

Subject: Re: [kmip] Locating Certificates Using KMIP


> I read through the PKCS#11 text again -- you indicated that KMIP was missing
> the following….

And it is missing - KMIP does not have the DER encoded version of the issuer or
serial number. It has the currently unspecified textstring representation.

If we define a fixed mandatory mapping for how the textstring representation is
provided for Subject, Issuer, and SerialNumber then we will have the equivalent
for those items - which is what your recently sent proposal update does. I was
commenting on KMIP 1.0 which does not have that text but I see I wasn't clear on
that context in my email.

There is no current requirement that a KMIP user must store the associated
public keys for a certificate and it would be interesting to see views on
requiring that there be associated public key objects for each certificate in
order to support lookups based on the hash of the public key.

Currently Digest is insufficiently specified to be useful for this purpose - as
how the digest is formed hasn't been detailed for contexts where the key value
isn't in a 'raw' format. See last week's discussion on the topic - so that item
too needs to be sorted out.

So I agree there is a path towards being able to handle this in KMIP that seems
logical - but it requires further items to be specified.

Tim.
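
The digest point in the message above can be seen in a short added example, which is not part of the message or of the KMIP specification: the same public key gives different digests depending on whether the whole DER SubjectPublicKeyInfo or only the key bits are hashed, so a lookup by public key hash only matches when both sides use the same input. The choice of SHA-256, the two candidate inputs, and the sample key are assumptions made for illustration.

```python
import hashlib

# Constructed sample: an Ed25519 SubjectPublicKeyInfo whose 32 key bytes are
# simply 0x00..0x1f. It is not taken from the thread or from any real certificate.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))


def read_tlv(buf, off=0):
    """Parse one DER TLV at buf[off:]; return (tag, value, offset_after)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[off:off + length], off + length


def spki_key_bits(spki):
    """Return the subjectPublicKey BIT STRING contents without the unused-bits byte."""
    tag, body, end = read_tlv(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single DER SEQUENCE")
    tag, _algorithm, off = read_tlv(body)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    tag, bits, off = read_tlv(body, off)
    if tag != 0x03 or off != len(body) or not bits or bits[0] != 0:
        raise ValueError("subjectPublicKey BIT STRING malformed")
    return bits[1:]


def candidate_digests(spki):
    """SHA-256 over two plausible inputs a client or server might choose."""
    return {
        "whole SubjectPublicKeyInfo": hashlib.sha256(spki).hexdigest(),
        "key bits only": hashlib.sha256(spki_key_bits(spki)).hexdigest(),
    }


if __name__ == "__main__":
    for label, value in candidate_digests(SAMPLE_SPKI).items():
        print(f"{label:28} {value}")
```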


