Have a look at Figure 2, which brings together the technologies and specifications that have been discussed so far.
Figure 2. XKMS service architecture.
As shown in the figure, a key owner registers his key with an XKMS-compliant service provider, which uses an underlying PKI to store the keys and bind them to identification information. A commercial PKI typically contains a key registration authority, a certification authority, a key validation authority, and a secure key directory in which all information is stored.
Any Web service that wants to validate a <ds:KeyInfo> element it has received can invoke an XKISS-compliant service, which once again makes use of the underlying PKI to complete the process.
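The validation step described above, sketched from the receiving Web service's side as an added example (not code from the original article). It assumes the XKMS 2.0 message shapes (ValidateRequest, QueryKeyBinding, ValidateResult); the service URL and both sample messages are constructed for illustration.

```python
import uuid
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XKMS = "http://www.w3.org/2002/03/xkms#"  # assumption: XKMS 2.0 namespace
ET.register_namespace("ds", DS)
ET.register_namespace("xkms", XKMS)

# Constructed sample: the signature fragment of a received message.
RECEIVED = f"""<ds:Signature xmlns:ds="{DS}">
  <ds:KeyInfo><ds:KeyName>alice@example.com</ds:KeyName></ds:KeyInfo>
</ds:Signature>"""

# Constructed sample reply from the validation service (str.format template).
REPLY = """<ValidateResult xmlns="{x}" Id="r1" RequestId="{rid}"
    ResultMajor="{x}Success">
  <KeyBinding Id="kb1"><Status StatusValue="{x}Valid"/></KeyBinding>
</ValidateResult>"""

def build_validate_request(message_xml, service_url):
    """Wrap the message's ds:KeyInfo in a ValidateRequest for the service."""
    key_info = ET.fromstring(message_xml).find(f".//{{{DS}}}KeyInfo")
    if key_info is None:
        raise ValueError("message carries no ds:KeyInfo")
    req = ET.Element(f"{{{XKMS}}}ValidateRequest",
                     {"Id": "id-" + uuid.uuid4().hex, "Service": service_url})
    ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + "KeyName"
    ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding").append(key_info)
    return req

def key_is_valid(result_xml, request_id):
    """Fail closed: trust the key only on Success + Valid for our request."""
    res = ET.fromstring(result_xml)
    if res.tag != f"{{{XKMS}}}ValidateResult":
        return False
    if res.get("RequestId") != request_id:  # reply must answer our request
        return False
    if res.get("ResultMajor") != XKMS + "Success":
        return False
    statuses = res.findall(f"{{{XKMS}}}KeyBinding/{{{XKMS}}}Status")
    # Invalid, Indeterminate, or a missing Status all count as not trusted.
    return bool(statuses) and all(
        s.get("StatusValue") == XKMS + "Valid" for s in statuses)

if __name__ == "__main__":
    req = build_validate_request(RECEIVED, "https://xkms.example.org/validate")
    print(ET.tostring(req, encoding="unicode"))
    print(key_is_valid(REPLY.format(x=XKMS, rid=req.get("Id")), req.get("Id")))
```

In a deployment the reply itself also has to be authenticated (for example by the transport or a signature on the result) before its status is acted on.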