Proposed update to Profiles document

[Bruce Rich <brich@us.ibm.com>]

At last week's TC call, Indra and I
were tasked with coming up with mutually-agreed text to close our issues
with the Profile document.
We would propose replacing
sections 3.1.3.and 3.1.4 of the Profiles document with the following:
============== Beginning of replacement
text ============================
3.1.3 Client authenticity and identity 

For authenticated services (all operations save Query) KMIP servers SHALL
require the use of channel (SSL/TLS) mutual authentication to prove client
authenticity. 

In the absence of Credential information in the request header, KMIP servers
SHALL use the identity derived from the channel authentication as the client
identity. 

In the presence of Credential information in the request header, KMIP servers
SHALL factor such Credential information into their evaluation of client
authenticity and identity, along with the authenticity and identity derived
from the channel.  The exact mechanisms for such evaluation are outside
the scope of this specification.

3.1.4 Object creator

KMIP objects have a creator.
For those KMIP requests that result in new managed objects the client identity
SHALL be used as the creator of the managed object.  For those operations
that only access pre-existent managed objects, the client identity SHALL
be checked against the creator, and access SHALL be controlled as detailed
in section 3.13 of [KMIP].
============== End of replacement text ============================

I won't clutter up this note with a
whole lot of background material, but on the TC call we can certainly discuss
some of the rationale that led us to this proposal. (Or not)

Thanks,
Bruce A Rich
brich at-sign us dot ibm dot com