The Web Services Advisor
(To receive this column in your inbox,
click Edit your Profile and subscribe.)
An inside look at XKMS
Perhaps the most important of the Web services security standards is XKMS (XML Key Management Specification). It is at the heart of electronic transactions done via Web services, and without it, it's unlikely that Web services will ever be used in a widespread way for business-to-business ecommerce.
XKMS sits at the center of electronic transactions because it is the primary way that trust can be ensured using XML - it verifies that people and businesses are who they say they are, and confirms that they have rights to perform certain transactions. Its purpose is to register and distribute public keys used in XML-based encryption and is designed to solve the problem of how keys can be managed in instances in which parties in a transaction don't know one another.
Understanding PKI and XKMS
XKMS is an XML-based way of managing the Public Key Infrastructure (PKI), a system for encrypting, decrypting, signing, authorizing and verifying the authenticity of information transmitted over the Internet, or people's identities, using public-key cryptography.
In a PKI system, a user or business has two "keys," one public and one private. The public key is available to anyone, while the private key is available only to the user or business itself. The public key is used to encrypt information by those who want to send private information to the user or business. Only the private key of the user or business can decrypt the information, and so only that user or business can read the data.
But PKI suffers from a serious problem, most notably that there is no single PKI standard. Instead, there are a variety of products and technologies that don't necessarily work with one another, such as the ITU's (International Telecommunication Union) X.509 standard, SPKI (Simple PKI), and PGP (Pretty Good Privacy). And even when products or technologies do work with one another, the entire process becomes needlessly complex.
The beauty of XKMS is its simplicity. It doesn't handle the actual work of managing public and private key pairs and other PKI details. Instead, it outsources the jobs of key registration, validation, and similar processes to an XKMS "trust" utility. The XKMS trust utility works with any PKI system, passing the information back and forth between it and the Web service. Because the trust utility does the work, the Web service itself can be kept simple and thin. The nearby figure shows how PKI works without XKMS, and with XKMS - and as you can see, XKMS is certainly simpler.
What XKMS does
XKMS does its magic by performing three basic functions:
- Register PKI depends on private and public key pairs. XKMS services perform the work of registering these key pairs so that they can later be used and retrieved.
- Locate Simply registering keys isn't enough - in order for people to use PKI, public keys need to be able to be located and then retrieved so that they can be used to encrypt documents or verify signatures. XKMS services perform these location and retrieval services.
- Validate What if someone has a public key - how can they know that it's a true, valid one that works? XKMS services handle this validation process. XKMS services can do more than simply validate a key, though. They can also allow people to perform certain tasks or get certain information if their key gives them these rights - for example, retrieving a price quote only available to high-value customers.
XKMS in turn is made up of two standards: the XML Key Information Service Specification (X-KISS) and the XML Key Registration Service Specification (X-KRSS). X-RSS supports the key registration function, while X-KISS performs location and validation of keys.
XKMS in the real world
All this sounds fine in theory. But how would XKMS be used in practice? Let's take an example. Imagine that you're using a Web service to buy products from a supplier, that these products are not normally sold to the public, that you've arranged to get substantial discounts when you buy them, and the Web service uses XKMS for security.
You want to make a purchase, so you use the Web service to make a purchase request, and you also send along the name of your public key. Your request is sent to an XKMS service, which locates the key - and it confirms that you are, in fact, who you say you are.
Just confirming your identity, though, isn't enough to let you make the transaction. Some way has to be found to confirm that you have the right to buy the product, and to detail exactly what kind of discount you qualify for. XKMS handles this by using what are called assertions. Assertions detail privileges, rights, and access capabilities and are tied to a key. So XKMS examines the assertions tied to your key, confirms that you have the right to buy, and details your exact discounts. Your purchase goes through.
Where XKMS stands today
XKMS is already being used in some places today, but at this point, isn't an officially accepted standard. It's still a working draft of the W3C. For the current version of the draft, head to http://www.w3.org/TR/xkms2/.
Even though it's a working draft, there are XKMS toolkits available. A good place to start learning more about XKMS is the XKMS section of Verisign's XML Trust Center at http://www.xmltrustcenter.org/xkms, where you can download a free copy of Verisign's Trust Services Integration Kit, which includes, among other things, Java XKMS APIs. It's still early in the game for XKMS. But you'd do well to start working with it now, because it will most likely be part of the wave of the future.
About the Author
Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. As a well-known technology guru, he appears frequently on TV and radio shows and networks, including CNN, MSNBC, ABC World News Now, the CBS Early Show, PBS's All Things Considered and others. He has won a number of awards for his writing, including from the Computer Press Association for the Best Feature in a Computer Publication. He can be reached at firstname.lastname@example.org.
For More Information:
- Looking for XML and .NET developer tips or helpful columns from industry gurus? Visit our Tip Exchange for time-saving short-cuts.
- Visit our huge collection of Best Web Links for Web Services for hand-selected resources by our editors.
- Got questions? Visit our Ask the Experts feature for Web services, SOAP, WSDL, XML, .NET, Java and EAI answers.
- Got an opinion or viewpoint? Discuss this article, post your comments or talk with your peers in our Discussion Forums.