The W3C XML Key Management Working Group has released a Proposed Recommendation for the XKMS specification version 2.0, including XML Key Management Specification (XKMS 2.0) and XML Key Management Specification (XKMS 2.0) Bindings. The Working Group invites review and public comment on the PR through June 03, 2005.
Operating within the W3C Technology and Society Domain, the XML Key Management (XKMS) Activity "specifies protocols for distributing and registering public keys, suitable for use with the standard for XML Signatures defined by W3C and the Internet Engineering Task Force (IETF) and its companion standard for XML encryption." The Working Group was chartered to build upon the March 2001 XML Key Management Specification (XKMS) submitted to W3C by VeriSign Inc, Microsoft Corporation, and webMethods Inc.
As presented in the May 2003 XML Key Management (XKMS 2.0) Requirements, XML-based public key management "should be designed to meet two general goals. The first is to support a simple client's ability to make use of sophisticated key management functionality. This simple client is not concerned with the details of the infrastructure required to support the public key management but may choose to work with X.509 certificates if able to manage the details. The second goal is to provide public key management support to XML applications that is consistent with the XML architectural approach. In particular, it is a goal of XML key management to support the public key management requirements of XML Encryption, XML Digital Signature, and to be consistent with the Security Assertion Markup Language (SAML)."
The XML Key Management Specification (XKMS 2.0) is published in two parts: the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). "XKMS does not require any particular underlying public key infrastructure (such as X.509) but is designed to be compatible with such infrastructures. The X-KISS protocol allows an application to delegate to a service the processing of key information associated with an XML signature, XML encryption, or other usage of the XML Signature ds:KeyInfo element. The X-KRSS protocol supports the registration of a key pair by a key pair holder, with the intent that the key pair subsequently be usable in conjunction with X-KISS or a Public Key Infrastructure (PKI) such as X.509 or PKIX."
The XML Key Management Specification (XKMS 2.0) Bindings document defines different protocol bindings with security characteristics for the XML Key Management Specification. Security requirements "vary according to the application: in the case of a free or un-metered service the service may not require authentication of the request. A responder that requires an authenticated request must know in that circumstance that the request corresponds to the specified response." The document addresses Confidentiality, Request Authentication, Response Authentication, Persistent Authentication, Message Correlation (Response Replay and Request Substitution), Request Replay, and Denial of Service.
The XKMS 2.0 Bindings document also describes the Payload Security Protocol (security properties supported by the XKMS payload security features), Security Bindings (use of XKMS payload security features in the context of specific security protocols), and Security Considerations (security considerations relevant to the implementation and deployment of the specification).
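As an added illustration (not code from the specification, the Working Group, or any of the implementations in the report), the following Python sketch builds an X-KISS LocateRequest, lets a toy responder answer it with a LocateResult, and applies the message-correlation checks the Bindings document asks of the client: a result is accepted only if its RequestId names a request that is still outstanding, and a result Id that has already been consumed is refused as a response replay. Element names and the XKMS 2.0 namespace follow the specification; the service URL, the key name, and the directory contents are constructed placeholders. These checks are only meaningful once the result has been authenticated (the Response Authentication property): an unsigned LocateResult can carry any RequestId an attacker chooses, so in a deployment the ds:Signature over the result must be verified before the correlation is trusted.

```python
"""Constructed XKMS 2.0 X-KISS exchange with client-side correlation and replay checks.
Added example; not code from the XKMS specification or Working Group."""
import secrets
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SERVICE = "https://xkms.example.test/xkms"  # hypothetical responder address


def xk(tag):
    return "{%s}%s" % (XKMS, tag)


def ds(tag):
    return "{%s}%s" % (DS, tag)


def fresh_id():
    # Id and RequestId are XML IDs (NCName), so they must not begin with a digit.
    return "I" + secrets.token_hex(16)


# Constructed directory standing in for the responder's backing PKI; the key
# material is a placeholder, not a real RSA modulus.
DIRECTORY = {
    "alice@example.test": {"Modulus": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz", "Exponent": "AQAB"},
}


def build_locate_request(key_name, service=SERVICE):
    """Client side: ask the service for the ds:KeyValue bound to key_name."""
    req = ET.Element(xk("LocateRequest"), {"Id": fresh_id(), "Service": service})
    ET.SubElement(req, xk("RespondWith")).text = XKMS + "KeyValue"
    query = ET.SubElement(req, xk("QueryKeyBinding"))
    key_info = ET.SubElement(query, ds("KeyInfo"))
    ET.SubElement(key_info, ds("KeyName")).text = key_name
    return req


def serve_locate(request_xml, directory=DIRECTORY):
    """Responder side: answer with a LocateResult whose RequestId echoes the request Id."""
    req = ET.fromstring(request_xml)
    if req.tag != xk("LocateRequest"):
        raise ValueError("not a LocateRequest")
    key_name = req.findtext(xk("QueryKeyBinding") + "/" + ds("KeyInfo") + "/" + ds("KeyName"))
    res = ET.Element(xk("LocateResult"), {
        "Id": fresh_id(), "Service": req.get("Service"), "RequestId": req.get("Id"),
        "ResultMajor": XKMS + "Success",
    })
    if key_name in directory:
        binding = ET.SubElement(res, xk("UnverifiedKeyBinding"), {"Id": fresh_id()})
        key_value = ET.SubElement(ET.SubElement(binding, ds("KeyInfo")), ds("KeyValue"))
        rsa = ET.SubElement(key_value, ds("RSAKeyValue"))
        for part in ("Modulus", "Exponent"):
            ET.SubElement(rsa, ds(part)).text = directory[key_name][part]
    else:
        # XKMS reports "no such binding" as Success with ResultMinor NoMatch.
        res.set("ResultMinor", XKMS + "NoMatch")
    return ET.tostring(res, encoding="unicode")


class XkissClient:
    """Tracks outstanding requests so each result is correlated once and replays are refused."""

    def __init__(self, service=SERVICE):
        self.service = service
        self.pending = {}      # request Id -> key name that was asked for
        self.consumed = set()  # result Ids already processed

    def locate(self, key_name):
        req = build_locate_request(key_name, self.service)
        self.pending[req.get("Id")] = key_name
        return req.get("Id"), ET.tostring(req, encoding="unicode")

    def accept(self, result_xml):
        """Return (key_name, (modulus, exponent) or None); raise ValueError if the result is not acceptable."""
        res = ET.fromstring(result_xml)
        if res.tag != xk("LocateResult"):
            raise ValueError("unexpected message type " + res.tag)
        if res.get("Id") in self.consumed:
            raise ValueError("result Id already processed (response replay)")
        rid = res.get("RequestId")
        if rid not in self.pending:
            raise ValueError("RequestId does not name an outstanding request")
        self.consumed.add(res.get("Id"))
        key_name = self.pending.pop(rid)
        if res.get("ResultMajor") != XKMS + "Success":
            raise ValueError("service reported " + str(res.get("ResultMajor")))
        if res.get("ResultMinor") == XKMS + "NoMatch":
            return key_name, None
        return key_name, (res.findtext(".//" + ds("Modulus")), res.findtext(".//" + ds("Exponent")))


def try_accept(client, result_xml):
    """(True, result) if the client accepts the result, else (False, reason)."""
    try:
        return True, client.accept(result_xml)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    client = XkissClient()
    _, request = client.locate("alice@example.test")
    result = serve_locate(request)
    print(try_accept(client, result))  # first delivery of the result
    print(try_accept(client, result))  # same result delivered again: refused as a replay
```

The responder's `RequestId` is the only thing that ties a LocateResult back to the request that caused it, which is why the client keeps `pending` keyed by its own fresh Ids and forgets each entry as soon as one result has been consumed; a second copy of the same result, or a result for a request the client never sent, fails before any key material is read.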
Requirements published in the XML Key Management Working Group Charter specified that the XKMS PKI Interface "must be simple and build upon the <ds:KeyInfo> element specified by XML Signature, and that the XML Key Management Activity be coordinated with and use the deliverables of the XML Protocol, XML Schema, XML Signature and XML Encryption activities." Further, all required, recommended, and optional features of the specification must be implemented in at least two independent implementations before being advanced to Proposed Recommendation; these features, and their specification, must be able to interoperate in a secure fashion. Security and privacy concerns must be addressed by the specification.
The XKMS Version 2.0 Proposed Recommendation addresses issues raised following the publication of the Candidate Recommendation on 5-April-2004. A published XKMS Implementation Report summarizes the results of the Candidate Recommendation (CR) interoperability phase that started on 14-September-2004 and ended on 25-January-2005. "Thirty-six test scenarios were specified with a total of seven client implementations and four server implementations, implementing all or part of the tests. Two clients implemented all the tests. An additional client reported success on all tests except for the Optional ones as our reporting rules didn't allow for a developer to report results against his own server. Two servers supported all the tests except for the Optional ones. Only one server supported the Optional tests. Both servers were tested against at least two clients. These tests satisfy the interoperability entrance criteria to Proposed Recommendation (PR). During the CR period, the Working Group received and answered forty-three comments."
A note from W3C XKMS Activity Lead José Kahan indicates that if no serious issues are raised during the Proposed Recommendation review, the Working Group expects to publish the XML Key Management Specification Version 2.0 XKMS by end of June 2005. The XKMS Working Group may be re-chartered for the purpose of specification maintenance and for development of a WSDL XKMS Profile, to be published as a Working Group Note. The WSDL XKMS Profile would enable services to describe which features of XKMS they support.
Bibliographic Information
XML Key Management Specification (XKMS 2.0). Version 2.0. W3C Proposed Recommendation. 2-May-2005. Edited by Phillip Hallam-Baker (VeriSign) and Shivaram H. Mysore. Version URL: http://www.w3.org/TR/2005/PR-xkms2-20050502/. Latest official published version URL: http://www.w3.org/TR/xkms2/. Previous official published version URL: http://www.w3.org/TR/2004/CR-xkms2-20040405/.
Principal contributors: Participants in the Working Group are (at the time of writing, and by alphabetical order): Guillermo Alvaro Rey (Trinity College Dublin), Stephen Farrell (Trinity College Dublin, Co-Chair), José Kahan (W3C, staff contact), Berin Lautenbach (Apache Software Foundation), Tommy Lindberg (Markup Security), Roland Lockhart (Entrust, Inc.), Vamsi Motukuru (Oracle Corp.), Shivaram Mysore (Co-Chair; Editor since 13 Apr 2004), Rich Salz (DataPower Technology, Inc.), Yunhao Zhang (SQLData Systems). Previous participants were (by alphabetical order): Daniel Ash (Identrus), Blair Dillaway (Microsoft), Donald Eastlake 3rd (Motorola), Yassir Elley (Sun Microsystems), Jeremy Epstein (webMethods), Slava Galperin (Sun Microsystems), Phillip Hallam-Baker (VeriSign Inc, Editor until 13 Apr 2004), Loren Hart (VeriSign Inc.), Mack Hicks (Bank of America), Merlin Hughes (Baltimore), Frederick Hirsch (Nokia Mobile Phones), Mike Just (Treasury Board of Canada Secretariat), Brian LaMacchia (Microsoft), Pradeep Lamsal, Joseph Reagle (W3C, previous staff contact), Dave Remy (GeoTrust, Inc.), Peter Rostin (RSA Security Inc.), Ed Simon (XMLsec Inc.)
XML Key Management Specification (XKMS 2.0) Bindings. Version 2.0. W3C Proposed Recommendation. 2-May-2005. Edited by Phillip Hallam-Baker (VeriSign) and Shivaram H. Mysore. Version URL: http://www.w3.org/TR/2005/PR-xkms2-bindings-20050502/. Latest official published version URL: http://www.w3.org/TR/xkms2-bindings/. Previous official published version URL: http://www.w3.org/TR/2004/CR-xkms2-bindings-20040405/.
XML Key Management (XKMS 2.0) Requirements. W3C Note. 05-May-2003. Edited by Frederick Hirsch (Nokia) and Mike Just (Treasury Board of Canada Secretariat - TBS). Version URL: http://www.w3.org/TR/2003/NOTE-xkms2-req-20030505. Latest version URL: http://www.w3.org/TR/xkms2-req. Previous version URL: http://www.w3.org/TR/2002/WD-xkms2-req-20020318.
Principal References
- XKMS Version 2.0 Proposed Recommendation:
- XML Key Management Specification (XKMS 2.0)
- XML Key Management Specification (XKMS 2.0) Bindings
- W3C news item
- XKMS Version 2.0 Issues List
- XKMS Candidate Recommendation Implementation Report
- XKMS Public Code and Toolkits
- Feedback: Send review comments on the Proposed Recommendation through June 3, 2005 to www-xkms@w3.org; comments are invited from the W3C Membership and other interested parties.
- XKMS Patent Disclosures and Exclusions
- XKMS Working Group:
- W3C XML Key Management Working Group
- XML Key Management (XKMS) Activity Statement
- XML Key Management Working Group Charter
- XKMS Deliverables
- Contact: Working Group Co-Chairs Stephen Farrell and Shivaram Mysore.
- Archive of W3C Public List 'www-xkms'. Subscribe by sending email to www-xkms-request@w3.org with the word subscribe in the email 'Subject: ' line.
- XML Key Management Specification (XKMS). Submission to W3C from VeriSign Inc, Microsoft Corporation, and webMethods Inc. W3C Note. 30-March-2001.
- XKMS Contributor Policies
- XKMS Participants
- W3C Technology and Society Domain. "Technical building blocks that help address critical public policy issues on the Web."
- "XML Key Management Specification (XKMS)" - Local reference page.
- XML Trust Center resources:
- Related specs xmlenc and xmldsig:
- XML-Signature Syntax and Processing. W3C Recommendation 12-February-2002.
- XML Digital Signature (IETF/W3C). - Local references.
- XML Encryption Syntax and Processing. W3C Recommendation 10-December-2002.
- XML and Encryption - Local reference page.
- Earlier XKMS news:
- "W3C Releases Candidate Recommendations for XML Key Management Specification (XKMS 2.0)." News story 2004-04-06.
- "Last Call Working Drafts for W3C XML Key Management Specifications (XKMS)."
- "W3C XML Key Management Working Group Publishes XKMS 2.0 and X-BULK Working Drafts."
- "W3C Announces Official XML Key Management Activity."
- "W3C XML Key Management Services Workshop."
- XML and Security Standards (Security, Privacy, and Personalization):
- Application Security
- Digital Signatures
- XML and Encryption
- P3P Specification: Platform for Privacy Preferences
- Dialogue Moves Markup Language (DMML)
- XML Digital Signature (IETF/W3C)
- XML Advanced Electronic Signatures (XAdES)
- XML Key Management Specification (XKMS)
- XML Common Biometric Format (XCBF)
- Security Assertion Markup Language (SAML)
- Web Services Security Specification
- Liberty Alliance Specifications for Federated Network Identification and Authorization
- Security Services Markup Language (S2ML)
- Extensible Access Control Markup Language (XACML)
- ANSI/INCITS 359-2004 Role Based Access Control (RBAC) Security Standard
- Enterprise Privacy Authorization Language (EPAL)
- XML Access Control Language (XACL)
- AuthXML Standard for Web Security
- Service Provisioning Markup Language (SPML)
- Intrusion Detection Message Exchange Format
- "Incident Object Description and Exchange Format (IODEF)"
- Digital Signatures for Internet Open Trading Protocol (IOTP)
- IETF Securely Available Credentials (SACRED) Working Group
- OASIS PKI Technical Committee
- OASIS PKI Member Section
- OASIS Extensible Resource Identifier (XRI) TC
- Extensible Name Service (XNS)
- XML Encoding of SPKI Certificates
- Digital Receipt Infrastructure Initiative
- Digest Values for DOM (DOMHASH)
- Signed Document Markup Language (SDML)
- Customer Profile Exchange (CPEX) Working Group