Position Paper from Omtool, Ltd. regarding participation in the W3C XKMS Working Group meeting in Redwood City, CA on July 19th, 2001

Author: Thaddeus Bouchard
Title: Vice President Products
Company: Omtool, Ltd.
Date: July 5, 2001

Omtool’s principal interests in participating in the W3C’s XKMS working group discussions are:

1) To gather information from the various participants about the overall goal of XKMS and the problems that it solves in PKI use and PKI interoperability;

2) To provide input to the group about the specific requirements of our software products, which are already designed and implemented to use XKMS for key management functionality.

We have existing bi-lateral business relationships and technical interoperability projects with a number of the companies represented in the XKMS community. Some of these relationships already include XKMS-based interoperability projects; others do not yet, but have the potential over time to be extended to include this capability.

As a result of our practical technical experience in using XKMS, we have developed specific opinions about the value that XKMS offers to an application-level software solution such as Genidocs, which needs to access the PKI infrastructure while avoiding the responsibility to “own” keys and key management functions. We are interested in hearing the experiences of other participants who are developing XKMS-enabled applications and services.

We have a strong desire to see a mature and interoperable XKMS standard emerge, so that our software applications will not have to be developed with specific hooks into the proprietary APIs required today to access the CAs and RAs of specific vendors.

Our current use of XKMS in the Genidocs product is for locate and validate functionality on digital certificates, for use in S/MIME messaging to given e-mail recipients.
Our server-based application will attempt to locate, and thereafter periodically validate, the S/MIME certificates of e-mail recipients for whom our server has a business document to deliver. An important feature of Genidocs is enabling the users of a company’s e-mail system to send documents that are S/MIME encrypted without requiring the individual sender within the company to have a digital certificate issued to him and registered in his e-mail client.

A certain number of server-based add-ons to enterprise messaging provide secure messaging capabilities by using S/MIME in this way. However, these products usually require the administrator of the system to manage the keys of the potential S/MIME recipients. Genidocs uses XKMS to extend our S/MIME feature by eliminating operational, day-to-day key management responsibilities. The Genidocs server automatically “becomes aware” of e-mail recipients that are S/MIME-ready, gathers their public keys for use in S/MIME encryption, and validates their certificates before packaging and sending an S/MIME message to that recipient. Both the initial key exchange and the subsequent key validation are completely automated by our XKMS-aware server-based solution.

We envision product extensions to our application over time that will use the XKMS “register” capability to create and distribute digital certificates to new users, integrating this initial key issuing process into our overall solution. We also have plans to qualify our XKMS implementation against the XKMS features of the major vendors of CA and RA products and services.
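The locate-then-validate flow described above, as an added example that is not part of Omtool's paper or the Genidocs product: a client builds an XKMS LocateRequest for an S/MIME address, a ValidateRequest for the certificate it gets back, and only releases the certificate for encryption when the key binding comes back Valid. It uses the XKMS 2.0 message format (the later W3C Recommendation, not the 2001 draft the paper refers to); the service URI, element Ids, recipient directory and certificate strings are constructed placeholders, and the in-memory responder stands in for a real XKMS service.

```python
"""Simulated XKMS 2.0 Locate/Validate exchange for an S/MIME gateway (constructed example)."""
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"        # XKMS 2.0 namespace
DS = "http://www.w3.org/2000/09/xmldsig#"        # XML Signature namespace (ds:KeyInfo)
SMIME = "urn:ietf:rfc:2633"                      # UseKeyWith Application URI for S/MIME
SERVICE = "urn:example:xkms-service"             # placeholder service URI (assumption)
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)

# Constructed recipient directory: address -> (placeholder cert, status, reason).
# The strings are not real certificates; bob's entry models a revoked certificate.
DIRECTORY = {
    "alice@example.com": ("CONSTRUCTED-BASE64-CERT-ALICE", "Valid", "IssuerTrust"),
    "bob@example.com": ("CONSTRUCTED-BASE64-CERT-BOB", "Invalid", "RevocationStatus"),
}


def build_locate_request(email: str) -> bytes:
    """LocateRequest asking for the X.509 certificate bound to an S/MIME address."""
    req = ET.Element(f"{{{XKMS}}}LocateRequest", Id="locate-1", Service=SERVICE)
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "X509Cert"
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    ET.SubElement(qkb, f"{{{XKMS}}}UseKeyWith", Application=SMIME, Identifier=email)
    return ET.tostring(req)


def build_validate_request(cert_b64: str, email: str) -> bytes:
    """ValidateRequest: hand the located certificate back and ask for its binding status."""
    req = ET.Element(f"{{{XKMS}}}ValidateRequest", Id="validate-1", Service=SERVICE)
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "X509Cert"
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    ki = ET.SubElement(qkb, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(qkb, f"{{{XKMS}}}UseKeyWith", Application=SMIME, Identifier=email)
    return ET.tostring(req)


def simulated_responder(request_xml: bytes) -> bytes:
    """Stand-in XKMS service answering from DIRECTORY (constructed, not a real responder)."""
    req = ET.fromstring(request_xml)
    kind = req.tag.replace(f"{{{XKMS}}}", "")            # LocateRequest or ValidateRequest
    email = req.find(f".//{{{XKMS}}}UseKeyWith").get("Identifier")
    result_tag = f"{{{XKMS}}}" + ("LocateResult" if kind == "LocateRequest" else "ValidateResult")
    entry = DIRECTORY.get(email)
    if entry is None:  # unknown recipient: Success with ResultMinor NoMatch, no key binding
        res = ET.Element(result_tag, ResultMajor=XKMS + "Success", ResultMinor=XKMS + "NoMatch")
        return ET.tostring(res)
    cert_b64, status, reason = entry
    res = ET.Element(result_tag, ResultMajor=XKMS + "Success")
    # Locate answers with an UnverifiedKeyBinding; Validate answers with a KeyBinding + Status.
    binding = "UnverifiedKeyBinding" if kind == "LocateRequest" else "KeyBinding"
    kb = ET.SubElement(res, f"{{{XKMS}}}{binding}", Id="kb-1")
    x509 = ET.SubElement(ET.SubElement(kb, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(kb, f"{{{XKMS}}}UseKeyWith", Application=SMIME, Identifier=email)
    if kind == "ValidateRequest":
        st = ET.SubElement(kb, f"{{{XKMS}}}Status", StatusValue=XKMS + status)
        reason_tag = "ValidReason" if status == "Valid" else "InvalidReason"
        ET.SubElement(st, f"{{{XKMS}}}{reason_tag}").text = XKMS + reason
    return ET.tostring(res)


def locate_cert(email: str, send=simulated_responder):
    """Return the located certificate (base64 text) or None when nothing is bound."""
    res = ET.fromstring(send(build_locate_request(email)))
    if res.get("ResultMajor") != XKMS + "Success":
        return None
    cert = res.find(f".//{{{XKMS}}}UnverifiedKeyBinding/{{{DS}}}KeyInfo/"
                    f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    return cert.text if cert is not None else None


def validate_cert(cert_b64: str, email: str, send=simulated_responder):
    """Return (status, reasons); anything the service does not answer is Indeterminate."""
    res = ET.fromstring(send(build_validate_request(cert_b64, email)))
    if res.get("ResultMajor") != XKMS + "Success":
        return "Indeterminate", []
    status = res.find(f".//{{{XKMS}}}KeyBinding/{{{XKMS}}}Status")
    if status is None:
        return "Indeterminate", []
    reasons = [r.text.replace(XKMS, "") for r in status]
    return status.get("StatusValue").replace(XKMS, ""), reasons


def smime_cert_for(email: str, send=simulated_responder):
    """Locate, then validate; only a Valid key binding may be used for S/MIME encryption."""
    cert = locate_cert(email, send)
    if cert is None:
        return None
    status, _reasons = validate_cert(cert, email, send)
    return cert if status == "Valid" else None


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(addr, "->", smime_cert_for(addr))
```

The gateway's decision point is `smime_cert_for`: an unknown recipient (no binding), a service error, or any status other than Valid (Invalid for revocation, Indeterminate when the service cannot decide) all yield `None`, so the server falls back to not encrypting rather than encrypting to a certificate it cannot vouch for. Re-running `validate_cert` on a schedule is what the paper calls periodic validation.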