Trust, Access Control, and Rights for Web Services, Part 2 - X-KRSS
(Page 3 of 9 )

From a Web services point of view, Locate and Validate will be the most common form of XKMS service requested. Depending on the nature of the Web service provided and the security policy in place, X-KRSS messages such as Register, Recover, Revoke, and Reissue may be processed only under a much more stringent environment.

In the registration phase, as shown in Figure 9.8, an XML application key pair holder registers its public key with a trusted infrastructure via a registration server. The public key is sent to the registration server using a digitally signed request specified by KRSS using the <Register> tag. The registration server responds with an XML formatted confirmation response using the <RegisterResponse> tag, which indicates status of the registration (accepted, rejected, or pending) and a confirmation of name and attribute information registered with the public key. Except in the case of rejection, a key pair identifier is returned in the <RegisterResponse> tag for subsequent referencing purposes. The registration is typically preceded by generation of the key pair in the key pair holder system.

Figure 9.8  X-KRSS key registration.

A sample X-KRSS <Request> is shown in Listing 9.9.

Listing 9.9 X-KRSS Request to XKMS Registration Service for Key Registration

<?xml version="1.0"?>
 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/1999/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Body>
   <Register xmlns="http://www.xkms.org/schema/xkms-2001-01-20">
    <Prototype>
     <Status>Valid</Status>
     <KeyID>mailto:Alice@cryptographer.test</KeyID>
      <ds:KeyInfo>
       <ds:KeyName>mailto:Alice@cryptographer.test</ds:KeyName>
      </ds:KeyInfo>
     <ValidityInterval>
      <NotBefore>2000-09-20T12:00:00</NotBefore>
      <NotAfter>2001-09-20T12:00:00</NotAfter>
     </ValidityInterval>
     <PassPhrase>qfarJIsfcVKLo</PassPhrase>
    </Prototype>
    <AuthInfo>
     <AuthUserInfo>
      <ProofOfPossession>
       <Signature>2PUN8HQlnhf9YI</Signature>
      </ProofOfPossession>
      <AuthKeyBinding>
       <Signature>EfdxSXAidruAszN</Signature>
      </AuthKeyBinding>
     </AuthUserInfo>
    </AuthInfo>
    <Respond>
     <string>KeyName</string>
     <string>KeyValue</string>
    </Respond>
   </Register>
  </soap:Body>
 </soap:Envelope>

The X-KRSS <RegisterResult> response to this request is shown in Listing 9.10.

Listing 9.10 X-KRSS Response from the XKMS Registration Service

<?xml version="1.0"?>
 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/1999/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Body>
   <RegisterResult xmlns="http://www.xkms.org/schema/xkms-2001-01-20">
    <Result>Success</Result>
    <Answer soapenc:arrayType="KeyBinding[1]">
     <KeyBinding>
      <Status>Valid</Status>
      <KeyID>mailto:Alice@cryptographer.test</KeyID>
       <ds:KeyInfo>
        <ds:KeyValue>
         <ds:RSAKeyValue>
<ds:Modulus>998/T2PUN8HQlnhf9YIKdMHHGM7HkJwA56UD0a1oYq7EfdxSXAidruAszNqBoOqfarJ
IsfcVKLob1hGnQ/l6xw==</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
         </ds:RSAKeyValue>
        </ds:KeyValue>
        <ds:KeyName>mailto:Alice@cryptographer.test</ds:KeyName>
       </ds:KeyInfo>

      <ValidityInterval>
       <NotBefore>2000-09-20T12:00:00</NotBefore>
       <NotAfter>2001-09-20T12:00:00</NotAfter>
      </ValidityInterval>
     </KeyBinding>
    </Answer>
    <Private/>
   </RegisterResult>
  </soap:Body>
 </soap:Envelope>

Revocation is handled via a similar protocol. The use of desktop (that is, file system) private key storage—as well as more broad XML client encryption applications—mandates some form of key recovery provision. Key recovery provides a way to recover a lost private key so that corporate-owned data encrypted with the lost private key is not lost forever. For historical reasons, key recovery is not supported by standardized protocols. In X-KRSS, such support is built in.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today. Buy this book now.

Next: eXtensible Access Control Markup Language (XACML) Specification >>
 

More Security Articles
More By Sams Publishing

Comments On: Trust, Access Control, and Rights for Web Services, Part 2

>>> Be the FIRST to comment on this article!