OASIS & W3C standards and certificates
OpenOSI is mostly interested in the OASIS security effort, which is recognized as a major one in the field of Web Services in general. We focus on X.509 certificate implementation.
As with OASIS, openOSI is mostly interested in privacy and security developments. We focus on X.509 certificate implementation (XKMS).
The World Wide Web Consortium (W3C) develops interoperable technologies (specifications, guidelines, software, and tools) to lead the Web to its full potential. W3C is a forum for information, commerce, communication, and collective understanding.
X.509 Token Profile 1.1: How to use X.509 Certificates with the Web Services Security: SOAP Message Security [WS-Security] specification.
Produced by OASIS Web Services Security TC in February 2006.
Web Services Security X.509 Certificate Token Profile: How to use X.509 Certificates with the Web Services Security: SOAP Message Security [WS-Security] specification.
Produced by OASIS Web Services Security TC in March 2004.
The X.509 implementation is part of the Web Services Security (WSS) suite, which describes the attachment of security tokens such as "X509SubjectName" in the form of a DN (distinguished name).
The core specifications include SOAP Message Security, which describes enhancements to SOAP messaging to provide message integrity and confidentiality. The SAML token profile describes how to use Security Assertion Markup Language (SAML) V1.1 and V2.0 assertions with the Web Services Security (WSS): SOAP Message Security V1.1 specification.
X.509 certificates are also part of XML key management (XKMS). By design, the XML Signature Specification does not mandate use of a particular trust policy. The signer of a document is not required to include any key information but may include a <ds:KeyInfo> element that specifies an X.509 certificate. The signer of a document may wish to refer verifiers to a chain of X.509 certificates without having to attach them. <ds:RetrievalMethod> consists of a location on the web from which the certificate chain may be retrieved, a method, and a type.
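As an added example (not code from openOSI, OASIS or W3C), this Python function reads a <ds:KeyInfo> element and lists the signer-supplied hints described above, leaving the trust decision to the verifier's own policy. The sample document, the `pki.example` host and the `ALLOWED_CHAIN_HOSTS` allow-list are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}

# Constructed sample: a KeyInfo that names the signer and points at a chain
# instead of attaching it. Untrusted input should go through a hardened parser.
SAMPLE_KEYINFO = """\
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data>
    <ds:X509SubjectName>CN=signer.example,O=Example Org,C=FR</ds:X509SubjectName>
  </ds:X509Data>
  <ds:RetrievalMethod URI="https://pki.example/chains/signer.xml"
                      Type="http://www.w3.org/2000/09/xmldsig#X509Data"/>
</ds:KeyInfo>
"""

# Assumed local trust policy: hosts this verifier will fetch chains from.
ALLOWED_CHAIN_HOSTS = {"pki.example"}


def describe_keyinfo(xml_text):
    """Return the signer-supplied key hints found in a ds:KeyInfo element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{DS}}}KeyInfo":
        raise ValueError("root element is not ds:KeyInfo")
    hints = {"subject_names": [], "embedded_certs": 0, "retrieval": []}
    for x509 in root.findall("ds:X509Data", NS):
        for name in x509.findall("ds:X509SubjectName", NS):
            hints["subject_names"].append((name.text or "").strip())
        hints["embedded_certs"] += len(x509.findall("ds:X509Certificate", NS))
    for rm in root.findall("ds:RetrievalMethod", NS):
        uri = rm.get("URI", "")
        parts = urlsplit(uri)
        hints["retrieval"].append({
            "uri": uri,
            "type": rm.get("Type"),
            # The signer chooses this URI; the verifier decides whether to follow it.
            "allowed": parts.scheme == "https"
                       and parts.hostname in ALLOWED_CHAIN_HOSTS,
        })
    return hints


if __name__ == "__main__":
    print(describe_keyinfo(SAMPLE_KEYINFO))
```

Everything returned is a hint supplied by the signer; the certificate chain still has to validate against trust anchors the verifier chose independently.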
The XML Key Management Specification (XKMS) defines protocols for distributing and registering public keys, suitable for use in conjunction with the proposed standard for XML Signature [XML-SIG] developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) and an anticipated companion standard for XML encryption. XKMS comprises two parts: the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS).
openOSI sees a link between certificate practice statements, the use of X.509 certificates by a web site, and the Platform for Privacy Preferences developed by W3C.
The Platform for Privacy Preferences Project (P3P) enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. P3P user agents will allow users to be informed of site practices (in both machine- and human-readable formats) and to automate decision-making based on these practices when appropriate. Thus users need not read the privacy policies at every site they visit.