML Key Management Specification (XKMS 2.0) is published in two parts: the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). "XKMS does not require any particular underlying public key infrastructure (such as X.509) but is designed to be compatible with such infrastructures. The X-KISS protocol allows an application to delegate to a service the processing of key information associated with an XML signature, XML encryption, or other usage of the XML Signature ds:KeyInfo element. The X-KRSS protocol supports the registration of a key pair by a key pair holder, with the intent that the key pair subsequently be usable in conjunction with X-KISS or a Public Key Infrastructure (PKI) such as X.509 or PKIX."
The XML Key Management Specification (XKMS 2.0) Bindings document defines different protocol bindings with security characteristics for the XML Key Management Specification. Security requirements "vary according to the application: in the case of a free or un-metered service the service may not require authentication of the request. A responder that requires an authenticated request must know in that circumstance that the request corresponds to the specified response." The document addresses Confidentiality, Request Authentication, Response Authentication, Persistent Authentication, Message Correlation (Response Replay and Request Substitution), Request Replay, and Denial of Service.
The XKMS 2.0 Bindings document also describes the Payload Security Protocol (security properties supported by the XKMS payload security features), Security Bindings (use of XKMS payload security features in the context of specific security protocols), and Security Considerations (security considerations relevant to the implementation and deployment of the specification).
Requirements published in the XML Key Management Working Group Charter specified that the XKMS PKI Interface "must be simple and build upon the <ds:KeyInfo> element specified by XML Signature, and that the XML Key Management Activity be coordinated with and use the deliverables of the XML Protocol, XML Schema, XML Signature and XML Encryption activities." Further, all required, recommended, and optional features of the specification must be implemented in at least two independent implementations before being advanced to Proposed Recommendation; these features, and their specification, must be able to interoperate in a secure fashion. Security and privacy concerns must be addressed by the specification."
The XKMS Version 2.0 Proposed Recommendation addresses issues raised following the publication of the Candidate Recommendation on 5-April-2004. A published XKMS Implementation Report summarizes the results of the Candidate Recommendation (CR) interoperability phase that started on 14-September-2004 and ended on 25-January-2005. "Thirty-six test scenarios were specified with a total of seven client implementations and four server implementations, implementing all or part of the tests. Two clients implemented all the tests. An additional client reported success on all tests except for the Optional ones as our reporting rules didn't allow for a developer to report results against his own server. Two servers supported all the tests except for the Optional ones. Only one server supported the Optional tests. Both servers were tested against at least two clients. These tests satisfy the interoperability entrance criteria to Proposed Recommendation (PR). During the CR period, the Working Group received and answered forty-three comments."
A note from W3C XKMS Activity Lead José Kahan indicates that if no serious issues are raised during the Proposed Recommendation review, the Working Group expects to publish the XML Key Management Specification Version 2.0 XKMS by end of June 2005. The XKMS Working Group may be re-chartered for the purpose of specification maintenance and for development of a WSDL XKMS Profile, to be published as a Working Group Note. The WSDL XKMS Profile would enable services to describe which features of XKMS they support.
XML Key Management Specification (XKMS 2.0). Version 2.0. W3C Proposed Recommendation. 2-May-2005. Edited by Phillip Hallam-Baker (VeriSign) and Shivaram H. Mysore. Version URL: http://www.w3.org/TR/2005/PR-xkms2-20050502/. Latest official published version URL: http://www.w3.org/TR/xkms2/. Previous official published version URL: http://www.w3.org/TR/2004/CR-xkms2-20040405/.
Principal contributors: Participants in the Working Group are (at the time of writing, and by alphabetical order): Guillermo Alvaro Rey (Trinity College Dublin), Stephen Farrell (Trinity College Dublin, Co-Chair), José Kahan (W3C, staff contact), Berin Lautenbach (Apache Software Foundation), Tommy Lindberg (Markup Security), Roland Lockhart (Entrust, Inc.), Vamsi Motukuru (Oracle Corp.), Shivaram Mysore (Co-Chair; Editor since 13 Apr 2004), Rich Salz (DataPower Technology, Inc.), Yunhao Zhang (SQLData Systems). Previous participants were (by alphabetical order): Daniel Ash (Identrus), Blair Dillaway (Microsoft), Donald Eastlake 3rd (Motorola), Yassir Elley (Sun Microsystems), Jeremy Epstein (webMethods), Slava Galperin (Sun Microsystems), Phillip Hallam-Baker (VeriSign Inc, Editor until 13 Apr 2004), Loren Hart (VeriSign Inc.), Mack Hicks (Bank of America), Merlin Hughes (Baltimore), Frederick Hirsch (Nokia Mobile Phones), Mike Just (Treasury Board of Canada Secretariat), Brian LaMacchia (Microsoft), Pradeep Lamsal, Joseph Reagle (W3C, previous staff contact), Dave Remy (GeoTrust, Inc.), Peter Rostin (RSA Security Inc.), Ed Simon (XMLsec Inc.)
XML Key Management Specification (XKMS 2.0) Bindings. Version 2.0. W3C Proposed Recommendation. 2-May-2005. Edited by Phillip Hallam-Baker (VeriSign) and Shivaram H. Mysore. Version URL: http://www.w3.org/TR/2005/PR-xkms2-bindings-20050502/. Latest official published version URL: http://www.w3.org/TR/xkms2-bindings/. Previous official published version URL: http://www.w3.org/TR/2004/CR-xkms2-bindings-20040405/.
XML Key Management (XKMS 2.0) Requirements. W3C Note. 05-May-2003. Edited by Frederick Hirsch (Nokia) and Mike Just (Treasury Board of Canada Secretariat - TBS). Version URL: http://www.w3.org/TR/2003/NOTE-xkms2-req-20030505. Latest version URL: http://www.w3.org/TR/xkms2-req. Previous version URL: http://www.w3.org/TR/2002/WD-xkms2-req-20020318.
- XKMS Version 2.0 Candidate Recommendation:
- XML Key Management Specification (XKMS 2.0)
- XML Key Management Specification (XKMS 2.0) Bindings
- W3C news item
- XKMS Version 2.0 Issues List
- XKMS Candidate Recommendation Implementation Report
- XKMS Public Code and Toolkits
- Feedback: Send review comments on the through June 3, 2005 to email@example.com; comments are invited from the W3C Membership and other interested parties.
- XKMS Patent Disclosures and Exclusions
- XKMS Working Group:
- W3C XML Key Management Working Group
- XML Key Management (XKMS) Activity Statement
- XML Key Management Working Group Charter
- XKMS Deliverables
- Contact: TC Chairs Stephen Farrell and Shivaram Mysore.
- Archive of W3C Public List 'www-xkms'. Subscribe by sending email to firstname.lastname@example.org with the word subscribe in the email 'Subject: ' line.
- XML Key Management Specification (XKMS). Submission to W3C from VeriSign Inc, Microsoft Corporation, and webMethods Inc. W3C Note. 30-March-2001.
- XKMS Contributor Policies
- XKMS Participants
- W3C Technology and Society Domain. "Technical building blocks that help address critical public policy issues on the Web."
- "XML Key Management Specification (XKMS)" - Local reference page.
- XML Trust Center resources:
- Related specs xmlenc and xmldsig:
- Earlier XKMS news:
- "W3C Releases Candidate Recommendations for XML Key Management Specification (XKMS 2.0)." News story 2004-04-06.
- "Last Call Working Drafts for W3C XML Key Management Specifications (XKMS)."
- "W3C XML Key Management Working Group Publishes XKMS 2.0 and X-BULK Working Drafts."
- W3C Announces Official XML Key Management Activity."
- W3C XML Key Management Services Workshop."
- XML and Security Standards (Security, Privacy, and Personalization):
- Application Security
- Digital Signatures
- XML and Encryption
- P3P Specification: Platform for Privacy Preferences
- Dialogue Moves Markup Language (DMML)
- XML Digital Signature (IETF/W3C)
- XML Advanced Electronic Signatures (XAdES)
- XML Key Management Specification (XKMS)
- XML Common Biometric Format (XCBF)
- Security Assertion Markup Language (SAML)
- Web Services Security Specification
- Liberty Alliance Specifications for Federated Network Identification and Authorization
- Security Services Markup Language (S2ML)
- Extensible Access Control Markup Language (XACML)
- ANSI/INCITS 359-2004 Role Based Access Control (RBAC) Security Standard
- Enterprise Privacy Authorization Language (EPAL)
- XML Access Control Language (XACL)
- AuthXML Standard for Web Security
- Service Provisioning Markup Language (SPML)
- Intrusion Detection Message Exchange Format
- "Incident Object Description and Exchange Format (IODEF)
- Digital Signatures for Internet Open Trading Protocol (IOTP)
- IETF Securely Available Credentials (SACRED) Working Group
- OASIS PKI Technical Committee
- OASIS PKI Member Section
- OASIS Extensible Resource Identifier (XRI) TC
- Extensible Name Service (XNS)
- XML Encoding of SPKI Certificates
- Digital Receipt Infrastructure Initiative
- Digest Values for DOM (DOMHASH)
- Signed Document Markup Language (SDML)
- Customer Profile Exchange (CPEX) Working Group