Final Results of Questionnaire XKMS CR TEST-SUITE REPORT

I1: Company / organization

Details

I2: Representative's name (who is answering this form)

Details

I3: Implementation name (please precise a URL if available)

Details

I4: Implementation version (which version was used for this testing)

Details

I5: Spec Version/Comment

Details

XKISS-T1: Locate

A client wishes to obtain an encryption key bound to bob@example.com, so it can be able to send an encrypted mail to Bob. The client secure email format is S/MIME. The processing mode is synchronous. The resulting set of messages will consist of a Locate Request to the server and the Locate Result returned.

Test suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T2: Validate

A client wishes to check whether a certificate supplied by a sender (Alice) in a message is valid or not, so he sends the certificate chain to the XKMS service. The processing mode is synchronous. The certificate is valid and it has not been revoked. The resulting set of messages will consist of a Validate Request to the server and the Validate Result returned reporting that the key binding has successfully been checked.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T3: Locate - not found

In a similar scenario to XKISS-T1, a client wishes to obtain a key bound to bob2@example.com, but the server cannot locate a key for that user. The resulting set of messages will consist of a Locate Request to the server and the Locate Result returned.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T4: Validate an expired cert

In a similar scenario to XKISS-T2, a client wishes to check whether a certificate supplied by a sender (Eric) in a message is valid or not, so he sends the certificate chain to the XKMS service. The processing mode is synchronous. The certificate is not valid because it has expired. The resulting set of messages will consist of a Validate Request and a Validate Result.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T5: Validate a revoked cert

In a similar scenario to XKISS-T2, a client wishes to check whether a certificate supplied by a sender (Ralph) in a message is valid or not, so he sends the certificate chain to the XKMS service. The processing mode is synchronous. The certificate is not valid because it has been revoked. The resulting set of messages will consist of a Validate Request and a Validate Result.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T6: Two Phase

A client wishes to obtain an encryption key bound to bob@example.com, so it can be able to send an encrypted mail to Bob. The client secure email format is S/MIME. The processing mode is Two Phase. The resulting set of messages will consist of two Locate Requests to the server and two Locate Results returned.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T7: Asynchronous

A client wishes to obtain an encryption key bound to bob@example.com. The client secure email format is S/MIME. The processing mode is asynchronous. The resulting set of messages will consist of two Locate Requests to the server and two Locate Responses returned. The server will notify by email when is it ready to receive the Pending Request. The resulting set of messages will consist of at least six messages: An initial Locate Request and Locate Result; One or more Status requests and responses, with the last Status Result stating the Success; a Pending Request and a final Locate Result.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T8: Two Phase + Asynchronous

A client wishes to obtain an encryption key bound to bob@example.com. The client secure email format is S/MIME. The processing mode is Two Phase Protocol with Asynchronous Processing. The resulting set of messages will consist of at least eight messages: two Locate Requests to the server and two Locate Responses returned, corresponding to the Two Phase protocol, then at least a Status Request-Response pair and finally a Pending Request and the final Locate Result.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T9: Compound

A client wishes to make a locate and two validate requests simultaneously. The processing mode is synchronous. The locate and validate requests that will be made correspond to the tests XKISS-T1, XKISS-T2 and XKISS-T4. The resulting set of messages will consist of an outer Compound Request with three inner requests and an outer Compound Result with three inner results.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T10: Two Phase Compound

A client wishes to make a locate and two validate requests simultaneously. The processing mode is Two Phase Protocol. The locate and validate requests that will be made correspond to the tests XKISS-T1, XKISS-T2 and XKISS-T4. The resulting set of messages will consist of two outer Compound Request with three inner requests and two Compound Results. the first without inner results and the second containing three.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T11: Asynchronous Compound

A client wishes to make a locate and two validate requests simultaneously. The processing mode is asynchronous. The locate and validate requests that will be made correspond to the tests XKISS-T1, XKISS-T2 and XKISS-T4. The client will send a Status Request after receiving the notification of the Locate message but when the validate messages are still pending. The resulting set of messages will consist of at least six messages: an initial outer Compound Request with three inner requests and the initial Compound Result; at least a Status Request-Result pair; a Pending Request and the final Compound Result with three inner results.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T12: Compound with inner asynchronous requests

A client wishes to make a locate and two validate requests simultaneously. The processing mode for the compound message is synchronous. The locate and validate requests that will be made correspond to the tests XKISS-T1, XKISS-T2 and XKISS-T4. The inner Locate Request will be made synchronously and the Validate requests asynchronously. The resulting set of messages will consist of at least ten messages: an initial outer Compound Request with three inner requests and the initial Compound Result with three inner results; at least two Status request-response pairs and two Pending requests and two Validate results.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T13: Soap 1.1

The same scenario as XKISS-T1 but with the messages wrapped in SOAP 1.1 envelopes.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T14: Soap 1.2

The same scenario as XKISS-T1 but with the messages wrapped in SOAP 1.2 envelopes.

Test-suite reference

Summary

(The results on your answers are bolded)

Averages:

Details

XKISS-T15: Opaque Client Data

Similar to XKISS-T2 but with OpaqueClientData) A client wishes to check whether a certificate supplied by a sender (Alice) in a message is valid or not, so he sends the certificate chain to the XKMS service. The client adds two instances of randomly generated OpaqueData to the request. The processing mode is synchronous. The certificate is valid and it has not been revoked. The resulting set of messages will consist of a Validate Request to the server and the Validate Result returned reporting that the key binding has successfully been checked. The OpaqueClientData in the result is identical to the one included in the request.

Test-suite reference

Summary

(The results on your answers are bolded)

Averages:

Details

XKISS-T16: Request Signature Value

(Similar to XKISS-T2 but the request is signed and the client requests return of request signature value) A client wishes to check whether a certificate supplied by a sender (Alice) in a message is valid or not, so he sends the certificate chain to the XKMS service. The client signs the request with Bob's key and includes the corresponding verification key in the request. The client indicates through the ResponseMechanism element that he is prepared to receive the request signature value bytes in the result. The processing mode is synchronous. The certificate is valid and it has not been revoked. The resulting set of messages will consist of a Validate Request to the server and the Validate Result returned reporting that the key binding has successfully been checked. In addition, the request signature bytes match those returned in the RequestSignatureValue element of the result.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKISS-T17: Unsuccessful Request Signature Value

(Similar to XKRSS-T16 but incorrect verification key is supplied) A client wishes to check whether a certificate supplied by a sender (Alice) in a message is valid or not, so he sends the certificate chain to the XKMS service. The client signs the request with a key not known by the service. The client indicates through the ResponseMechanism element that he is prepared to receive the request signature value bytes in the result. The processing mode is synchronous. The result indicates a non successful outcome with a minor result code of NoAuthentication and the RequestSignatureValue is not present.

Test-suite reference

Summary

(The results on your answers are bolded)

Averages:

Details

XKISS-T18: Response Limit

(Similar to XKISS-T1 but with a response limit indication) Mandy is known to have 10 encryption keypairs for use with S/MIME style e-mail all of which are bound to mandy@example.com. A client wishes to obtain no more than 5 of these keys. The processing mode is synchronous. The resulting set of messages will consist of a Locate Request to the server and the Locate Result returned. The minor result code has the TooManyResponses to indicate that more bindings than the requested 5 were found. If the major result indicates Success then the result contains no more than 5 key bindings. If the major result code indicates Receiver then the result does not contain any key bindings.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T1: Register Client Generated Key

A client wishes to register an RSA key pair bound to his email address. He generates an RSA key pair and sends a registration request to the XKMS service provider using a shared secret: "secret", for key binding authentication. The processing mode is synchronous, and the client provides an X.509 distinguished name in a UseKeyWith for "rfc2459". The response message indicates a successful key binding and there is an X.509 certificate in the key binding.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T2: Register Service Generated Key

A client wishes to register a key generated by the XKMS server. He sends a registration request to the XKMS service provider using a shared secret: "secret", for key binding authentication. The processing mode is synchronous, and the key is to be used with an email address. The XKMS server returns an RSA key pair with encrypted private key. The resulting set of messages will consist of two messages: a Register request and a Register response.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T3: Reissue

A client wishes to get a new X.509 certificate. He sends a Reissue request to the XKMS service. The key is specified in the payload either with a key value or with the old cert. The shared secret is "secret", and the processing mode is synchronous. The XKMS server returns a new certificate with new validity interval in the response message, and the status of the key binding is valid. The resulting set of messages will consist of four messages: an initial Register request/response pair and a Reissue request/response pair.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T4: Recover

A client wishes to recover his private key which he has forgotten. He specifies the authorization code "secret" for the key recovery operation, and an indeterminate key binding to his public key. The processing mode is synchronous. The XKMS server returns the encrypted private key. The resulting set of messages will consist of four messages: an initial Register request/response pair and a Recover request/response pair.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T5: Revoke

A client wishes to revoke a compromised key binding. The key was registered with a revocation pass phrase. The processing mode is synchronous. The revocation result is successful and the result key binding is invalid. The resulting set of messages will consist of four messages: an initial Register request/response pair and a Revoke request/response pair.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T6: Revoke with shared secret

A client wishes to revoke a compromised key binding. He uses the authorization code "secret" for the key revocation operation. The processing mode is synchronous. The revocation result is successful and the result key binding is invalid. The resulting set of messages will consist of four messages: an initial Register request/response pair and a Revoke request/response pair.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T7: Two Phase

(Similar to XKRSS-T2 but Two Phase)

A client wishes to register a key generated by the XKMS server. He sends a registration request to the XKMS service provider using a shared secret: "secret", for key binding authentication. The processing mode is two phase, and the key is to be used with an email address. The XKMS server returns an RSA key pair with encrypted private key. The resulting set of messages will consist of two Register Requests to the server and two Register Results returned.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T8: Asynchronous

(Similar to XKRSS-T2 but Asynchronous

A client wishes to register a key generated by the XKMS server. He sends a registration request to the XKMS service provider using a shared secret: "secret", for key binding authentication. The processing mode is asynchronous, and the key is to be used with an email address. The XKMS server returns an RSA key pair with encrypted private key. The client will also send at least a Status Request. The resulting set of messages will consist of at least six messages: An initial Register request/response pair, at least a Status request/response pair, a Pending request and a final Register result.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T9: Asynchronous + Two Phase

(Similar to XKRSS-T2 but Asynchronous + Two Phase

A client wishes to register a key generated by the XKMS server. He sends a registration request to the XKMS service provider using a shared secret: "secret", for key binding authentication. The processing mode is asynchronous, and the key is to be used with an email address. The XKMS server returns an RSA key pair with encrypted private key. The client will also send at least a Status Request. The resulting set of messages will consist of at least eight messages: two Register request/response pairs, corresponding to the Two Phase protocol, then at least a Status request/response pair and then a Pending request and the final Register result.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T10: Compound

A client wishes to make two registration requests simultaneously. The processing mode is synchronous. The registration requests that will be made correspond to the tests XKRSS-T1 and XKRSS-T2. The resulting set of messages will consist of an outer Compound Request with two inner requests and an outer Compound Result with two inner results.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T11: Two Phase Compound

A client wishes to make two registration requests simultaneously. The processing mode is two phase. The registration requests that will be made correspond to the tests XKRSS-T1 and XKRSS-T2. The resulting set of messages will consist of two outer Compound Request with two inner requests and two Compound Results, the first without inner results and the second containing two.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T12: Asynchronous Compound

A client wishes to make two registration requests simultaneously. The processing mode is asynchronous. The registration requests that will be made correspond to the tests XKRSS-T1 and XKRSS-T2. The client will send first a Status Request. The resulting set of messages will consist of at least six messages: an initial outer Compound Request with two inner requests and the initial Compound Result; at least a Status Request and a Status Result; a Pending Request and the final Compound Result with two inner results.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T13: Compound with inner asynchronous requests

A client wishes to make two registration requests simultaneously. The processing mode for the compound message is synchronous. The registration requests that will be made correspond to the tests XKRSS-T1 and XKRSS-T2. The inner client-generated RegisterRequest will be made synchronously and the inner server-generated client request asynchronously. The client will send first at least a Status Request for the inner asynchronous operation. The resulting set of messages will consist of at least six messages: an initial outer Compound Request with two inner requests and the initial Compound Result with two inner results; at least a Status request-response pair and a Pending request and a Register result.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

XKRSS-T14: Unsuccessful authorization

(Similar to XKRSS-T2 but with a wrong shared secret)

A client wishes to register a key generated by the XKMS server. He sends a registration request to the XKMS service provider using a wrong shared secret: "notsecret", for key binding authentication. The processing mode is synchronous, and the key is to be used with an email address. The resulting set of messages will consist of two messages: a Register request and a Resister response, with a minor result code of NoAuthentication.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

Compound-T1: XKISS and XKRSS

A client wishes to make a validate and a registration requests simultaneously. The processing mode is synchronous. The validate request that will be made correspond to the test XKISS-T2 and the registration one to the test XKRSS-T2. The resulting set of messages will consist of an outer Compound Request with two inner requests and an outer Compound Result with two inner results.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

Optional-T1: Authentication with Private Key

(Similar to XKRSS-T2 but authenticating with private key instead of shared secret)

A client wishes to register a key generated by the XKMS server using a private key for key binding authentication. First he registers a key as in XKRSS-T2 and then he sends another registration request to the XKMS service provider using the private key received in the previous registration operation for key binding authentication. The processing mode is synchronous, and the key is to be used with an email address. The XKMS server returns an RSA key pair with encrypted private key. The resulting set of messages will consist of four messages: two Register request/response pairs.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

Optional-T2: Authentication with NotBoundAuthentication

(Similar to XKRSS-T2 but authenticating with not bound authentication)

A client wishes to register a key generated by the XKMS server. He sends a registration request to the XKMS service provider using a Not Bound Authentication (Protocol: "http://www.example.com/foo/protocol", Value: encoded "secret"), for key binding authentication. The processing mode is synchronous, and the key is to be used with an email address. The XKMS server returns an RSA key pair with encrypted private key. The resulting set of messages will consist of two messages: a Register request and a Resister response.

Test-suite reference

Summary

(The results on your answers are bolded)

Details

Optional-T3: Validate with RetrievalMethod

(Similar to XKRSS-T2 but with a RetrievalMethod)

A client wishes to validate a certificate located at a network location http://62.77.172.83:4080/certs/rsa-alice-at-example-cert.der as indicated by a certificate holder (Alice). He sends a request specifying a RetrievalMethod to the XKMS service. The certificate encoding type is http://www.w3.org/2000/09/xmldsig#rawX509Certificate indicating a DER encoded certificate object. The processing mode is synchronous. The certificate is valid and it has not been revoked. The resulting set of messages will consist of a Validate Request to the server and the Validate Result returned reporting that the key binding has successfully been checked.

Test-suite reference

Summary

(The results on your answers are bolded)

Details