Just a quick note regarding a possible alternative approach to
supporting a key rotation for JAX-RS (REST) services.
CXF now supports JWS/JWE/JWK for signing/encrypting the regular HTTP
payloads; a JWS and/or JWE header can use a 'kid' property:
https://tools.ietf.org/html/rfc7515#section-4.1.4
to signal a key change.
I'll have a look at the optional support for this property inside the
consuming CXF JWS/JWE filters to make it done automatically with a
possible fallback to the current/'old' key.
Cheers, Sergey
On 02/06/15 17:19, Dennis wrote:
Hello,
As a supplement to the previous note:
https://wiki.oasis-open.org/kmip/KnownKMIPImplementations
Dennis
-----Original Message-----
From: Dennis [mailto:[email protected]]
Sent: Tuesday, June 02, 2015 12:09 PM
To: [email protected]
Subject: RE: KMIP Support in CXF (ReST & SOAP)
Hello,
If you look at the RSA Conference Demos for the last 5 years where KMIP was
used to address/test a stack of HSMs, then yes, it is more widespread than XKMS.
Dennis
-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]]
Sent: Tuesday, June 02, 2015 11:59 AM
To: [email protected]
Subject: Re: KMIP Support in CXF (ReST & SOAP)
Hi
Andrei Shakirin who worked on getting the XKMS code contribution added to CXF
is off till next week, he may have an opinion; IMHO it is good to have multiple
relevant options supported but I'm not sure how easy it is to do KMIP.
Cheers, Sergey
On 02/06/15 09:08, Yossi Cohen wrote:
Hi,
We are currently evaluating several technologies for public/private
key distribution and rotation and I have two questions I was hoping CXF Dev.
could address:
1. I noticed CXF added support in XKMS for public keys (e.g., for
SAML token validation). It appears though that the adoption of KMIP
<http://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol>
in industry is more extensive than the adoption of XKMS
<http://en.wikipedia.org/wiki/XKMS>. Does it make sense for CXF to add
support for KMIP? Are there any plans to add this capability and if
yes in which version?
2. For key rotation we need the previous public key to be left active
side-by-side with the new public key until all signatures signed using
the previous private key are no longer in use (e.g., after session expiration).
To support that, we need to be able to customize CXF and implement
logic that tries first to validate the signature using the new public key
and upon failure, attempts to re-validate the signature using the
previous public key. That way we guarantee that we don’t break
existing sessions. WDYT about the logic? If you come to implement KMIP
support in CXF, please be aware of such a customization need.
Best Regards,
Yossi Cohen
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
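The two ideas in this thread, the RFC 7515 'kid' header lookup from Sergey's note and the try-the-new-key-then-fall-back-to-the-previous-key logic Yossi describes, combined in one verifier. This is an added example, not code from the thread or from CXF: it builds and checks HS256 JWS compact serializations with only the Python standard library, and the key ids and secrets are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jws_sign(payload: bytes, key: bytes, kid: Optional[str] = None) -> str:
    """HS256 JWS compact serialization; 'kid' is placed in the protected header."""
    header = {"alg": "HS256"}
    if kid:
        header["kid"] = kid
    signing_input = b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + b64url(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def jws_verify(token: str, keys: Dict[str, bytes], current_kid: str,
               previous_kid: Optional[str]) -> Optional[bytes]:
    """Return the payload if a signature verifies, else None.
    A known 'kid' selects exactly that key; an unknown 'kid' is rejected.
    Without a 'kid' the current key is tried first, then the previous key
    (None once the old key has been retired), so sessions signed before the
    rotation keep validating until the old key is withdrawn."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":       # never let the token pick the algorithm
        return None
    kid = header.get("kid")
    if kid is not None:
        candidates = [kid] if kid in keys else []
    else:
        candidates = [current_kid] + ([previous_kid] if previous_kid else [])
    expected = b64url_decode(s)
    for k in candidates:
        actual = hmac.new(keys[k], f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(actual, expected):
            return b64url_decode(p)
    return None

# Constructed key set: "2015-06" is current, "2015-05" is the previous key kept for fallback.
KEYS = {"2015-05": b"constructed-old-secret", "2015-06": b"constructed-new-secret"}
```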