kmip message
Subject: Proposed update to Profiles document
- From: Bruce Rich <brich@us.ibm.com>
- To: kmip@lists.oasis-open.org
- Date: Wed, 28 Oct 2009 21:41:42 -0500
At last week's TC call, Indra and I were tasked with coming up with mutually-agreed text to close our issues with the Profile document.
We would propose replacing sections 3.1.3 and 3.1.4 of the Profiles document with the following:
============== Beginning of replacement text ============================
3.1.3 Client authenticity and identity
For authenticated services (all operations save Query) KMIP servers SHALL
require the use of channel (SSL/TLS) mutual authentication to prove client
authenticity.
In the absence of Credential information in the request header, KMIP servers
SHALL use the identity derived from the channel authentication as the client
identity.
In the presence of Credential information in the request header, KMIP servers
SHALL factor such Credential information into their evaluation of client
authenticity and identity, along with the authenticity and identity derived
from the channel. The exact mechanisms for such evaluation are outside
the scope of this specification.
3.1.4 Object creator
KMIP objects have a creator.
For those KMIP requests that result in new managed objects the client identity
SHALL be used as the creator of the managed object. For those operations
that only access pre-existent managed objects, the client identity SHALL
be checked against the creator, and access SHALL be controlled as detailed
in section 3.13 of [KMIP].
============== End of replacement text ============================
I won't clutter up this note with a whole lot of background material, but on the TC call we can certainly discuss some of the rationale that led us to this proposal. (Or not)
Thanks,
Bruce A Rich
brich at-sign us dot ibm dot com
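
The decision flow in the proposed 3.1.3 and 3.1.4 text, as an added example that is not part of the original message or of any KMIP implementation. The credential hook, the creator-only check standing in for section 3.13 of [KMIP], the set of creating operations and the sample host and user names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

UNAUTHENTICATED_OPS = {"Query"}        # 3.1.3: all operations save Query
CREATING_OPS = {"Create", "Register"}  # assumed subset of object-creating operations

class AccessDenied(Exception):
    pass

def channel_identity(peer_cert: Optional[dict]) -> Optional[str]:
    """Subject CN from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    for rdn in (peer_cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def bound_users(chan: str, credential: dict) -> Optional[str]:
    """Constructed policy: a username counts only if bound to this certificate."""
    allowed = {"app01.example.test": {"alice"}}  # constructed sample binding
    user = credential.get("username")
    return f"{chan}/{user}" if user in allowed.get(chan, ()) else None

@dataclass
class Server:
    # Hypothetical hook; the proposal leaves credential evaluation out of scope.
    evaluate_credential: Callable[[str, dict], Optional[str]] = bound_users
    creators: Dict[str, str] = field(default_factory=dict)  # object id -> creator

    def client_identity(self, op, peer_cert, credential=None):
        if op in UNAUTHENTICATED_OPS:
            return None
        chan = channel_identity(peer_cert)
        if chan is None:
            raise AccessDenied(f"mutual TLS authentication required for {op}")
        if credential is None:
            return chan  # identity derived from the channel alone
        ident = self.evaluate_credential(chan, credential)
        if ident is None:
            raise AccessDenied(f"credential rejected for channel identity {chan}")
        return ident

    def handle(self, op, object_id, peer_cert, credential=None):
        ident = self.client_identity(op, peer_cert, credential)
        if op in UNAUTHENTICATED_OPS:
            return "ok"
        if op in CREATING_OPS:
            self.creators[object_id] = ident  # 3.1.4: client identity becomes creator
            return "created"
        # Assumed stand-in for section 3.13 of [KMIP]: creator-only access.
        if self.creators.get(object_id) != ident:
            raise AccessDenied(f"{ident} is not the creator of {object_id}")
        return "ok"
```

A credential never substitutes for the channel here: a request with no client certificate is refused before the credential is examined.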