Subject: RE: [kmip] Groups - detailed_wrap_unwrap_proposal.odt uploaded


Thank you.
 
The issue motivating these operations appears to stem from the possibility that a KMIP-compliant server may receive a Register request for a properly wrapped key -- complete with Wrapping Data and including the Encryption Key -- and then quietly store the wrapped key "as is" [i.e. wrapped], rather than unwrap the key and thereby make that key useful for on-server operations such as Encrypt, Decrypt, Sign, etc.
 
A new flag in the Register request -- forcing the server to fail registration of a key that the server cannot (or will not) unwrap prior to storage -- would be preferable to the creation of new operations. The flag might work something like the currently defined Asynchronous Indicator, which tells the server whether the client can accept an asynchronous response. Likewise, a Wrapped Storage Indicator could tell the server that the client can (not) accept wrapped storage of a key. In theory, the client has the option to vary this flag with each request.
 
Cheers,
… Dave
 
 
 
-----Original Message-----
From: kmip@lists.oasis-open.org [mailto:kmip@lists.oasis-open.org] On Behalf Of Tim Hudson
Sent: Thursday, July 16, 2015 4:37 PM
To: kmip@lists.oasis-open.org
Subject: Re: [kmip] Groups - detailed_wrap_unwrap_proposal.odt uploaded
 
On 17/07/2015 12:02 AM, Featherstone, David wrote:
> I must have somehow missed the justification for these
> [*Wrap*/*Unwrap*] operations. Given that the spec already supports
> both the *Register* of a wrapped key [which the server unwraps for
> storage], and the *Get* of a key [which the server wraps for export],
> I wonder what motivates these new operations.
 
Multiple discussions over the last two years. Most recently raised by Mark at the face to face.
https://www.oasis-open.org/apps/org/workgroup/kmip/download.php/55464/WrapUnwrap.pptx
 
See face to face minutes and action items for the minutes for the meetings since then tracking the status.
 
And see
https://www.oasis-open.org/apps/org/workgroup/kmip/download.php/52197/KMIP-KeyWrapping.pdf
for the statement of the problem.
 
Tim.
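
The Register behaviour proposed in the reply at the top of this thread, sketched as an added example; it is not part of either message, not KMIP specification text, and not code from any KMIP implementation. The flag is modelled as a hypothetical `wrapped_storage_ok` field, and `ToyServer`, `RegisterFailed`, `StoredKey` and `toy_unwrap` are likewise assumed names, with `toy_unwrap` a constructed stand-in for a real key-unwrap algorithm.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

class RegisterFailed(Exception):
    """Hypothetical failure result returned for a Register request."""

@dataclass
class RegisterRequest:
    key_block: bytes                       # key material as sent by the client
    wrapping_key_id: Optional[str] = None  # from Wrapping Data; None means not wrapped
    wrapped_storage_ok: bool = True        # proposed flag; True models today's behaviour

@dataclass
class StoredKey:
    material: bytes
    wrapped: bool  # True: stored "as is", so unusable for Encrypt/Decrypt/Sign

def toy_unwrap(blob: bytes) -> bytes:
    """Constructed stand-in for a real key-unwrap algorithm; provides no security."""
    if not blob.startswith(b"WRAPPED:"):
        raise ValueError("integrity check failed")
    return blob[len(b"WRAPPED:"):]

class ToyServer:
    def __init__(self, unwrappers: Dict[str, Callable[[bytes], bytes]]):
        self.unwrappers = unwrappers       # wrapping-key id -> unwrap function
        self.store: Dict[int, StoredKey] = {}

    def _try_unwrap(self, req: RegisterRequest) -> Optional[bytes]:
        unwrap = self.unwrappers.get(req.wrapping_key_id)
        if unwrap is None:
            return None                    # server does not hold the wrapping key
        try:
            return unwrap(req.key_block)
        except ValueError:
            return None                    # unwrap attempted but failed

    def register(self, req: RegisterRequest) -> int:
        if req.wrapping_key_id is None:
            stored = StoredKey(req.key_block, wrapped=False)
        else:
            plain = self._try_unwrap(req)
            if plain is not None:
                stored = StoredKey(plain, wrapped=False)
            elif req.wrapped_storage_ok:
                stored = StoredKey(req.key_block, wrapped=True)  # the quiet fallback
            else:
                raise RegisterFailed("cannot unwrap and client refused wrapped storage")
        uid = len(self.store) + 1
        self.store[uid] = stored
        return uid
```

With the flag left at its permissive default, a client cannot tell from a successful Register whether the stored key is usable on the server; setting it to `False` turns that silent fallback into an explicit failure.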
 
 