XML Key Management Requirements

W3C Working Draft 30 January 2002

This version:
Latest version:
Previous version:
Frederick Hirsch, Zolera Systems, Inc. <fjh@alum.mit.edu>
Mike Just, Entrust, Inc., <mike.just@entrust.com>


This document lists the design principles, scope and requirements for XML Key Management specifications and trust server key management implementations. It includes requirements as they relate to the key management syntax, processing, security and coordination with other standards activities.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. [RFC 2119].

Status of this Document

This is a Working Draft of requirements for the first release of specifications from the XML Key Management Working Group. Previous drafts of this document reflected requirements from various sources, including the XML Key Management Working Group Proposal [XKMSProposal], Charter [XKMSCharter], XML Trust Center Change Proposal [XKMSChange], July 2001 Workshop position papers [XKMSPositionPapers] and Workshop meeting minutes [XKMSWorkshopMinutes], comments from the (temporary) mail list [XKMSWorkshopList], and the November 14, 2001 teleconference [RequirementsTeleCon]. This latest version incorporates discussion from the December 9, 2001 XKMS requirements meeting and the January 23, 2002 teleconference.

Publication of this document does not imply endorsement by the W3C membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite a W3C Working Draft as anything other than a "work in progress." A list of current W3C working drafts can be found at http://www.w3.org/TR/.

These requirements will be reflected in the XKMS recommendation, as well as additional optional recommendations in the XKMS work group charter, such as Bulk Key registration. Wherever "specification" is used in this document, it refers to the core XKMS recommendation as well as any additional associated specifications.

Please send comments to the editors <fjh@alum.mit.edu>, <mike.just@entrust.com> and cc: the mailing list: www-xkms@w3.org

Table of Contents

  1. Introduction and Terminology
  2. Requirements
    1. Universality and Usability
    2. Security Model
    3. Trust Server
    4. Protocol Capabilities and Format
    5. Objects and Processing
  3. Out of Scope
  4. Coordination
  5. Intellectual Property
  6. References

1 -- Introduction and Terminology

XML-based public key management should be designed to meet two general goals. The first is to support a simple client's ability to make use of sophisticated key management functionality. The second is to provide public key management support to XML applications that is consistent with the XML [XML] architectural approach. In particular, it is a goal of XML key management to support the public key management requirements of XML Encryption [XML Encryption] and XML Digital Signature [XMLDSIG] and to be consistent with the Security Assertion Markup Language [SAML]. This specification provides requirements for XML key management consistent with these goals.

The following terms and phrases are used throughout the remainder of this draft.

4-Corner Model
A processing and/or trust environment where end-entities interact with a single trusted point of contact, and each such contact has a peerwise trust relationship with all other contacts.
Asynchronous exchange
An exchange where the synchronous service response is incomplete, requiring the client to perform a subsequent request at some later time.  For example, client registration may require time consuming checks where it is more practical for a client to return at a later time for their completed response. For XML Key Management all requests producing asynchronous results MUST produce a synchronous response status indicating an incomplete response, such as "Pending", for example. Such responses MAY also provide a URL for the client to check back to obtain the complete response at a later time.
An application that makes requests of a service. The concept of a "client" is relative to a service request; an application may have the role of client for some request and service for others.
Deferred Request Authentication
A mechanism to allow a client to verify that the server processed the correct request. The client may verify the server response, for example, by comparing the elements returned in the response, or comparing a digest of the request with a digest returned in a secured response. This ensures that an attacker has not diverted or otherwise changed portions of a request. For example, a client request might be directed to a particular URI so that a specific policy will be enforced as part of the service processing the request. Inclusion of the URI in the response ensures that the expected server policy was followed and that the request was conveyed correctly.
Key Validation
A service that verifies the binding of information to a public key and also determines the current status of that binding, if appropriate or possible for the information in question. For example, key validation [SECGL] may be performed based on elements secured to a public key in an X.509 certificate as outlined in PKIX [RFC 2459].
Key Binding
An XML element suitable for associating additional information with a public key. This element might be used to convey status and validity period information for key validity queries or used to convey private key information as part of a registration request or response.
Key Name
A property defined in the XML Digital Signature recommendation, allowing a name to be associated with a key within a <ds:KeyInfo> element. The Key Name property is not required and when associated with a key in registration is not required to be a unique identifier for a key.
Pass Phrase Key
A key derived from a pass phrase may be used for authentication in circumstances where public key based authentication is not possible.
Payload Security
The XKMS request or response XML obtains integrity and/or confidentiality by being signed and/or encrypted, using an XML digital signature or XML encryption. The signature itself may be placed in the SOAP header when using a SOAP binding, for example. This is in contrast to transport integrity, where a SOAP message containing the XKMS payload is secured using TLS or other transport security mechanisms.
Proof of Possession (PoP)
Performing an action with a private key to demonstrate possession of the key. An example is creating a signature using a private signing key being registered, to prove possession of that key.
An application that provides computational or informational resources on request. A service may be provided by several physical servers operating as a unit.
Transport Layer Security, a protocol layer designed to provide message integrity and confidentiality for a message during transit between two endpoints. An earlier version is known as SSL, the Secure Socket Layer [TLS].
Trust Service
A service that is capable of registering public keys and/or providing key information services, including key validation and location.
Web Service
A service that is accessible by means of messages sent using standard web protocols, notations and naming conventions, including XML Protocol (or until XML protocol is standardized, SOAP). Web service may also imply the use of ancillary mechanisms, such as WSDL for defining Web services interfaces.

2 -- Requirements

Familiarity with the W3C XKMS Note [XKMS Note] is assumed for this section.

2.1 Universality and Usability

  1. Request and response messages SHOULD be extensible.
  2. All messages and data structures MUST be specified in XML, using XML Schema [XMLSchema]. Schema validation is not required of applications or trust server implementations.
  3. Use of optional features is discouraged. Use of unbounded XML element schema definitions and optional elements SHOULD be justified.
  4. The specification MUST provide a binding to SOAP 1.1 [ SOAP ] and migrate to XML Protocol [XMLProtocol] once defined [List(Blair Dillaway)]. The XKMS specification is required to profile SOAP for interoperability, including use of document literal encoding.
  5. The design MUST be transport protocol agnostic - SOAP content may be carried over different transport protocols. [List(Blair Dillaway)]
  6. The specification MUST ensure the correspondence of responses with requests, aiding correlation of asynchronous responses with requests and also ensuring that the appropriate request was processed according to the expected policy.
  7. The specification SHOULD NOT require clients to implement traditional PKI processing such as ASN.1, certificate revocation or certificate chain processing. Usability and simplicity are paramount to enable client, to obtain the benefits of public key technology. {Reuters} [XKMSPositionPapers].
  8. The specification SHOULD clearly define the set of responses expected by a client for each type of request and clearly define the expected actions of a client receiving those responses. For example, responses that apply to a validation request, will not necessarily apply to a registration request.
  9. Underlying PKI or other trust server mechanisms SHOULD be transparent to the client, with exception that credentials such as X.509 certificates may be explicitly retrieved. This should leverage the <ds:KeyInfo> work. {IAIK position} [XKMSPositionPapers]
  10. A mechanism for versioning SHOULD be defined. If a good reason exists for an approach other than XML Namespaces, it MUST be justified.
  11. Server support for legacy formats such as PKCS#10 and PKCS#7 SHOULD be defined, but their support is OPTIONAL. An example use is in smartcard personalization or bulk registration applications.
  12. XKMS MUST be usable in a 4-corner application model. Specifically an XKMS server SHOULD be able to pass requests to another XKMS server for processing without excessive overhead. The definition of server chaining and referral messages are out of scope, but such mechanisms SHOULD not be precluded.

2.2 Security Model

    [Data Confidentiality and Integrity]

  1. Every trust service MUST support all three integrity and confidentially mechanisms: TLS, payload security, and no-security (the assumption of no-security is that security will be provided by another mechanism such as IPSec). Every client MUST support at least one of these mechanisms.
  2. Payload security MUST be based on XML Encryption and XML Signature and MAY be useable to secure the body content of SOAP messages. Individual elements of XML Key Management protocol messages SHOULD not be encrypted, except for the Private element which is a special case (since it transports a private key) and MUST be encrypted using XML encryption.
  3. The specification MUST define how XML Key Management messages and transactions can be secured (for confidentiality and integrity) where payload security is not implemented. In particular, the specification MUST define how the use of transport layer security such as SSL/TLS. The specification MUST profile TLS, by requiring a subset of the defined cipher suites to be supported, for example.
  4. The security section of the specification SHOULD recommend that at least one form of integrity and confidentiality protection of service requests and responses be used by applications, either transport security or payload protection.

    [Transaction Security]

  5. All trust server responses MUST include a digest of the request payload and the request URL.
  6. Techniques for protection against replay attacks MUST be recommended in the security considerations section. Specific techniques SHOULD be defined, such as nonce, origination time, and serial numbers in requests, for example.

    [Trust Service Trust]

  7. The specification must indicate that trust services MUST make their public keying information (i.e. the public keys to be used to authenticate the trust service) publicly available in at least the <ds:KeyValue> format, since that is the minimal [XMLDSIG] key representation.
  8. The specification SHOULD support different means of establishing a trust relationship with the trust service, and not be limited to client caching of a trusted certificate or trusted key.


  9. The specification MUST allow use of user-generated pass phrases as a means of proving ownership of a key(s) previously registered key binding.
  10. The specification MUST provide a means of employing a secret, agreed out-of-band, between the registration service and end-user as a means of authorizing a registration action. [List(Blair Dillaway)]


  11. The specification MUST state in the security section that concerns over the privacy of registration information may be addressed through server P3P privacy policies. The definition and retrieval mechanisms for these policies are defined in the P3P recommendation and do not require definition in the XKMS specifications [P3P].

    [Security considerations]

  12. The specification MUST include a discussion of potential vulnerabilities and recommended practices when using the defined processing model in a larger application context. While it is impossible to predict all the ways the specification may be used, the discussion SHOULD alert users to ways in which potentially subtle weaknesses might be introduced. At a minimum, security issues arising from known plain-text and data length information MUST be addressed.

2.3. Trust Server

  1. Provide server introspection - the means to request and obtain a response indicating services trust server supports (RetrievalMethod, Locate, Validate etc.)
  2. Selection of differently configured trust services SHOULD use standard HTTP binding techniques such as URLs, rather than requiring the XKMS protocol to define this functionality. For example, a URL may be used to define access to a trust service and possibly distinguish the underlying technologies (e.g. PGP, X509 etc.).
  3. The specification SHOULD support asynchronous registration responses.
  4. More generally, the specification SHOULD allow asynchronous transport of both registration requests and responses, but not require this of trust servers.

2.4. Protocol Capabilities and Formats


  1. The specification MUST describe how to register key information, and in particular, associate additional information with the public key. A public key pair may be generated at a client and the public key registered with the trust service; a key pair may be generated at the trust service and the private key may be delivered to the client.
  2. The specification MUST describe how to revoke a registered key binding.
  3. The specification MUST describe how to update registered public key information.
  4. The specification MUST describe how to support a user recovering their own private key, such as might be needed to restore a lost private encryption key. This requirement does not imply any form of key escrow as used in the sense of mandated government access to private keys.
  5. The specification MUST describe how to register more than one public key in a single registration request, supporting bulk registration.
  6. The specification MUST describe how to request an update as to the status of a multi-key request.
  7. The specification MUST define a request for retrieving a public key, given a <ds:KeyInfo> element containing one or more children containing key information. The mechanism of processing KeyInfo and obtaining the key is implementation dependent, but a server MUST be able to return key information corresponding to a KeyInfo returned in a registration response from the same server. Population of the server database for responding to service requests (locate and validate) is out of scope and implementation specific.
  8. This specification MUST define a protocol for validating the status of a public key and additionally validating the binding between a public key and other related information.
  9. The specification MUST describe how a client can specify or determine the context in which a public key binding will be validated {Certicom, Microsoft, Sun, Zolera} [XKMSPositionPapers]. Context enables 4-corner model support for example.  As another example, the context may include the trust anchors and certificate policies the client wants the server to use for validation. [List(Yassir Elley)]


  10. The specification MUST define payload and header XML formats, providing SOAP 1.1 bindings and XML Protocol bindings once XML Protocol is defined. XML Protocol bindings may be published as a separate document from the XKMS recommendation, to avoid dependencies on the XML Protocol schedule. SOAP 1.1 need not be the only binding defined, but is required. [List(Blair Dillaway)] The SOAP 1.1. binding MUST support SOAP 1.1, modified to use the W3C XML Schema definitions [SOAP Schemas].
  11. The specification MUST define how to convey application context in requests/responses, e.g. transaction amount, arbitrary XML {Microsoft, Sun}
  12. All formats SHOULD permit application/trust server extension through the use of additional elements in another namespace.
  13. The specification MUST define a unified request/response mechanism across services (Locate, Validate etc.), including uniform error responses, query and response formats.
  14. The specification MUST permit opaque data to be associated with a request and returned with the corresponding response.
  15. The specification MUST define which requests are idempotent (can repeat without ill effect), and which are not.
  16. The specification MUST define a protocol which provides the means to match requests and responses.
  17. A client SHOULD be able to control the number of key bindings in a response returned (e.g. specify the maximum to be returned).
  18. The specification MUST use schema typing and namespace support for the <Respond> element in <Locate> and <Validate>  responses (rather than strings). {Reagle}, [WorkshopMeeting]
  19. A Validate request MAY also include values to be Located and returned in the response.
  20. The specification MUST allow the server to return a subset or superset of the elements requested by the clients. {Reagle} [WorkshopMeeting]. Security implications MUST be discussed in the Security Concerns section of the specification.
  21. The specification SHOULD define a mechanism so that responses include both a list of valid key bindings, and a list of invalid key bindings, removing the ambiguity possible with valid, invalid and indeterminate key binding status possibilities combined with a single type of response. {Salz} [XKMS developers list]

2.5. Objects and Processing

  1. The specification SHOULD define how to register a key for specific uses and how to update the allowed uses over time. [XKMSPositionPapers ]
  2. The specification SHOULD enable finer granularity of key usage definition to support compliance requirements. Signatures may be supported for specific purposes, such as approval, authorship or integrity for example. One possible way of meeting this requirement is to define a <Purpose> subtype for the <KeyUsage> element.
  3. Key bindings MUST have issuers associated with them.
  4. The following KeyInfo formats MUST be supported: KeyName, KeyValue, RetrievalMethod and MgmtData.
    The following KeyInfo formats MUST be supported by a trust server if the service claims interoperability with PX509: X509Cert, X509Chain and X509CRL. X509Chain MUST be defined in the XKMS specifications. The other KeyInfo formats are defined in the XML Signature recommendation.
    The XKMS registration Private format which MUST be supported if the service supports either service generated key pairs or key recovery. [List(Sébastien Pouliot)]
  5. Exclusive Canonicalization [ExclusiveCanonicalization] support is required to assure robust XML digital signatures when the context of the XKMS content may be changed, such as in the case of intermediate SOAP processors altering the SOAP envelope context.
  6. XML Key Management applications MUST be XML-namespaces [XML-namespaces] aware.
  7. XML Key Management applications MUST be XML Schema [XML-schema] aware in that they create XML Key Management instances conforming to the key management schema definitions. {Reagle} Schema validation is not required.
  8. Implementation of the specification SHOULD work with existing XML parser and schema implementations. However, alterations to particular DOM and/or XML parser implementations may prove beneficial in terms of simplifying application development or improving  runtime efficiency. These details are outside the scope of the XML Key Management specification.
  9. The specification SHOULD be compatible with the use of authentication mechanisms carried in SOAP/XML Protocol messages and/or the transport protocol. XKMS SHOULD not define any new authentication mechanism beyond key proof of possession.
  10. The specification MUST describe how to provide proof of possession of private keys.
  11. The KeyInfo returned in a registration response SHOULD be a unique key identifier for the responder for subsequent service requests. Subsetting this KeyInfo may make this not true. Server implementations may define uniqueness properties and relate them to clients - how this is done is implementation dependent.

3. Out of Scope

These items are out of scope (at least for the initial specifications produced by the working group). In some cases an in-scope requirement (e.g. the ability to use XKMS in the context of the 4 corner model) may imply some of this functionality, but that does not mean the XKMS specification is required to define that functionality.
  1. Design of new cryptographic algorithms.
  2. Issues of non-repudiation, including but not limited to 'technical non-repudiation' and 'contractual non-repudiation'.
  3. Sources of trusted time.
  4. Models and data structures for establishing inter-domain trust, including but not limited to 'cross-certification'.
  5. Expression of existing PKI data structures in XML.
  6. Specification of inter-domain trust semantics.
  7. Authorization issues and more specifically authorization assertions (e.g. SAML).
  8. Attribute certificates.
  9. Knowledge representation syntax.
  10. Audit management.
  11. Establishment of trust server key authority delegation [XTAML]. This does not preclude requiring the ability to sign/encrypt requests and responses, nor preclude discussion of establishing trust with the XKMS Trust server. [List (Stephen Farrell)]
  12. The XML Key Management recommendation will not define generic mechanisms for securing SOAP or XML Protocol, but rather define a payload security mechanism. A goal is to reduce external standards dependencies. [List(Blair Dillaway)]
  13. Issues of anonymous access and service use are not the primary focus of the work, but may be supported.
  14. Private key retrieval services that extend beyond the return of a service-generated private key as part of registration (e.g. Roaming).
  15. Server chaining and referral mechanisms.
  16. XML Key Management of symmetric keys.
  17. Caching support.

4 -- Coordination

Coordination with other groups is as specified in the Charter [Charter].

5 -- Intellectual Property

Intellectual property issues are as in the Charter [Charter].

6 -- References

Document Object Model Core, Level 3. Arnaud Le Hors. W3C Working Draft. January 2001.
Exclusive Canonicalization - work in progress
RFC2046. MIME Part Two: Media Types  November 1996.
P3P Working Draft
RFC 2119
"Key words for use in RFCs to Indicate Requirement Levels", S. Bradner, March 1997, RFC 2119, http://www.ietf.org/rfc/rfc2119.txt
RFC 2459
"Internet X.509 Public Key Infrastructure Certificate and CRL Profile",R. Housley, W. Ford, W. Polk, D. Solo, January 1999, RFC 2459 http://www.ietf.org/rfc/rfc2459.txt
Security Assertion Markup Language (SAML), http://www.oasis-open.org/committees/security/docs/
Simple Object Access Protocol (SOAP) 1.1, W3C Note 08 May 2000, http://www.w3.org/TR/SOAP/
SOAP Schemas
http://schemas.xmlsoap.org/soap/encoding/ and http://schemas.xmlsoap.org/soap/envelope/
The TLS Protocol, Version 1.0, RFC 2246, T. Dierks, C. Allen, http://www.ietf.org/rfc/rfc2246.txt
XKMS Change Proposal
XKMS Charter
XKMS Workshop Mail List
XKMS 1.1 W3C Note
XKMS Workshop Meeting Minutes
XKMS Workshop Position Papers
XKMS Requirements Teleconference
Extensible Markup Language (XML) 1.0 Recommendation. T. Bray, J. Paoli, C. M. Sperberg-McQueen. February 1998.
Canonical XML. W3C Recommendation. J. Boyer. March 2001.
XML-Signature Syntax and Processing. W3C Proposed Recommendation. D. Eastlake, J. Reagle, and D. Solo. August 2001. (http://www.w3.org/TR/2001/PR-xmldsig-core-20010820/)
XML Signature Requirements. W3C Working Draft. J. Reagle. October 1999. (http://www.w3.org/TR/xmldsig-requirements )
XML Encryption
XML Encryption Syntax and Processing. W3C Working Draft. T. Imamura, B. Dillaway, J. Schaad, E. Simon. October 2001. (http://www.w3.org/TR/xmlenc-core/)
XML Encryption Requirements. W3C Working Draft. J. Reagle. October 2001. (http://www.w3.org/TR/xml-encryption-req)
Namespaces in XML Recommendation. T. Bray, D. Hollander, A. Layman. January 1999.
XML Protocol
XML Schema Part 1: Structures W3C Recommendation. D. Beech, M. Maloney, N. Mendelsohn, H. Thompson. May 2001.
XML Schema Part 2: Datatypes W3C Recommendation. P. Biron, A. Malhotra. May 2001.
RFC2396. Uniform Resource Identifiers (URI): Generic Syntax. T. Berners-Lee, R. Fielding, L. Masinter. August 1998