Posted to dev@cxf.apache.org by Yossi Cohen <Yo...@Amdocs.com> on 2015/05/28 17:39:18 UTC

KMIP Support in CXF (ReST & SOAP)

Hi,

We are currently evaluating several technologies for public/private key distribution and rotation and I have two questions I was hoping CXF Dev. could address:


1. I noticed CXF added support in XKMS for public keys (e.g., for SAML token validation). It appears though that the adoption of KMIP <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol> in industry is more extensive than the adoption of XKMS <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add support for KMIP? Are there any plans to add this capability and, if yes, in which version?

2. For key rotation we need the previous public key to be left active side-by-side with the new public key until all signatures signed using the previous private key are no longer in use (e.g., after session expiration). To support that, we need to be able to customize CXF and implement logic that tries first to validate the signature using the new public key and, upon failure, attempts to re-validate the signature using the previous public key. That way we guarantee that we don't break existing sessions. WDYT about the logic? If you come to implement KMIP support in CXF, please be aware of this customization need.

Best Regards,
Yossi Cohen
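
The validate-with-the-new-key-then-fall-back logic from question 2, as an added example that is not part of the original message and is not CXF code. It uses only `java.security`; the `RotatingVerifier` class, the `ActiveKey` record, RSA with SHA-256 and the 30-minute overlap window are assumptions, and it goes one step beyond the message by giving the previous key an expiry so the fallback stops once old sessions are gone.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.List;

public class RotatingVerifier {
    // A public key plus the instant after which it must no longer be accepted.
    record ActiveKey(String label, PublicKey key, Instant notAfter) {}
    private final List<ActiveKey> keys; // ordered: new key first, previous key after it
    RotatingVerifier(List<ActiveKey> keys) { this.keys = List.copyOf(keys); }

    // Returns the label of the key that validated the signature, or null if none did.
    String verify(byte[] data, byte[] sig, Instant now) throws GeneralSecurityException {
        for (ActiveKey k : keys) {
            if (now.isAfter(k.notAfter())) continue; // retired key: never fall back to it
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(k.key());
            v.update(data);
            try {
                if (v.verify(sig)) return k.label();
            } catch (SignatureException malformed) {
                // signature not well-formed for this key: count it as a failed attempt
            }
        }
        return null;
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair previous = gen.generateKeyPair(), current = gen.generateKeyPair(); // constructed sample keys
        Instant now = Instant.now();
        RotatingVerifier rv = new RotatingVerifier(List.of(
            new ActiveKey("current", current.getPublic(), Instant.MAX),
            new ActiveKey("previous", previous.getPublic(), now.plusSeconds(1800)))); // assumed session lifetime
        byte[] token = "constructed session token".getBytes(StandardCharsets.UTF_8);
        byte[] oldSig = sign(previous.getPrivate(), token);
        System.out.println(rv.verify(token, oldSig, now)); // previous-key signature, inside the overlap window
        System.out.println(rv.verify(token, sign(current.getPrivate(), token), now)); // current-key signature
        System.out.println(rv.verify(token, oldSig, now.plusSeconds(3600))); // previous-key signature, window closed
    }
}
```

Returning the label of the key that matched lets the caller log how often the previous key is still being used, which shows when it is safe to remove it.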
