You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@cxf.apache.org by Yossi Cohen <yo...@gmail.com> on 2015/06/02 10:08:57 UTC

KMIP Support in CXF (ReST & SOAP)

Hi,



We are currently evaluating several technologies for public/private key
distribution and rotation and I have two questions I was hoping CXF Dev.
could address:



1.       I noticed CXF added support in XKMS for public keys (e.g., for
SAML token validation). It appears though that the adoption of KMIP
<http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol> in
industry is more extensive than the adoption of XKMS
<http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
support for KMIP? Are there any plans to add this capability and if yes in
which version?

2.       For key rotation we need the previous public key to be left active
side-by-side with the new public key until all signatures signed using the
previous private key are no longer in use (e.g., after session expiration).
To support that, we need to be able to customize CXF and implement logic
that tries first to validate the signature using the new public and upon
failure, attempt to re-validate the signature using the previous public
key. That way we guarantee that we don’t break existing sessions. WDYT
about the logic? If you come to implement KMIP support in CXF, please
beware of such customization need.

 *Best Regards,*
*Yossi Cohen*

RE: KMIP Support in CXF (ReST & SOAP)

Posted by Andrei Shakirin <as...@talend.com>.

Hi Yossi,

Sorry for huge delay with a response.

Indeed, KMIP is currently widely adopted in industry as XKMS. Supporting XKMS was the pragmatic solution for CXF, because it provide enough functionality and it is quite easy and quick to implement. As Sergei said, will be nice to provide additional option to manage the keys for the users, however there are no any concrete plans at the moment. Are you interested to make some KMIP relevant contribution in CXF?

Regarding the second question:
Strongly said, from pure security point of view, validation the signatures with expired certificates have to be failed.
The sense of signature verification and the trust chain is that all of the certificates are correct.
So the best practice here will be to renew certificates in advance, before the signing, if certificate rest validity period is smaller as session live time.
However, I have seen the systems what implement the way you described because of pragmatic reasons.

Regards,
Andrei.

> -----Original Message-----
> From: Yossi Cohen [mailto:yossi2cohen@gmail.com]
> Sent: Dienstag, 2. Juni 2015 10:09
> To: dev@cxf.apache.org
> Subject: KMIP Support in CXF (ReST & SOAP)
> 
> Hi,
> 
> 
> 
> We are currently evaluating several technologies for public/private key
> distribution and rotation and I have two questions I was hoping CXF Dev.
> could address:
> 
> 
> 
> 1.       I noticed CXF added support in XKMS for public keys (e.g., for
> SAML token validation). It appears though that the adoption of KMIP
> <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol> in
> industry is more extensive than the adoption of XKMS
> <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
> support for KMIP? Are there any plans to add this capability and if yes in which
> version?
> 
> 2.       For key rotation we need the previous public key to be left active
> side-by-side with the new public key until all signatures signed using the
> previous private key are no longer in use (e.g., after session expiration).
> To support that, we need to be able to customize CXF and implement logic that
> tries first to validate the signature using the new public and upon failure,
> attempt to re-validate the signature using the previous public key. That way we
> guarantee that we don’t break existing sessions. WDYT about the logic? If you
> come to implement KMIP support in CXF, please beware of such customization
> need.
> 
>  *Best Regards,*
> *Yossi Cohen*

Re: KMIP Support in CXF (ReST & SOAP)

Posted by Sergey Beryozkin <sb...@gmail.com>.

Hi

Andrei Shakirin who worked on getting the XKMS code contribution added 
to CXF is off till next week, he may have an opinion; IMHO it is good to 
have multiple relevant options supported but I'm not sure how easy it is 
to do KMIP.

Cheers, Sergey

On 02/06/15 09:08, Yossi Cohen wrote:
> Hi,
>
>
>
> We are currently evaluating several technologies for public/private key
> distribution and rotation and I have two questions I was hoping CXF Dev.
> could address:
>
>
>
> 1.       I noticed CXF added support in XKMS for public keys (e.g., for
> SAML token validation). It appears though that the adoption of KMIP
> <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol> in
> industry is more extensive than the adoption of XKMS
> <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
> support for KMIP? Are there any plans to add this capability and if yes in
> which version?
>
> 2.       For key rotation we need the previous public key to be left active
> side-by-side with the new public key until all signatures signed using the
> previous private key are no longer in use (e.g., after session expiration).
> To support that, we need to be able to customize CXF and implement logic
> that tries first to validate the signature using the new public and upon
> failure, attempt to re-validate the signature using the previous public
> key. That way we guarantee that we don’t break existing sessions. WDYT
> about the logic? If you come to implement KMIP support in CXF, please
> beware of such customization need.
>
>   *Best Regards,*
> *Yossi Cohen*
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

RE: KMIP Support in CXF (ReST & SOAP)

Posted by Dennis <de...@cox.net>.

Hello,

If you look at the RSA Conference Demos for the last 5 years where KMIP was used to address/test a stack
of HSMs, the Yes, it is more widespread that XKMS.

Dennis

-----Original Message-----
From: Sergey Beryozkin [mailto:sberyozkin@gmail.com] 
Sent: Tuesday, June 02, 2015 11:59 AM
To: dev@cxf.apache.org
Subject: Re: KMIP Support in CXF (ReST & SOAP)

Hi

Andrei Shakirin who worked on getting the XKMS code contribution added to CXF is off till next week, he may have an opinion; IMHO it is good to have multiple relevant options supported but I'm not sure how easy it is to do KMIP.

Cheers, Sergey

On 02/06/15 09:08, Yossi Cohen wrote:
> Hi,
>
>
>
> We are currently evaluating several technologies for public/private 
> key distribution and rotation and I have two questions I was hoping CXF Dev.
> could address:
>
>
>
> 1.       I noticed CXF added support in XKMS for public keys (e.g., for
> SAML token validation). It appears though that the adoption of KMIP 
> <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol
> > in industry is more extensive than the adoption of XKMS 
> <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add 
> support for KMIP? Are there any plans to add this capability and if 
> yes in which version?
>
> 2.       For key rotation we need the previous public key to be left active
> side-by-side with the new public key until all signatures signed using 
> the previous private key are no longer in use (e.g., after session expiration).
> To support that, we need to be able to customize CXF and implement 
> logic that tries first to validate the signature using the new public 
> and upon failure, attempt to re-validate the signature using the 
> previous public key. That way we guarantee that we don’t break 
> existing sessions. WDYT about the logic? If you come to implement KMIP 
> support in CXF, please beware of such customization need.
>
>   *Best Regards,*
> *Yossi Cohen*
>


--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: KMIP Support in CXF (ReST & SOAP)

Posted by Sergey Beryozkin <sb...@gmail.com>.

Just a quick note regarding a possible alternative approach to 
supporting a key rotation for JAX-RS (REST) services.

CXF now supports JWS/JWE/JWK for signing/encrypting the regular HTTP 
payloads, a JWS and/or JWE header can use a 'kid' property:

https://tools.ietf.org/html/rfc7515#section-4.1.4

to signal a key change.
I'll have a look at the optional support for this property inside the 
consuming CXF JWS/JWE filters to make it done automatically with a 
possible fallback to the current/'old' key

Cheers, Sergey


On 02/06/15 17:19, Dennis wrote:
> Hello,
>
> In supplement to previous note:
>
> https://wiki.oasis-open.org/kmip/KnownKMIPImplementations
>
> Dennis
>
> -----Original Message-----
> From: Dennis [mailto:dennisk@cox.net]
> Sent: Tuesday, June 02, 2015 12:09 PM
> To: dev@cxf.apache.org
> Subject: RE: KMIP Support in CXF (ReST & SOAP)
>
> Hello,
>
> If you look at the RSA Conference Demos for the last 5 years where KMIP was used to address/test a stack of HSMs, the Yes, it is more widespread that XKMS.
>
> Dennis
>
> -----Original Message-----
> From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]
> Sent: Tuesday, June 02, 2015 11:59 AM
> To: dev@cxf.apache.org
> Subject: Re: KMIP Support in CXF (ReST & SOAP)
>
> Hi
>
> Andrei Shakirin who worked on getting the XKMS code contribution added to CXF is off till next week, he may have an opinion; IMHO it is good to have multiple relevant options supported but I'm not sure how easy it is to do KMIP.
>
> Cheers, Sergey
>
> On 02/06/15 09:08, Yossi Cohen wrote:
>> Hi,
>>
>>
>>
>> We are currently evaluating several technologies for public/private
>> key distribution and rotation and I have two questions I was hoping CXF Dev.
>> could address:
>>
>>
>>
>> 1.       I noticed CXF added support in XKMS for public keys (e.g., for
>> SAML token validation). It appears though that the adoption of KMIP
>> <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol
>>> in industry is more extensive than the adoption of XKMS
>> <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
>> support for KMIP? Are there any plans to add this capability and if
>> yes in which version?
>>
>> 2.       For key rotation we need the previous public key to be left active
>> side-by-side with the new public key until all signatures signed using
>> the previous private key are no longer in use (e.g., after session expiration).
>> To support that, we need to be able to customize CXF and implement
>> logic that tries first to validate the signature using the new public
>> and upon failure, attempt to re-validate the signature using the
>> previous public key. That way we guarantee that we don’t break
>> existing sessions. WDYT about the logic? If you come to implement KMIP
>> support in CXF, please beware of such customization need.
>>
>>    *Best Regards,*
>> *Yossi Cohen*
>>
>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>

RE: KMIP Support in CXF (ReST & SOAP)

Posted by Dennis <de...@cox.net>.

Hello,

In supplement to previous note:

https://wiki.oasis-open.org/kmip/KnownKMIPImplementations

Dennis

-----Original Message-----
From: Dennis [mailto:dennisk@cox.net] 
Sent: Tuesday, June 02, 2015 12:09 PM
To: dev@cxf.apache.org
Subject: RE: KMIP Support in CXF (ReST & SOAP)

Hello,

If you look at the RSA Conference Demos for the last 5 years where KMIP was used to address/test a stack of HSMs, the Yes, it is more widespread that XKMS.

Dennis

-----Original Message-----
From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]
Sent: Tuesday, June 02, 2015 11:59 AM
To: dev@cxf.apache.org
Subject: Re: KMIP Support in CXF (ReST & SOAP)

Hi

Andrei Shakirin who worked on getting the XKMS code contribution added to CXF is off till next week, he may have an opinion; IMHO it is good to have multiple relevant options supported but I'm not sure how easy it is to do KMIP.

Cheers, Sergey

On 02/06/15 09:08, Yossi Cohen wrote:
> Hi,
>
>
>
> We are currently evaluating several technologies for public/private 
> key distribution and rotation and I have two questions I was hoping CXF Dev.
> could address:
>
>
>
> 1.       I noticed CXF added support in XKMS for public keys (e.g., for
> SAML token validation). It appears though that the adoption of KMIP 
> <http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol
> > in industry is more extensive than the adoption of XKMS
> <http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add 
> support for KMIP? Are there any plans to add this capability and if 
> yes in which version?
>
> 2.       For key rotation we need the previous public key to be left active
> side-by-side with the new public key until all signatures signed using 
> the previous private key are no longer in use (e.g., after session expiration).
> To support that, we need to be able to customize CXF and implement 
> logic that tries first to validate the signature using the new public 
> and upon failure, attempt to re-validate the signature using the 
> previous public key. That way we guarantee that we don’t break 
> existing sessions. WDYT about the logic? If you come to implement KMIP 
> support in CXF, please beware of such customization need.
>
>   *Best Regards,*
> *Yossi Cohen*
>


--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com