OASIS Public Key Infrastructure TC

OASIS PKI Technical Committee FAQ

  1. What is PKI?

    PKI is a fundamental security technology. It can be used to authenticate users, web sites, and other entities. PKI also provides the basic security required to carry out electronic business, so that users who do not know each other, or who are widely distributed, can communicate securely by relying on a chain of trust.

  2. Does OASIS maintain or develop the PKI standards?

    No. The PKI standards themselves are addressed by IETF and ISO, bodies with whom OASIS maintains active liaison relationships.

  3. How does PKI fit within the big picture of security standards? Is it a component of Web services?

    First and foremost, PKI is an authentication technology. PKI also provides a foundation for supporting security services such as data integrity, data confidentiality, and non-repudiation. PKI can be used in conjunction with a variety of security standards, including SAML and WS-Security.

  4. How does PKI relate to SAML?

    PKI can be used for end-entity authentication, and information associated with this authentication can be conveyed in a SAML assertion. PKI can also be used to protect SAML messages (e.g., PKI can be used to support persistent digital signatures on SAML assertions).

  5. How does PKI relate to WS-Security?

    WS-Security is an extension to SOAP that allows SOAP messages to be protected for both integrity and confidentiality. WS-Security leverages XML Signature and XML Encryption, combined with security tokens (e.g., an X.509 public key certificate), to provide message integrity and confidentiality. PKI can be used as the underlying technology to support these security services.

  6. How does PKI relate to XKMS?

    XKMS supports a variety of security technologies, including X.509-based PKI. XKMS is designed to hide or remove the complexities of the underlying technology from the client systems. XKMS can support X.509-based lifecycle management functions such as end-entity certificate registration, and it can be used to obtain information about X.509 certificates and X.509-based security services (e.g., to verify a digital signature).