José Kahan (W3C/ ERCIM), Stephen Farrell (Trinity College, Dublin)
Salzburg, Austria, September 19-21, 2005
On-line slides available at http://www.w3.org/2005/Talks/0919-CMS2005/
Locate Request. The client wants to extract the public-key key from a certificate.
<LocateRequest xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="I749230b6fd389a038a639846a9399b12" Service="http://markupsecurity.com:4080/xkms/service/soap12" xmlns="http://www.w3.org/2002/03/xkms#"> <RespondWith>http://www.w3.org/2002/03/xkms#KeyValue</RespondWith> <QueryKeyBinding> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIClzCCAg... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </QueryKeyBinding> </LocateRequest>
Locate Response. The Server DOES not report the revocation status or trustworthiness of the certificate.
<LocateResult xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="I7f6ac825f8ba901ef65b705273fa731c" Service="http://markupsecurity.com:4080/xkms/service/soap12" ResultMajor="http://www.w3.org/2002/03/xkms#Success" RequestId="I749230b6fd389a038a639846a9399b12" xmlns="http://www.w3.org/2002/03/xkms#"> <UnverifiedKeyBinding Id="I74509207b634bacd36ef9d993b789ab2"> <ds:KeyInfo> <ds:KeyValue> <ds:RSAKeyValue> <ds:Modulus> zcd/HfKPNiiXdKgTw9WX4ISsdU/... </ds:Modulus> <ds:Exponent>AQAB</ds:Exponent> </ds:RSAKeyValue> </ds:KeyValue> </ds:KeyInfo> <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage> <KeyUsage>http://www.w3.org/2002/03/xkms#Encryption</KeyUsage> <KeyUsage>http://www.w3.org/2002/03/xkms#Exchange</KeyUsage> <UseKeyWith Application="urn:ietf:rfc:2633" Identifier="alice@example.com" /> </UnverifiedKeyBinding> </LocateResult>
Validate Request. Verifying the validity of a public-key certificate used for signing a message.
<ValidateRequest Id="If774ba9573bef692a15de94a4e75993b" Service="http://markupsecurity.com:4080/xkms/service/soap12" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="http://www.w3.org/2002/03/xkms#"> <RespondWith>http://www.w3.org/2002/03/xkms#X509Cert</RespondWith> <QueryKeyBinding> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIICpzCCAhCgAwIBAgIBZDANBg... </ds:X509Certificate> <ds:X509Certificate> MIIClzCCAgCgAwIBAgICAMgwDQ... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage> <UseKeyWith Application="urn:ietf:rfc:2633" Identifier="alice@example.com" /> </QueryKeyBinding> </ValidateRequest>
Validate Response. The certificate is valid. The server signed the response.
<ValidateResult Id="I7f6ac825f8ba901ef65b705273fa731c" Service="http://markupsecurity.com:4080/xkms/service/soap12" ResultMajor="http://www.w3.org/2002/03/xkms#Success" RequestId="If774ba9573bef692a15de94a4e75993b" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="http://www.w3.org/2002/03/xkms#"> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#I7f6ac825f8ba901ef65b705273fa731c"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>jbyngZtDC59pt2FBe3C36pE02gU=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> f75Eao4WKbf... </ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIICmjCCAgOgAw... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <KeyBinding Id="I39f74868a9b994839120351b75fe7292"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIClzCCAgCgAw... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage> <KeyUsage>http://www.w3.org/2002/03/xkms#Encryption</KeyUsage> <KeyUsage>http://www.w3.org/2002/03/xkms#Exchange</KeyUsage> <UseKeyWith Application="urn:ietf:rfc:2633" Identifier="alice@example.com" /> <ValidityInterval NotBefore="2004-09-19T21:49:26Z" NotOnOrAfter="2005-09-19T21:49:26Z" /> <Status StatusValue="http://www.w3.org/2002/03/xkms#Valid"> <ValidReason>http://www.w3.org/2002/03/xkms#Signature</ValidReason> <ValidReason>http://www.w3.org/2002/03/xkms#IssuerTrust</ValidReason> <ValidReason>http://www.w3.org/2002/03/xkms#RevocationStatus</ValidReason> <ValidReason>http://www.w3.org/2002/03/xkms#ValidityInterval</ValidReason> </Status> </KeyBinding> </ValidateResult>
The client requests a binding for a public-key. The request is signed using HMAC-SHA1 and a shared secret (authentication). The client signed the request with its private key (proof of possesion).
<RegisterRequest Id="I947be832f90172b7ef83ac29374fbe84" Service="http://markupsecurity.com:4080/xkms/service/soap12" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="http://www.w3.org/2002/03/xkms#"> <RespondWith>http://www.w3.org/2002/03/xkms#X509Chain</RespondWith> <PrototypeKeyBinding Id="If9e462740f5ea7389ba83940bfa88cbe"> <ds:KeyInfo> <ds:KeyValue> <ds:DSAKeyValue> <ds:P> +P61+BdBwklgAGAkGz5D/aGt7X8VvDJcJ8vhqHijFHb0yIQGmB0zzZF59JpwH70o ... </ds:DSAKeyValue> </ds:KeyValue> </ds:KeyInfo> <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage> <UseKeyWith Application="urn:ietf:rfc:2633" Identifier="deirdre@example.com" /> <ValidityInterval NotOnOrAfter="2006-03-23T23:06:00Z"/> <RevocationCodeIdentifier>UWAZyd0KloHX5p9wfbSghCB1BkE=</RevocationCodeIdentifier> </PrototypeKeyBinding> <Authentication> <KeyBindingAuthentication> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> <ds:Reference URI="#If9e462740f5ea7389ba83940bfa88cbe"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>nz1IL7Vvd/Rtt+RkDQHmisqmfC0=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>mL9n63rTMN+ozXCIGwAkGmTff8o=</ds:SignatureValue> <ds:KeyInfo> <ds:KeyName>Deirdre</ds:KeyName> </ds:KeyInfo> </ds:Signature> </KeyBindingAuthentication> </Authentication> <ProofOfPossession> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> <ds:Reference URI="#If9e462740f5ea7389ba83940bfa88cbe"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>nz1IL7Vvd/Rtt+RkDQHmisqmfC0=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>IGi2iOKo...</ds:SignatureValue> </ds:Signature> </ProofOfPossession> </RegisterRequest>
Register Result. The server returns the binding as a public-key certificate. The reply is signed by the server.
<RegisterResult Id="I84029cbe839123ae703ef38274be9d81" Service="http://markupsecurity.com:4080/xkms/service/soap12" ResultMajor="http://www.w3.org/2002/03/xkms#Success" RequestId="I947be832f90172b7ef83ac29374fbe84" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="http://www.w3.org/2002/03/xkms#"> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> <ds:Reference URI="#I84029cbe839123ae703ef38274be9d81"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>AaBGKgmYTcwtE0nEuh7MpRfQqrs=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>MBMgyEDI9KRjAYel...</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIDWTCCAxmgAwIBAgIBZTAJBgcqhkjOOAQDMEMxCzAJBgNVBAYTAklFMQ8wDQYD ... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <KeyBinding Id="I7493b386ef36a839d0eb983028392030"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIIDZTCCAyWgAwI... </ds:X509Certificate> <ds:X509Certificate> MIIDWDCAxe... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> <KeyUsage>http://www.w3.org/2002/03/xkms#Signature</KeyUsage> a <UseKeyWith Application="urn:ietf:rfc:2633" Identifier="deirdre@example.com" /> <Status StatusValue="http://www.w3.org/2002/03/xkms#Valid"> <ValidReason>http://www.w3.org/2002/03/xkms#Signature</ValidReason> <ValidReason>http://www.w3.org/2002/03/xkms#IssuerTrust</ValidReason> <ValidReason>http://www.w3.org/2002/03/xkms#RevocationStatus</ValidReason> <ValidReason>http://www.w3.org/2002/03/xkms#ValidityInterval</ValidReason> </Status> </KeyBinding> </RegisterResult>
Example: ignoring the expiration date