RE: [kmip] Groups - T11 profile for EAP/GPSK/FC-SP-2 (11-022v2.pdf)uploaded

["Fitzgerald, Indra" <indra.fitzgerald@hp.com>]

Hi Bob,

Below are my comments on the T11 profile.

Regards,
Indra

1. X.3.2.1 (c) (should not use TLSv1.2 to provide assurance of client authenticity for the Query operation) is already covered by (b) (shall use TLSv1.2 to provide assurance of mutual authenticity for KMIP messaging, with the exception of the Query operation)

2. X.3.2.3 states that the server shall return an error if the Authentication structure is specified in the Request Header. In particular, according to the profile, the server should return the following: 
a) no Operation field; 
b) a Result Status field set to Operation Failed; and 
c) a Result Reason Enumeration set to Authentication Not Successful.

The Operation needs to be specified in the Response. This is required by the spec. Please see Table 190, which states that Operation is required if specified in Request Batch Item.

Also, depending on the client registration proposal, this behavior should not be required. The Authentication Credential could simply point to the Transport Certificate.

3. X3.3 (d) (A) requires support for Block Cipher Mode. This is not an attribute and does not need to be explicitly specified. It is specified inside Cryptographic Parameter, which is already required by the Server conformance clauses (a). See Section 12.1 2f in the specification.

4. X3.3 (E) (ee) lists the Cryptographic Usage Mask Derive Key. Are keys derived externally (i.e., not by the KMIP server)?

5. x3.3 (G) states that requests containing the Authentication structure shall be rejected. Please see my comment for (2) above.


-----Original Message-----
From: bob.nixon@emulex.com [mailto:bob.nixon@emulex.com] 
Sent: Wednesday, May 11, 2011 3:43 PM
To: kmip@lists.oasis-open.org
Cc: cds@cisco.com
Subject: [kmip] Groups - T11 profile for EAP/GPSK/FC-SP-2 (11-022v2.pdf) uploaded

Ive posted the current draft of the KMIP 1.0 profile for EAP/GPSK/FC-SP-2
that is being developed in INCITS T11.  Given KMIPs intention to
facilitate externally developed profiles, this profile is being developed
as an annex to FC-SP-2 rather than as a KMIP standard or committee draft. I
would appreciate any feedback the KMIP TC membership is willing to offer to
assure that it is consistent to KMIPs expectations as well as technically
correct.

Ive already incorporated some changes recommended by a small group that
included both KMIP and FC-SP-2 expertise.  Full disclosure:  I have not yet
incorporated everything that was recommendedthe members of that smaller
group have to engage in some more arm-twisting. That may succeed. If not,
they will have a more rational T11 group to convince after my retirement at
the end of June   8- )

-	bob


 -- Bob Nixon

The document named T11 profile for EAP/GPSK/FC-SP-2 (11-022v2.pdf) has been
submitted by Bob Nixon to the OASIS Key Management Interoperability
Protocol (KMIP) TC document repository.

Document Description:
This is a draft of a KMIP 1.0 profile being developed in the INCITS T11
work group FC-SP-2. Its intention is to specify requirements for a
KMIP-conformant Key Server to manage shared keys used by EAP/GPSK
authentication in the FC-SP-2 protocol.

View Document Details:
http://www.oasis-open.org/committees/document.php?document_id=42111

Download Document:  
http://www.oasis-open.org/committees/download.php/42111/11-022v2.pdf


PLEASE NOTE:  If the above links do not work for you, your email application
may be breaking the link into two pieces.  You may be able to copy and paste
the entire link address into the address field of your web browser.

-OASIS Open Administration