Hi Susan,

> Do .NET clients play well with an XKMS server? Interoperability with .NET
> clients is an important concern for me.

I never tried XKMS in .Net, but as it is a W3C standard, it should also work with .Net:

http://msdn.microsoft.com/en-us/library/ms972954.aspx
http://www.w3.org/2001/07/xkms-ws/dillaway/XKMSWorkshop_files/frame.htm
http://pages.infinit.net/ctech/xkms-part2.html

> XKMS does sound interesting, but it
> also sounds like XKMS would replace the certs issued by our existing PKI, and
> that wouldn't work for us.

XKMS doesn't replace PKI, but provides a façade for PKI:

http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html

That means you can easily plug your own lookups and validators into the CXF XKMS implementation, which will speak with your PKI.

Regards,
Andrei.

> -----Original Message-----
> From: Susan Liebeskind [mailto:[email protected]]
> Sent: Monday, 14 October 2013 17:38
> To: [email protected]
> Subject: Re: CXF WS-Trust/WS-SecureConversation security policy questions
>
> On 10/14/2013 09:05 AM, Colm O hEigeartaigh wrote:
> > Hi Susan,
> >
> > This sounds like a perfect use-case for XKMS. CXF ships with an XKMS
> > service, and also a WSS4J "Crypto" implementation which can ask the
> > remote service for certificates for WS-Security. For example, see the
> > following system test:
> >
> > http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/xkms/
> > http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/xkms/
> >
> > I think using XKMS with the Symmetric binding is quite cool, as it
> > means the client does not need any keystores/certs at all stored
> > locally. I have a blog entry partially written on this that I must
> > publish :-)
> >
> >
> >
> Hi Colm,
>
> Do .NET clients play well with an XKMS server? Interoperability with .NET
> clients is an important concern for me.
>
> XKMS does sound interesting, but it
> also sounds like XKMS would replace the certs issued by our existing PKI, and
> that wouldn't work for us.
>
> I guess it comes down to wanting a way to distribute the server cert back to
> the client using the mechanisms available from WS-Trust/STS (signed cert in
> the headers) and based on what Dennis has said, that isn't going to be
> possible.
>
> I'll watch eagerly for that next blog post from you about XKMS though :-)
> (http://coheigea.blogspot.com/, right?)
>
> Thanks for the response.
>
> Susan
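Added example (editor's illustration, not code from CXF or from anyone in this thread) of the point in Andrei's reply that the XKMS service is a façade and you plug your own validators in behind it: a Validator that answers XKMS Validate requests by pulling the X.509 certificate out of the request's KeyInfo and running a PKIX path validation against the organization's own trust store, so the existing PKI stays the authority and XKMS only fronts it. The interface org.apache.cxf.xkms.handlers.Validator, the JAXB types under org.w3._2002._03.xkms and org.w3._2000._09.xmldsig_, and the KeyBindingEnum/ReasonEnum constant names are my recollection of the CXF 2.7.x XKMS module and must be checked against the jars you deploy; the class name LocalPkiValidator, the trust-store arguments and the package are hypothetical.

```java
package com.example.xkms; // hypothetical package for this example

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import javax.xml.bind.JAXBElement;

// Assumed CXF XKMS interface and JAXB types (check against your CXF version).
import org.apache.cxf.xkms.handlers.Validator;
import org.w3._2000._09.xmldsig_.KeyInfoType;
import org.w3._2000._09.xmldsig_.X509DataType;
import org.w3._2002._03.xkms.KeyBindingEnum;
import org.w3._2002._03.xkms.ReasonEnum;
import org.w3._2002._03.xkms.RequestAbstractType;
import org.w3._2002._03.xkms.StatusType;
import org.w3._2002._03.xkms.ValidateRequestType;

/** XKMS Validator backed by the organization's own CA trust store (example, not CXF code). */
public class LocalPkiValidator implements Validator {

    private final PKIXParameters pkixParams;

    /**
     * @param trustStore      keystore holding only your PKI's CA certificates as trusted entries
     * @param password        keystore password
     * @param checkRevocation true to have the JCA PKIX validator consult CRLs/OCSP (needs
     *                        CRL distribution points or OCSP configured on the JVM)
     */
    public LocalPkiValidator(InputStream trustStore, char[] password, boolean checkRevocation)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(trustStore, password);
        pkixParams = new PKIXParameters(ks);            // trust anchors = trusted certs in the store
        pkixParams.setRevocationEnabled(checkRevocation); // false means a revoked cert still validates
    }

    @Override
    public StatusType validate(RequestAbstractType request) {
        StatusType status = new StatusType();
        List<X509Certificate> chain;
        try {
            chain = extractCertificates(request);
        } catch (Exception e) {
            // Malformed KeyInfo: we cannot say either way, so do not answer Valid.
            status.setStatusValue(KeyBindingEnum.HTTP_WWW_W3_ORG_2002_03_XKMS_INDETERMINATE);
            return status;
        }
        if (chain.isEmpty()) {
            status.setStatusValue(KeyBindingEnum.HTTP_WWW_W3_ORG_2002_03_XKMS_INDETERMINATE);
            return status;
        }
        if (isChainTrusted(chain)) {
            status.getValidReason().add(ReasonEnum.HTTP_WWW_W3_ORG_2002_03_XKMS_ISSUER_TRUST.value());
            status.getValidReason().add(ReasonEnum.HTTP_WWW_W3_ORG_2002_03_XKMS_VALIDITY_INTERVAL.value());
            status.setStatusValue(KeyBindingEnum.HTTP_WWW_W3_ORG_2002_03_XKMS_VALID);
        } else {
            status.getInvalidReason().add(ReasonEnum.HTTP_WWW_W3_ORG_2002_03_XKMS_ISSUER_TRUST.value());
            status.setStatusValue(KeyBindingEnum.HTTP_WWW_W3_ORG_2002_03_XKMS_INVALID);
        }
        return status;
    }

    /** Full PKIX path validation (chaining, validity period, basic constraints, optional revocation). */
    boolean isChainTrusted(List<X509Certificate> chain) {
        try {
            List<X509Certificate> path = new ArrayList<X509Certificate>(chain);
            // A CertPath is leaf-first and must not end in the trust anchor itself;
            // drop a trailing self-signed root, the anchors in pkixParams cover it.
            X509Certificate last = path.get(path.size() - 1);
            if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                path.remove(path.size() - 1);
            }
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(certPath, pkixParams);
            return true;
        } catch (Exception e) { // CertPathValidatorException and friends: not trusted
            return false;
        }
    }

    /** Pulls every ds:X509Certificate out of the Validate request's QueryKeyBinding/KeyInfo. */
    static List<X509Certificate> extractCertificates(RequestAbstractType request) throws Exception {
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        if (!(request instanceof ValidateRequestType)) {
            return certs;
        }
        KeyInfoType keyInfo = ((ValidateRequestType) request).getQueryKeyBinding().getKeyInfo();
        if (keyInfo == null) {
            return certs;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Object item : keyInfo.getContent()) {
            if (!(item instanceof JAXBElement) || !(((JAXBElement<?>) item).getValue() instanceof X509DataType)) {
                continue;
            }
            X509DataType x509Data = (X509DataType) ((JAXBElement<?>) item).getValue();
            for (Object entry : x509Data.getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
                if (entry instanceof JAXBElement && ((JAXBElement<?>) entry).getValue() instanceof byte[]) {
                    byte[] der = (byte[]) ((JAXBElement<?>) entry).getValue();
                    certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
                }
            }
        }
        return certs;
    }
}
```

Wire it in as a bean in the XKMS service's list of validators (as I recall the 2.7.x module, the service is assembled from lists of Locator and Validator beans in its Spring/Blueprint configuration; check the shipped xkms-service configuration). Two things a reviewer would look for: the trust store must contain only your PKI's CA certificates, not the JRE's cacerts, or any public CA's certificate will validate; and with checkRevocation false a revoked certificate still comes back Valid, so enable it and make CRL or OCSP reachable from the XKMS host before relying on the answer. Since clients with no local keystore take the service's word for it, the XKMS endpoint itself should only be reachable over server-authenticated TLS.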
