XML Key Management (XKMS 2.0) Requirements

W3C Note 05 May 2003

This version:

http://www.w3.org/TR/2003/NOTE-xkms2-req-20030505

Latest version:

http://www.w3.org/TR/xkms2-req

Previous version:

http://www.w3.org/TR/2002/WD-xkms2-req-20020318

Editors:

Frederick Hirsch, Nokia, <[email protected]>

Mike Just, Treasury Board of Canada Secretariat (TBS), <[email protected]>

Copyright © 2003 W3C^® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark, document use and software licensing rules apply.

---

Table of Contents

1. Introduction and Terminology
2. Requirements
3. 1. Universality and Usability
   2. Security Model
   3. Trust Server
   4. Protocol Capabilities and Format
   5. Objects and Processing
4. Out of Scope
5. Coordination
6. Intellectual Property
7. References

1 Introduction and Terminology

XML key management services will primarily be of interest to clients that intend to communicate using XML-based protocols bound to SOAP. It may be that such clients will not have sufficient ASN.1 capabilities in which case the benefits of offloading the parsing of certificates and other traditional PKI structures (e.g. CRLs or OCSP responses) is clear. Clients which possess such capabilities and have no preference to work with XML-based protocols may opt to use non-XML-based protocols defined by PKIX, for example.

The following terms and phrases are used throughout the remainder of this draft.

4-Corner Model

A processing and/or trust environment where each end-entity interacts with a single trusted point of contact, and each such contact has a peerwise trust relationship with all other contacts[4-corner model].

Asynchronous exchange

An exchange where the synchronous service response is incomplete, requiring the client to perform a subsequent request at some later time. When client registration requires time consuming checks it is more practical for a client to return at a later time for a completed response, for example. For XML Key Management all requests producing asynchronous results MUST produce a synchronous response status indicating an incomplete response, such as "Pending", for example. Such responses might also provide a URL for the client to check back to obtain the complete response at a later time.

Client

An application that makes requests of a service. The concept of a "client" is relative to a service request; an application may have the role of client for some request and service for others.

Deferred Request Authentication

A mechanism to allow a client to verify that the server processed the correct request. The client may verify the server response, for example, by comparing the elements returned in the response, or comparing a digest of the request with a digest returned in a secured response. This ensures that an attacker has not diverted or otherwise changed portions of a request. For example, a client request might be directed to a particular URI so that a specific policy will be enforced as part of the service processing the request. Inclusion of the URI in the response ensures that the expected server policy was followed and that the request was conveyed correctly.

Key

An input parameter that varies the transformation performed by a cryptographic algorithm [RFC2828]. For the purpose of XML key management we specifically mean public keys and private keys as used in a public key cryptosystem.

Key Management

Key management relates to the management of a public key's validity status over its lifetime. Typically, operations are defined for controlling the validity (e.g. register, revoke) and querying the validity.

Key Binding

A property associating additional information with a public key. This might be used to convey status and validity period information for key validity queries or used to convey private key information as part of a registration request or response.

Key Location

A service that locates and returns a public key given identifying information for the key. Generally the request will include a KeyInfo element containing information sufficient for the service to locate the key. A common example is to provide the key name.

Key Name

A property defined in the XML Digital Signature recommendation, allowing a name to be associated with a key within a <ds:KeyInfo> element. The Key Name property is not required and when associated with a key in registration is not required to be a unique identifier for that key.

Key Validation

A service that verifies the binding of information to a public key and also determines the current status of that binding, if appropriate or possible for the information in question. For example, key validation [SECGL] may be performed based on elements secured to a public key in an X.509 certificate as outlined in PKIX [RFC 2459].

Pass Phrase Key

A key derived from a pass phrase may be used for authentication in circumstances where public key based authentication is not possible.

Payload Security

The XKMS request or response XML obtains integrity and/or confidentiality by being signed using an XML digital signature and/or encrypted using XML Encryption. The signature itself may be placed in the SOAP header when using a SOAP binding, for example. This is in contrast to transport integrity, where a SOAP message containing the XKMS payload is secured using TLS or other transport security mechanisms.

Proof of Possession (POP)

Performing an action with a private key to demonstrate possession of it. An example is to create a signature using a registered private signing key to prove possession of it.

Service

An application that provides computational or informational resources on request. A service may be provided by several physical servers operating as a unit.

TLS

Transport Layer Security, a protocol layer designed to provide message integrity and confidentiality for a message during transit between two endpoints. An earlier version is known as SSL, the Secure Socket Layer [TLS].

Trust Service

A service that is capable of registering public keys and/or providing key information services, including key validation and location.

Web Service

A service that is accessible by means of messages sent using standard web protocols, notations and naming conventions, including XML Protocol (or until XML protocol is standardized, SOAP). Web service may also imply the use of ancillary mechanisms, such as WSDL [WSDL ] and UDDI [ UDDI ] for defining Web services interfaces.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. [RFC 2119].

2 Requirements

2.1 Universality and Usability

1. Request and response messages SHOULD be extensible.
2. All messages and data structures MUST be specified in XML using XML Schema [XMLSchema]. Schema validation is not required of applications or trust server implementations. Clients and servers are not required to implement a general purpose XML parsing capability. Note that common PKIX structures such as X.509 certificate and CRL structures may be embedded as binary (base64 encoded) data within XML elements as indicated by the KeyInfo definition [ XMLDSig ].Applications which expect to process X.509 certificates will require ASN.1 and certificate processing capabilities.
3. Use of optional features is discouraged. Optional features SHOULD be justified in the specification.
4. The specification MUST provide a binding to XML Protocol (SOAP 1.2), provided that the SOAP 1.2 specification has reached Candidate Recommendation (CR) status prior to the XKMS WG completing its work. In this case the specification SHOULD also provide a binding to SOAP 1.1 (for interoperability purposes). If SOAP 1.2 has not reached CR status then the specification MUST provide a binding to SOAP 1.1. The XKMS specification SOAP binding is required to profile SOAP for interoperability, including use of document literal encoding. [ SOAP ] [XMLProtocol] [List( Blair Dillaway)].
5. XKMS services MUST implement SOAP 1.2 once that specification has achieved Candidate Recommendation status.
6. The design MUST be transport protocol agnostic - SOAP content may be carried over different transport protocols. [List( Blair Dillaway)]
7. The specification MUST ensure the correspondence of responses with requests, aiding correlation of asynchronous responses with requests and also ensuring that the appropriate request was processed.
8. The specification MUST NOT require clients to implement traditional PKI processing such as ASN.1, certificate revocation or certificate chain processing. Usability and simplicity are paramount to enable clients to obtain the benefits of public key technology. {Reuters} [XKMSPositionPapers].
9. The specification MUST clearly define the set of responses expected by a client for each type of request and clearly define the expected actions of a client receiving those responses. For example, responses that apply to a validation request will not necessarily apply to a registration request.
10. Underlying PKI or other trust server mechanisms SHOULD be transparent to the client, with exception that credentials such as X.509 certificates may be explicitly retrieved. This should leverage the <ds:KeyInfo> work. {IAIK position} [XKMSPositionPapers]
11. A mechanism for versioning SHOULD be defined. If a good reason exists for an approach other than XML Namespaces, it MUST be justified.
12. Server support for legacy formats such as PKCS#10 and PKCS#7 SHOULD be defined, but their support is OPTIONAL. An example use is in smartcard personalization or bulk registration applications.
13. An XKMS server SHOULD be able to pass requests to another XKMS server for processing with minimal overhead. The definition of server chaining and referral messages are out of scope, but such mechanisms SHOULD NOT be precluded. An example of meeting this requirement is to provide support for a 4 corner application model [4-corner model].
14. Use of XML elements with unbounded maxOccurs schema values SHOULD be justified in the specification.

2.2 Security Model

1. Every trust service MUST support TLS and payload security. Trust services MAY support secure networks such as IPSec for integrity and confidentiality. Every client MUST support at least one of these mechanisms appropriate for the servers contacted.
2. Payload security MUST be based on XML Encryption and XML Signature and MAY be usable to secure the body content of SOAP messages. Individual elements of XML Key Management protocol messages SHOULD not be encrypted, except for the Private element which is a special case (since it transports a private key) and MUST be encrypted using XML Encryption. Exclusive Canonicalization SHOULD be used as the XML Digital Signature canonicalization method.
3. The specification MUST define how XML Key Management messages and transactions can be secured (for confidentiality and integrity) where payload security is not implemented. In particular, the specification MUST define how transport layer security such as SSL/TLS is to be used. The specification MUST profile TLS, by requiring a subset of the defined cipher suites to be supported, for example.
4. The security section of the specification MUST recommend that at least one form of integrity and confidentiality protection of service requests and responses be used by applications, either transport security or payload protection.

[Transaction Security]

5. All trust server responses MUST include a digest of the request payload and the request URL.
6. Techniques for protection against replay attacks MUST be defined in the security considerations section. Specific techniques SHOULD be defined, such as nonce, origination time, and serial numbers in requests, for example.

[Trust Service Trust]

7. Trust services MUST make their public keying information (i.e. the public keys to be used to authenticate the trust service) publicly available in at least the <ds:KeyValue> format, since that is the minimal [XMLDSIG] key representation.
8. The specification MUST support different means of establishing a trust relationship with the trust service, and not be limited to client caching of a trusted certificate or trusted key. Other possibilities include key establishment using a shared secret, for example.

[Authentication]

9. The specification MUST allow use of user-generated pass phrases as a means of authenticating requests in lieu of access to a valid private key. binding.
10. The specification MUST provide a means of employing a secret, agreed out-of-band, between the registration service and end-user as a means of authorizing a registration action. [List( Blair Dillaway)]

[Privacy]

11. The specification MUST state in the security section that concerns over the privacy of registration information may be addressed through server P3P privacy policies. The definition and retrieval mechanisms for these policies are defined in the P3P recommendation and do not require definition in the XKMS specifications [P3P].

[Security considerations]

12. The specification MUST include a discussion of potential vulnerabilities and recommended practices when using the defined processing model in a larger application context. While it is impossible to predict all the ways the specification may be used, the discussion MUST alert users to ways in which potentially subtle weaknesses might be introduced. At a minimum, security issues arising from known plain-text and data length information MUST be addressed.

2.3. Trust Server

1. A server MAY be deployed that implements a subset of XKMS service functionality, such as Locate but not Validate, for example.
2. Selection of differently configured trust services SHOULD use standard HTTP binding techniques such as URLs, rather than requiring the XKMS protocol to define this functionality. For example, a URL may be used to define access to a trust service and possibly distinguish the underlying technologies (e.g. PGP, X509 etc.).
3. The specification MUST define asynchronous registration responses.
4. More generally, the specification MUST allow asynchronous transport of both registration requests and responses, but not require this of trust servers.

2.4. Protocol Capabilities and Formats

1. The specification MUST describe how to register key information, and in particular, associate additional information with the public key. A public key pair may be generated at a client and the public key registered with the trust service; a key pair may be generated at the trust service and the private key may be delivered to the client.
2. The specification MUST describe how to revoke a registered key binding.
3. The specification MUST describe how to update registered public key information. Reasons include the need for atomic transactions and the ability to update a portion of a defined key binding.
4. The specification MUST describe how to support a user recovering their own private key, such as might be needed to restore a lost private encryption key. This requirement does not imply any form of key escrow as used in the sense of mandated government access to private keys.
5. The specification MUST describe how to register more than one public key in a single registration request, supporting bulk registration. The specification MAY generalize this to define how to perform compound requests and obtain compound responses, including both registration and information service messages
6. The specification MUST describe how to request an update as to the status of a multi-key request.

[Key Information Service Capabilities]

7. The specification MUST define a request for retrieving a public key, given a <ds:KeyInfo> element containing one or more children containing key information. The mechanism of processing KeyInfo and obtaining the key is implementation dependent, but a server MUST be able to return key information corresponding to a KeyInfo returned in a registration response from the same server. Population of the server database for responding to service requests (locate and validate) is out of scope and implementation specific.
8. This specification MUST define a protocol for validating the status of a public key and additionally validating the binding between a public key and other related information.
9. The specification MUST describe how a client can specify or determine the context in which a public key binding will be validated {Certicom, Microsoft, Sun, Zolera} [XKMSPositionPapers]. Context enables 4-corner model support for example. As another example, the context may include the trust anchors and certificate policies the client wants the server to use for validation. [List( Yassir Elley)]

[Formats]

10. The specification MUST define payload and header XML formats. XML Protocol bindings may be published as a separate document from the specification to avoid dependencies on the XML Protocol schedule. XML Bindings other than XML Protocol MAY be defined in the specification [List( Blair Dillaway)].
11. The specification MUST define how to convey application context in requests/responses, e.g. transaction amount, arbitrary XML {Microsoft, Sun}
12. All formats SHOULD permit application/trust server extension through the use of additional elements in another namespace.
13. The specification MUST define a unified request/response mechanism across services (Locate, Validate etc.), including uniform error responses, query and response formats.
14. The specification MUST permit opaque data to be associated with a request and returned with the corresponding response. Parties that are not concerned with opaque data may ignore it.
15. The specification MUST define which requests are idempotent (can repeat without ill effect) and which are not.
16. The specification MUST define a protocol that provides the means to match requests and responses.
17. A client SHOULD be able to control the number of key bindings in a response returned (e.g. specify the maximum to be returned).
18. The specification MUST use schema typing and namespace support for the <Respond> element in <Locate> and <Validate> responses (rather than strings). {Reagle}, [WorkshopMeeting]
19. A Validate request MAY also include values to be Located and returned in the response.
20. The specification MUST allow the server to return a subset or superset of the elements requested by the clients. {Reagle} [WorkshopMeeting]. Security implications MUST be discussed in the Security Concerns section of the specification.
21. The specification MUST define unambiguous multi-valued responses, removing the ambiguity possible with valid, invalid and indeterminate key binding status responses, for example.

2.5. Objects and Processing

1. The specification SHOULD define how to register a key for specific uses and how to update the allowed uses over time. [XKMSPositionPapers ]
2. A key registration request MUST be able to specify the appropriate key usage of a key.
3. Key bindings MUST have issuers associated with them.
4. The following KeyInfo formats MUST be supported: KeyName, KeyValue, and RetrievalMethod.

   The X509Certificate KeyInfo format MUST be supported by a trust server if the service claims interoperability with PKIX X.509. Additional KeyInfo formats such as X509Chain, OCSP, and X509CRL MAY be supported. X509Chain and OCSP MUST be defined in the XKMS specifications. X509CRL is defined in the XML Signature recommendation.

   The XKMS registration Private format MUST be supported if the service supports either service generated key pairs or key recovery.[List( Sebastien Pouliot)]

5. Exclusive Canonicalization [ExclusiveCanonicalization] support is required to assure robust XML digital signatures when the context of the XKMS content may be changed, such as in the case of intermediate SOAP processors altering the SOAP envelope context.
6. XML Key Management applications MUST be XML-namespaces [XML-namespaces] aware.
7. XML Key Management applications MUST be XML Schema [XML-schema] aware in that they create XML Key Management instances conforming to the key management schema definitions. {Reagle} Schema validation is not required.
8. Implementation of the specification SHOULD work with existing XML parser and schema implementations. However, alterations to particular DOM and/or XML parser implementations may prove beneficial in terms of simplifying application development or improving runtime efficiency. These details are outside the scope of the XML Key Management specification.
9. The specification SHOULD be compatible with the use of authentication mechanisms carried in SOAP/XML Protocol messages and/or the transport protocol.
10. The specification MUST describe how to provide proof of possession of private keys.
11. The KeyInfo returned in a registration response SHOULD be a unique key identifier for the responder for subsequent service requests. Subsetting this KeyInfo may make this not true. Server implementations may define uniqueness properties and relate them to clients - how this is done is implementation dependent.

3. Out of Scope

These items are out of scope(at least for the initial specifications produced by the working group). In some cases an in-scope requirement (e.g. the ability to use XKMS in the context of the 4 corner model) may imply some of this functionality, but that does not mean the XKMS specification is required to define that functionality.

1. Design of new cryptographic algorithms.
2. Issues of non-repudiation, including but not limited to 'technical non-repudiation' and 'contractual non-repudiation'.
3. Sources of trusted time.
4. Models and data structures for establishing inter-domain trust, including but not limited to 'cross-certification'.
5. Redefining existing PKI structures using an XML syntax, such as redefining certificates in XML. Existing PKI structures may be encapsulated within XML elements however.
6. Specification of inter-domain trust semantics.
7. Authorization issues and more specifically authorization assertions (e.g. SAML).
8. Attribute certificates.
9. Knowledge representation syntax.
10. Audit management.
11. Establishment of trust server key authority delegation [XTAML]. This does not preclude requiring the ability to sign/encrypt requests and responses, nor preclude discussion of establishing trust with the XKMS Trust server. [List ( Stephen Farrell)]
12. The XML Key Management recommendation will not define generic mechanisms for securing SOAP or XML Protocol, but rather define a payload security mechanism. A goal is to reduce external standards dependencies. [List( Blair Dillaway)]
13. Issues of anonymous access and service use are not the primary focus of the work, but may be supported.
14. Private key retrieval services that extend beyond the return of a service-generated private key as part of registration (e.g. Roaming).
15. Server chaining and referral mechanisms.
16. XML Key Management of symmetric keys.
17. Caching support.
18. The specification is not tailored to but does not preclude support of highly constrained devices[List (Yassir Elley)].
19. Defining authentication mechanisms.

4 Coordination

Coordination with other groups is as specified in the Charter [Charter].

1. The Working Group may satisfy the {Payload, Transaction, and Authentication} requirements via its own specification or via normative reference to other specifications. The Working Group SHOULD avoid redundant specification of those features where possible but SHOULD also consider the timely completion of its own deliverable, this choice is at the Working Group's discretion.

5 Intellectual Property

6 References

4-Corner Model

http://www.w3.org/2001/07/xkms-ws/ashwood-4-corners.pdf

DOM

Document Object Model (DOM) Level 3 Core Specification, Version 1.0, W3C Working Draft, Arnaud Le Hors.  22 October 2002.

http://www.w3.org/TR/DOM-Level-3-Core/core.html

Exclusive Canonicalization

Exclusive XML Canonicalization Version 1.0 W3C Recommendation, John Boyer,  Donald E. Eastlake 3rd,  Joseph Reagle18 May 2002

http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/

MIME

RFC2046. MIME Part Two: Media Types November 1996.
http://www.ietf.org/rfc/rfc2046.txt

P3P

The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Recommendation, Lorrie Cranor,Marc Langheinrich, Massimo Marchiori,  Martin Presler-Marshall,Joseph Reagle, 16 April 2002
http://www.w3.org/TR/P3P/

RFC 2119

"Key words for use in RFCs to Indicate Requirement Levels", S. Bradner, March 1997, RFC 2119.
http://www.ietf.org/rfc/rfc2119.txt

RFC 2459

"Internet X.509 Public Key Infrastructure Certificate and CRL Profile",R. Housley, W. Ford, W. Polk, D. Solo, January 1999, RFC 2459.
http://www.ietf.org/rfc/rfc2459.txt

RFC 2828

"Internet Security Glossary", R. Shirey, May 2000, RFC 2828.
http://www.ietf.org/rfc/rfc2828.txt

SAML

Security Assertion Markup Language (SAML).
http://www.oasis-open.org/committees/security/docs/

SOAP

Simple Object Access Protocol (SOAP) 1.1, W3C Note 08 May 2000.
http://www.w3.org/TR/SOAP/

SOAP Schemas

http://schemas.xmlsoap.org/soap/encoding/
http://schemas.xmlsoap.org/soap/envelope/

TLS

The TLS Protocol, Version 1.0, RFC 2246, T. Dierks, C. Allen.
http://www.ietf.org/rfc/rfc2246.txt

XKMS Activity Statement

http://www.w3.org/2001/XKMS/Activity.html

XKMS Change Proposal

http://www.xmltrustcenter.org/xkms/docs/xkms_change_proposal.html

XKMS Charter

http://www.w3.org/2001/XKMS/2002/11/charter.html

XKMS Mailing Lists

http://lists.w3.org/Archives/Public/www-xkms-ws/

http://lists.w3.org/Archives/Public/www-xkms/

XKMS-Proposal

http://lists.w3.org/Archives/Public/www-xkms-ws/2001Aug/att-0048/02-xkms-activity.html

XKMS 1.1 W3C Note

http://www.w3.org/TR/xkms/

XKMS Workshop Meeting Minutes

http://www.w3.org/2001/07/xkms-ws/minutes.html

XKMS Workshop Position Papers

http://www.w3.org/2001/07/XKMS-Ws/positions/

Meetings

http://lists.w3.org/Archives/Public/www-xkms-ws/2001Nov/0028.html

http://www.w3.org/2001/XKMS/Minutes/011114-tele.html

http://www.w3.org/2001/XKMS/Minutes/011209-slc/011209-slc-f2f1.html

http://www.w3.org/2001/XKMS/Minutes/020123-tele.html

XML

Extensible Markup Language (XML) 1.0 (Second Edition), W3C Recommendation, T. Bray, J. Paoli, C. M. Sperberg-McQueen. 6 October 2000.
http://www.w3.org/TR/REC-xml

XML-C14N

Canonical XML. W3C Recommendation. J. Boyer. March 2001.

http://www.w3.org/TR/2001/REC-xml-c14n-20010315

http://www.ietf.org/rfc/rfc3076.txt

XMLDSIG

XML-Signature Syntax and Processing. W3C Recommendation. D. Eastlake, J. Reagle, and D. Solo. February 2002.
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/

XML Signature Requirements. W3C Working Draft. J. Reagle. October 1999.
http://www.w3.org/TR/1999/WD-xmldsig-requirements-19991014

XML Encryption

XML Encryption Syntax and Processing, W3C Recommendation T. Imamura, B. Dillaway, J. Schaad, E. Simon. December 2002.
http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/

XML Encryption Requirements. W3C Note J. Reagle. March 2002.
http://www.w3.org/TR/2002/NOTE-xml-encryption-req-20020304

XML-ns

Namespaces in XML Recommendation. T. Bray, D. Hollander, A. Layman. January 1999.

http://www.w3.org/TR/1999/REC-xml-names-19990114/

XML Protocol

http://www.w3.org/2002/ws/

XML-schema

XML Schema Part 1: Structures W3C Recommendation. D. Beech, M. Maloney,N. Mendelsohn, H. Thompson. May 2001.

http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/

XML Schema Part 2: Datatypes W3C Recommendation. P. Biron, A. Malhotra. May 2001.

http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/

Universal Description, Discovery & Integration (UDDI) specifications

http://www.uddi.org/specification.html

URI

RFC2396. Uniform Resource Identifiers (URI): Generic Syntax. T. Berners-Lee, R. Fielding, L. Masinter. August 1998 http://www.ietf.org/rfc/rfc2396.txt

Web Services Description Language (WSDL)

W3C Note 15 March 2001 http://www.w3.org/TR/wsdl

XML Trust Axiom Markup Language (XTAML)

http://www.xmltrustcenter.org/research/xtaml/index.htm